Total: 337669 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-24282 | | | 2026-03-11 | N/A | 5.5 MEDIUM | Out-of-bounds read in Push Message Routing Service allows an authorized attacker to disclose information locally. |
| CVE-2026-2741 | | | 2026-03-11 | N/A | N/A | Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory. Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer. Note that Vaadin versions 10-13 and 15-22 are no longer supported; update to the latest 14, 23, 24, or 25 version. |
| CVE-2026-25570 | | | 2026-03-11 | N/A | 7.4 HIGH | A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The SICAM SIAPP SDK does not perform checks on input values, potentially resulting in a stack overflow. This could allow an attacker to perform code execution and denial of service. |
| CVE-2026-23668 | | | 2026-03-11 | N/A | 7.0 HIGH | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. |
| CVE-2026-25181 | | | 2026-03-11 | N/A | 7.5 HIGH | Out-of-bounds read in Windows GDI+ allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-26110 | | | 2026-03-11 | N/A | 8.4 HIGH | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2026-30964 | | | 2026-03-11 | N/A | 5.4 MEDIUM | web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle that allow developers to integrate the WebAuthn authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4. |
| CVE-2026-2273 | | | 2026-03-11 | N/A | N/A | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of untrusted commands on the engineering workstation, which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system, when an authenticated user opens a malicious project file. |
| CVE-2026-30978 | | | 2026-03-11 | N/A | 7.8 HIGH | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing an invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5. |
| CVE-2026-27825 | | | 2026-03-11 | N/A | 9.0 CRITICAL | MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, the `confluence_download_attachment` MCP tool accepts a `download_path` parameter that is written to without any directory boundary enforcement. An attacker who can call this tool and supply or access a Confluence attachment with malicious content can write arbitrary content to any path the server process has write access to. Because the attacker controls both the write destination and the written content (via an uploaded Confluence attachment), this allows arbitrary code execution (for example, writing a valid cron entry to `/etc/cron.d/` achieves code execution within one scheduler cycle with no server restart required). Version 0.17.0 fixes the issue. |
| CVE-2026-24297 | | | 2026-03-11 | N/A | 6.5 MEDIUM | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kerberos allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2026-30985 | | | 2026-03-11 | N/A | 7.8 HIGH | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow write in CIccMatrixMath::SetRange() causing memory corruption or crash. This vulnerability is fixed in 2.3.1.5. |
| CVE-2026-25186 | | | 2026-03-11 | N/A | 5.5 MEDIUM | Exposure of sensitive information to an unauthorized actor in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to disclose information locally. |
| CVE-2026-30928 | | | 2026-03-11 | N/A | N/A | Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services, including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1. |
| CVE-2026-26123 | | | 2026-03-11 | N/A | 5.5 MEDIUM | Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally. |
| CVE-2026-27661 | | | 2026-03-11 | N/A | 4.3 MEDIUM | A vulnerability has been identified in SINEC Security Monitor (All versions < V4.9.0). The affected application leaks confidential information in metadata and files, such as information on contributors and email addresses, on `SSM Server`. |
| CVE-2026-26128 | | | 2026-03-11 | N/A | 7.8 HIGH | Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally. |
| CVE-2026-30944 | | | 2026-03-11 | N/A | 8.8 HIGH | StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation. This vulnerability is fixed in 0.4.0. |
| CVE-2026-30934 | | | 2026-03-11 | N/A | 8.9 HIGH | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable. |
| CVE-2026-23664 | | | 2026-03-11 | N/A | 7.5 HIGH | Improper restriction of communication channel to intended endpoints in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network. |
