Total
339056 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-32096 | 1 Useplunk | 1 Plunk | 2026-03-16 | N/A | 9.3 CRITICAL |
| Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0. | |||||
| CVE-2026-32132 | 1 Zitadel | 1 Zitadel | 2026-03-16 | N/A | 7.4 HIGH |
| ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code, could allow an attacker to potentially register their own passkey and gain access to the victim's account. This vulnerability is fixed in 3.4.8 and 4.12.2. | |||||
| CVE-2026-32131 | 1 Zitadel | 1 Zitadel | 2026-03-16 | N/A | 7.7 HIGH |
| ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant’s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2. | |||||
| CVE-2026-32130 | 1 Zitadel | 1 Zitadel | 2026-03-16 | N/A | 7.5 HIGH |
| ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Request to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2. | |||||
| CVE-2026-32097 | 1 Harvard | 1 Pingpong | 2026-03-16 | N/A | 8.8 HIGH |
| PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2. | |||||
| CVE-2026-4219 | 2026-03-16 | 1.7 LOW | 3.3 LOW | ||
| A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-3476 | 2026-03-16 | N/A | 7.8 HIGH | ||
| A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file. | |||||
| CVE-2026-32394 | 2026-03-16 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in PublishPress PublishPress Capabilities capability-manager-enhanced allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Capabilities: from n/a through <= 2.31.0. | |||||
| CVE-2026-32392 | 2026-03-16 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.This issue affects Greenly: from n/a through <= 8.1. | |||||
| CVE-2026-32390 | 2026-03-16 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in linethemes Nanosoft nanosoft allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nanosoft: from n/a through < 1.3.2. | |||||
| CVE-2026-32385 | 2026-03-16 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RegistrationMagic: from n/a through <= 6.0.7.6. | |||||
| CVE-2026-32373 | 2026-03-16 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Alert Order Notifications: from n/a through <= 3.9.0. | |||||
| CVE-2026-2861 | 1 Foswiki | 1 Foswiki | 2026-03-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an unknown function of the component Changes/Viewfile/Oops. The manipulation results in information disclosure. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 2.1.11 is sufficient to fix this issue. The patch is identified as 31aeecb58b64/d8ed86b10e46. Upgrading the affected component is recommended. | |||||
| CVE-2026-27142 | 2026-03-16 | N/A | 6.1 MEDIUM | ||
| Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. | |||||
| CVE-2026-26731 | 1 Totolink | 2 A3002ru-v2, A3002ru Firmware | 2026-03-16 | N/A | 8.8 HIGH |
| TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a stack-based buffer overflow via the routernamer`parameter in the formDnsv6 function. | |||||
| CVE-2025-12189 | 1 Breadbutter | 1 Bread \& Butter | 2026-03-16 | N/A | 4.3 MEDIUM |
| The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-3606 | 1 Ettercap-project | 1 Ettercap | 2026-03-16 | 1.7 LOW | 3.3 LOW |
| A vulnerability has been found in Ettercap 0.8.4-Garofalo. Affected by this vulnerability is the function add_data_segment of the file src/ettercap/utils/etterfilter/ef_output.c of the component etterfilter. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-21536 | 1 Microsoft | 1 Devices Pricing Program | 2026-03-16 | N/A | 9.8 CRITICAL |
| Microsoft Devices Pricing Program Remote Code Execution Vulnerability | |||||
| CVE-2026-23651 | 1 Microsoft | 1 Aci Confidential Containers | 2026-03-16 | N/A | 6.7 MEDIUM |
| Permissive regular expression in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2026-26122 | 1 Microsoft | 1 Aci Confidential Containers | 2026-03-16 | N/A | 6.5 MEDIUM |
| Initialization of a resource with an insecure default in Azure Compute Gallery allows an authorized attacker to disclose information over a network. | |||||