Recent
Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030
Published 2026-03-26 by drupal
Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029
Published 2026-03-26 by drupal
AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028
Published 2026-03-26 by drupal
Libssh: libssh: denial of service via improper configuration file handling
Published 2026-03-26 by redhat
Libssh: libssh: denial of service via inefficient regular expression processing
Published 2026-03-26 by redhat
Libssh: libssh: denial of service due to malformed sftp message
Published 2026-03-26 by redhat
Libssh: improper sanitation of paths received from scp servers
Published 2026-03-26 by redhat
Libssh: buffer underflow in ssh_get_hexa() on invalid input
Published 2026-03-26 by redhat
Missing Protected-field Authorization in Provisioning Contact Points API
Published 2026-03-26 by GRAFANA
Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
Published 2026-03-26 by GRAFANA
Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs
Published 2026-03-26 by GitHub_M
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
Published 2026-03-26 by drupal
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
Published 2026-03-26 by drupal
OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025
Published 2026-03-26 by drupal
Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
Published 2026-03-26 by drupal
Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
Published 2026-03-26 by drupal
AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
Published 2026-03-26 by drupal
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
Published 2026-03-26 by drupal
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
Published 2026-03-26 by drupal
P11-kit: p11-kit: null dereference via c_derivekey with specific null parameters
Published 2026-03-26 by redhat
Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
Published 2026-03-26 by GitHub_M
Gimp: gimp: application crash (dos) via crafted psd file due to heap-buffer-overflow
Published 2026-03-26 by redhat
Gimp: gimp: memory corruption due to integer overflow in ico file handling
Published 2026-03-26 by redhat
Gimp: gimp: denial of service via crafted psp image file
Published 2026-03-26 by redhat
ImageMagick has an Out-of-bounds Write via InterpretImageFilename
Published 2026-03-26 by GitHub_M
ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction
Published 2026-03-26 by GitHub_M
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
Published 2026-03-26 by GitHub_M
Infinite loop in github.com/antchfx/xpath
Published 2026-03-26 by Go
Denial of service in github.com/jackc/pgproto3/v2
Published 2026-03-26 by Go
Denial of service in github.com/buger/jsonparser
Published 2026-03-26 by Go
Denial of service in github.com/shamaton/msgpack
Published 2026-03-26 by Go
InvenTree has Path Traversal In Report Templates
Published 2026-03-26 by GitHub_M
InvenTree Vulnerable to ORM Filter Injection
Published 2026-03-26 by GitHub_M
ClearanceKit: opfilter policy bypass via exchangedata and clone operations
Published 2026-03-26 by GitHub_M
Libsoup: libsoup: denial of service via use-after-free in soupserver during tls handshake
Published 2026-03-26 by redhat
ClearanceKit: opfilter policy bypass via non-open file operations
Published 2026-03-26 by GitHub_M
Ruckus AP CLI Arbitrary File Read Allows Authenticated Remote File Access
Published 2026-03-26 by VulnCheck
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
Published 2026-03-26 by GitHub_M
GoDoxy has a Path Traversal Vulnerability in its File API
Published 2026-03-26 by GitHub_M
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
Published 2026-03-26 by GitHub_M
Ruckus Unleashed Authenticated RCE in Gateway Mode
Published 2026-03-26 by VulnCheck
Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission
Published 2026-03-26 by redhat
Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api
Published 2026-03-26 by redhat
Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication
Published 2026-03-26 by GitHub_M
Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic
Published 2026-03-26 by GitHub_M
URL Parameter Injection in FDC Food Search API Causes Server Crash and Exposes Internal API Key
Published 2026-03-26 by GitHub_M
Tandoor Recipes: WebP and GIF Image Uploads Bypass EXIF/Metadata Stripping, Leaking GPS Coordinates and PII
Published 2026-03-26 by GitHub_M
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
Published 2026-03-26 by openjs
thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal
Published 2026-03-26 by VulnCheck
path-to-regexp vulnerable to Denial of Service via sequential optional groups
Published 2026-03-26 by openjs
Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404
Published 2026-03-26 by GitHub_M
Tandoor Recipes Vulnerable to Host Header Injection
Published 2026-03-26 by GitHub_M
DOM-Based XSS in Ory Polis Login Page
Published 2026-03-26 by GitHub_M
Zen-C has Stack-Based Buffer Overflow in Identifier Mangling
Published 2026-03-26 by GitHub_M
Ory Keto has a SQL injection via forged pagination tokens
Published 2026-03-26 by GitHub_M
Ory Hydra has a SQL injection via forged pagination tokens
Published 2026-03-26 by GitHub_M
Ory Kratos has a SQL injection via forged pagination tokens
Published 2026-03-26 by GitHub_M
Ory Oathkeeper has an authentication bypass by cache key confusion
