Total
339971 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22902 | 1 Qnap Systems | 1 Qunetswitch | 2026-03-24 | N/A |
| A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later | ||||
| CVE-2026-2298 | 1 Salesforce | 1 Marketing Cloud Engagement | 2026-03-24 | 9.4 Critical |
| Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026. | ||||
| CVE-2026-25075 | 1 Strongswan | 1 Strongswan | 2026-03-24 | 7.5 High |
| strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon. | ||||
| CVE-2026-26828 | 1 Owntone | 1 Owntone-server | 2026-03-24 | 7.5 High |
| A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server | ||||
| CVE-2026-27131 | 1 Putyourlightson | 1 Craft-sprig | 2026-03-24 | 5.5 Medium |
| The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behavior using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`. | ||||
| CVE-2026-27183 | 1 Openclaw | 1 Openclaw | 2026-03-24 | 4.5 Medium |
| OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactly four transparent dispatch wrappers like repeated env invocations before /bin/sh -c to bypass security=allowlist approval gating by misaligning classification with execution planning. | ||||
| CVE-2026-29794 | 1 Go-vikunja | 1 Vikunja | 2026-03-24 | 5.3 Medium |
| Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue. | ||||
| CVE-2026-30007 | 1 Xnsoft | 1 Nconvert | 2026-03-24 | 6.2 Medium |
| XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .tiff file | ||||
| CVE-2026-3055 | 1 Netscaler | 2 Adc, Gateway | 2026-03-24 | N/A |
| Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread | ||||
| CVE-2026-30886 | 1 Quantumnous | 1 New-api | 2026-03-24 | 6.5 Medium |
| New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access video content belonging to other users and causes the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The missing authorization check is a single function call — `model.GetByOnlyTaskId(taskID)` queries by `task_id` alone with no `user_id` filter, while every other task-lookup in the codebase enforces ownership via `model.GetByTaskId(userId, taskID)`. Version 0.11.4-alpha.2 contains a patch. | ||||
| CVE-2026-31382 | 1 Gainsight | 1 Gainsight Assist | 2026-03-24 | 6.1 Medium |
| The error_description parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload. | ||||
| CVE-2026-32303 | 1 Cryptomator | 1 Cryptomator | 2026-03-24 | 7.6 High |
| Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1. | ||||
| CVE-2026-31381 | 1 Gainsight | 1 Gainsight Assist | 2026-03-24 | 5.3 Medium |
| An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL. | ||||
| CVE-2026-33371 | 1 Zimbra | 1 Collaboration | 2026-03-24 | 4.3 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server. | ||||
| CVE-2025-46597 | 1 Bitcoin | 1 Bitcoin Core | 2026-03-24 | 7.5 High |
| Bitcoin Core 0.13.0 through 29.x has an integer overflow. | ||||
| CVE-2026-33368 | 1 Zimbra | 1 Collaboration | 2026-03-24 | 6.1 Medium |
| Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim. | ||||
| CVE-2025-62844 | 1 Qnap Systems | 1 Qurouter | 2026-03-24 | N/A |
| A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later | ||||
| CVE-2026-22898 | 1 Qnap Systems | 1 Qvr Pro | 2026-03-24 | N/A |
| A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later | ||||
| CVE-2026-30578 | 1 Leefish | 1 File Thingie | 2026-03-24 | 6.5 Medium |
| File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript code. | ||||
| CVE-2026-32309 | 1 Cryptomator | 1 Cryptomator | 2026-03-24 | N/A |
| Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1. | ||||