Total
340845 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-25317 | 2 Tychesoftwares, Wordpress | 2 Print Invoice & Delivery Notes For Woocommerce, Wordpress | 2026-03-26 | 7.5 High |
| Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through <= 5.9.0. | ||||
| CVE-2026-24382 | 2 Wordpress, Wp-royal-themes | 2 Wordpress, News Magazine X | 2026-03-26 | 7.5 High |
| Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50. | ||||
| CVE-2026-24369 | 2 Theme-one, Wordpress | 2 The Grid, Wordpress | 2026-03-26 | 7.1 High |
| Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0. | ||||
| CVE-2026-24363 | 2 Loopus, Wordpress | 2 Wp Cost Estimation & Payment Forms Builder, Wordpress | 2026-03-26 | 7.5 High |
| Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0. | ||||
| CVE-2026-23977 | 2 Wordpress, Wpfactory | 2 Wordpress, Helpdesk Support Ticket System For Woocommerce | 2026-03-26 | 7.5 High |
| Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.2. | ||||
| CVE-2026-20698 | 1 Apple | 7 Ios And Ipados, Ipados, Iphone Os and 4 more | 2026-03-26 | 5.5 Medium |
| The issue was addressed with improved memory handling. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to cause unexpected system termination or corrupt kernel memory. | ||||
| CVE-2026-20694 | 1 Apple | 4 Ios And Ipados, Ipados, Iphone Os and 1 more | 2026-03-26 | 5.5 Medium |
| This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Sonoma 14.8.5, macOS Tahoe 26.3, macOS Tahoe 26.4. An app may be able to access user-sensitive data. | ||||
| CVE-2025-69358 | 2 Metagauss, Wordpress | 2 Eventprime, Wordpress | 2026-03-26 | 7.5 High |
| Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through <= 4.2.6.0. | ||||
| CVE-2026-20670 | 1 Apple | 1 Macos | 2026-03-26 | 5.5 Medium |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to access sensitive user data. | ||||
| CVE-2026-20692 | 1 Apple | 4 Ios And Ipados, Ipados, Iphone Os and 1 more | 2026-03-26 | 5.3 Medium |
| A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. "Hide IP Address" and "Block All Remote Content" may not apply to all mail content. | ||||
| CVE-2026-28831 | 1 Apple | 1 Macos | 2026-03-26 | 5.5 Medium |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data. | ||||
| CVE-2026-28855 | 1 Apple | 4 Ios And Ipados, Ipados, Iphone Os and 1 more | 2026-03-26 | 7.5 High |
| A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3. An app may be able to access protected user data. | ||||
| CVE-2026-28863 | 1 Apple | 6 Ios And Ipados, Ipados, Iphone Os and 3 more | 2026-03-26 | 6.5 Medium |
| A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to fingerprint the user. | ||||
| CVE-2026-28870 | 1 Apple | 7 Ios And Ipados, Ipados, Iphone Os and 4 more | 2026-03-26 | 5.5 Medium |
| An information leakage was addressed with additional validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data. | ||||
| CVE-2026-28874 | 1 Apple | 3 Ios And Ipados, Ipados, Iphone Os | 2026-03-26 | 7.5 High |
| The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. A remote attacker may cause an unexpected app termination. | ||||
| CVE-2026-28892 | 1 Apple | 1 Macos | 2026-03-26 | 5.5 Medium |
| A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to modify protected parts of the file system. | ||||
| CVE-2026-33668 | 1 Go-vikunja | 1 Vikunja | 2026-03-26 | N/A |
| Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue. | ||||
| CVE-2026-33680 | 1 Go-vikunja | 1 Vikunja | 2026-03-26 | 7.5 High |
| Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue. | ||||
| CVE-2026-33160 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-03-26 | 5.3 Medium |
| Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14. | ||||
| CVE-2026-33498 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-26 | 7.5 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44. | ||||