Published 2026-03-26 by GitHub_M
Firecrawl Playwright Service SSRF Protection Bypass via Missing Post-Redirect Validation
Published 2026-03-26 by VulnCheck
Ory Oathkeeper has an authentication bypass by usage of untrusted header
Published 2026-03-26 by GitHub_M
Ory Oathkeeper has a path traversal authorization bypass
Published 2026-03-26 by GitHub_M
srvx is vulnerable to middleware bypass via absolute URI in request line
Published 2026-03-26 by GitHub_M
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Published 2026-03-26 by GitHub_M
goxmldsig has validateSignature Loop Variable Capture Signature Bypass
Published 2026-03-26 by GitHub_M
Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents
Published 2026-03-26 by GitHub_M
Syft improper temporary file cleanup
Published 2026-03-26 by GitHub_M
FileRise has incorrect authorization in /api/file/snippet.php allows read_own users to read other users’ file content
Published 2026-03-26 by GitHub_M
Frigate has cross-camera snapshot disclosure via unrestricted timeline IDs and missing authorization in /api/events/{event_id}/snapshot-clean.webp
Published 2026-03-26 by GitHub_M
Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw`
Published 2026-03-26 by GitHub_M
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
Published 2026-03-26 by GitHub_M
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
Published 2026-03-26 by GitHub_M
Stirling-PDF has Stored Cross Site Scripting (XSS) via EML-to-HTML Export
Published 2026-03-26 by GitHub_M
Stirling-PDF vulnerable to DoS via add-watermark
Published 2026-03-26 by GitHub_M
Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions
Published 2026-03-26 by GitHub_M
LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64
Published 2026-03-26 by GitHub_M
LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`
Published 2026-03-26 by GitHub_M
SAK-52311: Sakai site-manage group titles can contain XSS content
Published 2026-03-26 by GitHub_M
EVerest has RemoteStop Bypass via BCB Toggle Session Restart
Published 2026-03-26 by GitHub_M
EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop
Published 2026-03-26 by GitHub_M
EVerest: MQTT Switch-Phases Command Data Race Causing Charger State Corruption
Published 2026-03-26 by GitHub_M
EVerest: Charging Continues When WithdrawAuthorization Is Processed Before TransactionStarted
Published 2026-03-26 by GitHub_M
OpenClaw Media Parsing Path Traversal to Arbitrary File Read
Published 2026-03-26 by VulnCheck
EVerest: ISO15118 session_setup use-after-free can crash EVSE process
Published 2026-03-26 by GitHub_M
EVerest's ISO15118 update_energy_transfer_modes overflow can corrupt EVSE state
Published 2026-03-26 by GitHub_M
EVerest: ISO15118 session_setup payment options overflow can corrupt EVSE state
Published 2026-03-26 by GitHub_M
Arbitrary File Read via Advanced Logging Support Packet
Published 2026-03-26 by Mattermost
Missing timestamp validation in Zoom webhook handler
Published 2026-03-26 by Mattermost
EVerest EvseManager phase-switch path has unsynchronized shared-state access race condition
Published 2026-03-26 by GitHub_M
EVerest has use-after-free in auth timeout timer via race condition
Published 2026-03-26 by GitHub_M
Guest users can view group member IDs without respecting view restrictions
Published 2026-03-26 by Mattermost
Zip Bomb Denial of Service via Unrestricted Archive Decompression
Published 2026-03-26 by Mattermost
EVerest: OCPP201 startup event_queue lock mismatch leads to std::map/std::queue data race
Published 2026-03-26 by GitHub_M
Improper Input Validation in Zoom Plugin Webhook Handler
Published 2026-03-26 by Mattermost
mmctl export download command doesn’t restrict permissions to created file to file owner
Published 2026-03-26 by Mattermost
Terminal Escape Injection in mmctl Report Posts Command
Published 2026-03-26 by Mattermost
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Published 2026-03-26 by openjs
EVerest: OCPP 1.6 heap corruption caused by lock-free insertion in event_queue
Published 2026-03-26 by GitHub_M
Polkit: polkit: denial of service via unbounded input processing through standard input
Published 2026-03-26 by redhat
EVerest has race-condition-induced std::map corruption in OCPP 1.6 evse_soc_map
Published 2026-03-26 by GitHub_M
EVerest: OCPP 2.0.1 EVCCID Data Race Leads to Heap Use-After-Free
Published 2026-03-26 by GitHub_M
EVerest: OCPP 2.0.1 EV SoC Update Race Causes Charge Point Crash
Published 2026-03-26 by GitHub_M
EVerest has OOB via EVSE ID Indexing Mismatch in OCPP 2.0.1 UpdateAllowedEnergyTransferModes
Published 2026-03-26 by GitHub_M
EVerest has stack buffer overflow in ifreq.ifr_name when interface name exceeds IFNAMSIZ
Published 2026-03-26 by GitHub_M
EVerest's unchecked SLAC payload length causes stack overflow in HomeplugMessage::setup_payload
Published 2026-03-26 by GitHub_M
SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability
Published 2026-03-26 by SolarWinds
Published 2026-03-26 by siemens
Published 2026-03-26 by siemens
SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability
Published 2026-03-26 by SolarWinds
EVerest has off-by-one stack buffer overflow in IsoMux certificate filename parsing
Published 2026-03-26 by GitHub_M
Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass
Published 2026-03-26 by GitHub_M