Total
337705 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-26148 | | | 2026-03-11 | N/A | 8.1 HIGH |
| External initialization of trusted variables or data stores in Azure Entra ID allows an unauthorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-2742 | | | 2026-03-11 | N/A | N/A |
| An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1 applications using Spring Security, due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization. Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.7 to 24.9.8, and 25.0.0-25.0.1 to 25.0.2 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update to the latest 14, 23, 24, or 25 version. | | | | | |
| CVE-2026-23672 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | | | | | |
| CVE-2026-27826 | | | 2026-03-11 | N/A | 8.2 HIGH |
| MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer (not in any MCP tool handler), making it invisible to tool-level code analysis. In cloud deployments, this could enable theft of IAM role credentials via the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue. | | | | | |
| CVE-2026-30977 | | | 2026-03-11 | N/A | N/A |
| RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This vulnerability is fixed in 0.1.1. | | | | | |
| CVE-2026-26130 | | | 2026-03-11 | N/A | 7.5 HIGH |
| Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. | | | | | |
| CVE-2026-26141 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-24292 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Use after free in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-26115 | | | 2026-03-11 | N/A | 8.8 HIGH |
| Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate privileges over a network. | | | | | |
| CVE-2026-25180 | | | 2026-03-11 | N/A | 5.5 MEDIUM |
| Out-of-bounds read in Microsoft Graphics Component allows an unauthorized attacker to disclose information locally. | | | | | |
| CVE-2026-25167 | | | 2026-03-11 | N/A | 7.4 HIGH |
| Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-2339 | | | 2026-03-11 | N/A | 7.5 HIGH |
| Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection. This issue affects Liderahenk: before v3.4.0. | | | | | |
| CVE-2026-31792 | | | 2026-03-11 | N/A | 7.8 HIGH |
| iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a null pointer dereference in CIccTagXmlStruct::ParseTag() causing a segmentation fault or denial of service. This vulnerability is fixed in 2.3.1.5. | | | | | |
| CVE-2026-26105 | | | 2026-03-11 | N/A | 8.1 HIGH |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | | | | | |
| CVE-2025-48611 | | | 2026-03-11 | N/A | 10.0 CRITICAL |
| In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | | | | | |
| CVE-2026-25169 | | | 2026-03-11 | N/A | 6.2 MEDIUM |
| Divide by zero in Microsoft Graphics Component allows an unauthorized attacker to deny service locally. | | | | | |
| CVE-2026-3228 | | | 2026-03-11 | N/A | 6.4 MEDIUM |
| The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the `snapFB` post meta value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | | | | | |
| CVE-2026-23674 | | | 2026-03-11 | N/A | 7.5 HIGH |
| Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. | | | | | |
| CVE-2026-25190 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally. | | | | | |
| CVE-2026-30986 | | | 2026-03-11 | N/A | 5.5 MEDIUM |
| iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow write in CIccMatrixMath::SetRange() causing memory corruption or crash. This vulnerability is fixed in 2.3.1.5. | | | | | |
