Total
336509 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27984 | | | 2026-03-06 | N/A | 9.0 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection. This issue affects Widget Options: from n/a through <= 4.1.3. | |||||
| CVE-2025-69534 | | | 2026-03-06 | N/A | N/A |
| Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions. | |||||
| CVE-2026-24105 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2026-03-06 | N/A | 9.8 CRITICAL |
| An issue was discovered in goform/formsetUsbUnload in Tenda AC15V1.0 V15.03.05.18_multi. The value of `v1` was not checked, potentially leading to a command injection vulnerability if injected into doSystemCmd. | |||||
| CVE-2025-70252 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2026-03-06 | N/A | 7.5 HIGH |
| An issue was discovered in /goform/WifiWpsStart in Tenda AC6V2.0 V15.03.06.23_multi. The index and mode are controllable. If the conditions to reach sprintf are met, they will be spliced into tmp. It is worth noting that there is no size check, which leads to a stack overflow vulnerability. | |||||
| CVE-2026-28268 | 1 Vikunja | 1 Vikunja | 2026-03-06 | N/A | 9.8 CRITICAL |
| Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue. | |||||
| CVE-2019-25491 | 1 Doditsolutions | 1 Airbnb Clone Script | 2026-03-06 | N/A | 8.2 HIGH |
| Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cms_getpagetitle.php endpoint with malicious catid values to extract sensitive database information. | |||||
| CVE-2019-25493 | 1 Doditsolutions | 1 Airbnb Clone Script | 2026-03-06 | N/A | 8.2 HIGH |
| Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with malicious 'val' values to extract sensitive database information. | |||||
| CVE-2019-25492 | 1 Doditsolutions | 1 Airbnb Clone Script | 2026-03-06 | N/A | 8.2 HIGH |
| Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database information. | |||||
| CVE-2019-25490 | 1 Doditsolutions | 1 Airbnb Clone Script | 2026-03-06 | N/A | 8.2 HIGH |
| Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Attackers can send GET requests to the admin/edit.php endpoint with time-based SQL injection payloads to extract sensitive database information. | |||||
| CVE-2019-25489 | 1 Doditsolutions | 1 Airbnb Clone Script | 2026-03-06 | N/A | 8.2 HIGH |
| Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service. | |||||
| CVE-2019-25498 | 1 Simplejobscript | 1 Simplejobscript | 2026-03-06 | N/A | 8.2 HIGH |
| Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. Attackers can send POST requests to the searched endpoint with malicious SQL payloads to bypass authentication and extract sensitive database information. | |||||
| CVE-2019-25499 | 1 Simplejobscript | 1 Simplejobscript | 2026-03-06 | N/A | 8.2 HIGH |
| Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. Attackers can send POST requests to get_job_applications_ajax.php with malicious job_id values to bypass authentication, extract sensitive data, or modify database contents. | |||||
| CVE-2019-25500 | 1 Simplejobscript | 1 Simplejobscript | 2026-03-06 | N/A | 8.2 HIGH |
| Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter. Attackers can send POST requests to the register-recruiters endpoint with time-based SQL injection payloads to extract sensitive data or modify database contents. | |||||
| CVE-2026-26377 | 1 Koha | 1 Koha | 2026-03-06 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function. | |||||
| CVE-2025-11143 | 1 Eclipse | 1 Jetty | 2026-03-06 | N/A | 3.7 LOW |
| The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details. | |||||
| CVE-2026-3431 | 1 Sim | 1 Sim | 2026-03-06 | N/A | 9.8 CRITICAL |
| In SimStudio versions below 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data. | |||||
| CVE-2026-3432 | 1 Sim | 1 Sim | 2026-03-06 | N/A | 9.1 CRITICAL |
| In SimStudio versions below 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services. | |||||
| CVE-2025-66597 | 1 Yokogawa | 1 Fast/tools | 2026-03-06 | N/A | 7.5 HIGH |
| A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports weak cryptographic algorithms, potentially allowing an attacker to decrypt communications with the web server. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 | |||||
| CVE-2025-66596 | 1 Yokogawa | 1 Fast/tools | 2026-03-06 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly validate request headers. When an attacker inserts an invalid host header, users could be redirected to malicious sites. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 | |||||
| CVE-2025-66595 | 1 Yokogawa | 1 Fast/tools | 2026-03-06 | N/A | 5.4 MEDIUM |
| A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product is vulnerable to Cross-Site Request Forgery (CSRF). When a user accesses a link crafted by an attacker, the user’s account could be compromised. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04 | |||||
