Total
337953 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0121 | 1 Google | 1 Android | 2026-03-11 | N/A | 2.9 LOW |
| In VPU, there is a possible use-after-free read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2026-0122 | 1 Google | 1 Android | 2026-03-11 | N/A | 8.4 HIGH |
| In multiple places, there is a possible out of bounds write due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2026-0123 | 1 Google | 1 Android | 2026-03-11 | N/A | 8.4 HIGH |
| In EfwApTransport::ProcessRxRing of efw_ap_transport.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2026-29194 | 1 Gravitl | 1 Netmaker | 2026-03-11 | N/A | 8.1 HIGH |
| Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host is authorized to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been patched in version 1.5.0. | |||||
| CVE-2025-70227 | 1 Dlink | 2 Dir-513, Dir-513 Firmware | 2026-03-11 | N/A | 7.5 HIGH |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the nextPage parameter to goform/formLanguageChange. | |||||
| CVE-2025-70242 | 1 Dlink | 2 Dir-513, Dir-513 Firmware | 2026-03-11 | N/A | 7.5 HIGH |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the webPage parameter to goform/formSetWanPPTP. | |||||
| CVE-2025-70246 | 1 Dlink | 2 Dir-513, Dir-513 Firmware | 2026-03-11 | N/A | 7.5 HIGH |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formVirtualServ. | |||||
| CVE-2025-70247 | 1 Dlink | 2 Dir-513, Dir-513 Firmware | 2026-03-11 | N/A | 7.5 HIGH |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWizard1. | |||||
| CVE-2025-70249 | 1 Dlink | 2 Dir-513, Dir-513 Firmware | 2026-03-11 | N/A | 7.5 HIGH |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWizard2. | |||||
| CVE-2025-70251 | 1 Dlink | 2 Dir-513, Dir-513 Firmware | 2026-03-11 | N/A | 7.5 HIGH |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the webPage parameter to goform/formWlanGuestSetup. | |||||
| CVE-2026-26308 | 1 Envoyproxy | 1 Envoy | 2026-03-11 | N/A | 7.5 HIGH |
| Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13. | |||||
| CVE-2026-28470 | 1 Openclaw | 1 Openclaw | 2026-03-11 | N/A | 9.8 CRITICAL |
| OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside double-quoted strings to execute unauthorized commands. | |||||
| CVE-2026-28471 | 1 Openclaw | 1 Openclaw | 2026-03-11 | N/A | 5.3 MEDIUM |
| OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender display names and localparts without homeserver validation. Remote Matrix users can impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline. | |||||
| CVE-2026-28473 | 1 Openclaw | 1 Openclaw | 2026-03-11 | N/A | 8.1 HIGH |
| OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway client, bypassing the operator.approvals permission check that protects direct RPC calls. | |||||
| CVE-2026-28475 | 1 Openclaw | 1 Openclaw | 2026-03-11 | N/A | 4.8 MEDIUM |
| OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token. | |||||
| CVE-2026-3538 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-03-11 | N/A | 8.8 HIGH |
| Integer overflow in Skia in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical) | |||||
| CVE-2026-3537 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-03-11 | N/A | 8.8 HIGH |
| Object lifecycle issue in PowerVR in Google Chrome on Android prior to 145.0.7632.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | |||||
| CVE-2026-3536 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-03-11 | N/A | 8.8 HIGH |
| Integer overflow in ANGLE in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical) | |||||
| CVE-2026-3277 | 2026-03-11 | N/A | N/A | ||
| The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows an attacker with read access to that file to obtain the OIDC client credentials | |||||
| CVE-2026-2771 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-03-11 | N/A | 9.8 CRITICAL |
| Undefined behavior in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||