Export limit exceeded: 338305 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (338305 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-70973 | 1 Scadabr | 1 Scadabr | 2026-03-11 | 4.8 Medium |
| ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session. | ||||
| CVE-2025-27769 | 1 Siemens | 2 Heliox Flex 180 Kw Ev Charging Station, Heliox Mobile Dc 40 Kw Ev Charging Station | 2026-03-11 | 2.6 Low |
| A vulnerability has been identified in Heliox Flex 180 kW EV Charging Station (All versions < F4.11.1), Heliox Mobile DC 40 kW EV Charging Station (All versions < L4.10.1). Affected devices contain improper access control that could allow an attacker to reach unauthorized services via the charging cable. | ||||
| CVE-2026-22614 | 1 Eaton | 1 Easysoft | 2026-03-11 | 6.1 Medium |
| The encryption mechanism used in Eaton's EasySoft project file was insecure and susceptible to brute force attacks, an attacker with access to this file and the local host machine could potentially read the sensitive information stored and tamper with the project file. This security issue has been fixed in the latest version of Eaton EasySoft which is available on the Eaton download centre. | ||||
| CVE-2025-56422 | 1 Limesurvey | 1 Limesurvey | 2026-03-11 | 9.8 Critical |
| A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server. | ||||
| CVE-2025-70025 | 1 Benkeen | 1 Generatedata | 2026-03-11 | 6.1 Medium |
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in benkeen generatedata 4.0.14. | ||||
| CVE-2025-2399 | 1 Mitsubishi Electric | 20 Cnc C80 Series C80, Cnc E70 Series E70, Cnc E80 Series E80 and 17 more | 2026-03-11 | 5.9 Medium |
| Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric CNC M800V Series M800VW and M800VS, M80V Series M80V and M80VW, M800 Series M800W and M800S, M80 Series M80 and M80W, E80 Series E80, C80 Series C80, M700V Series M750VW, M720VW, 730VW, M720VS, M730VS, and M750VS, M70V Series M70V, E70 Series E70, and Software Tools NC Trainer2 and NC Trainer2 plus allows a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition by sending specially crafted packets to TCP port 683. | ||||
| CVE-2026-25960 | 1 Vllm-project | 1 Vllm | 2026-03-11 | 7.1 High |
| vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0. | ||||
| CVE-2025-54659 | 1 Fortinet | 1 Fortisoaragentcommunicationbridge | 2026-03-11 | 5.5 Medium |
| An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] vulnerability in Fortinet FortiSOAR Agent Communication Bridge 1.1.0, FortiSOAR Agent Communication Bridge 1.0 all versions may allow an unauthenticated attacker to read files accessible to the fortisoar user on a system where the agent is deployed, via sending a crafted request to the agent port. | ||||
| CVE-2026-27687 | 1 Sap Se | 2 Sap Erp Hcm Portugal, Sap S/4hana Hcm Portugal | 2026-03-11 | 5.8 Medium |
| Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability. | ||||
| CVE-2025-13901 | 1 Schneider-electric | 2 Modicon M241/m251, Modicon M262 | 2026-03-11 | N/A |
| CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels. | ||||
| CVE-2026-29773 | 1 Kubewarden | 1 Kubewarden-controller | 2026-03-11 | 4.3 Medium |
| Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manner, without privilege escalation. An attacker with privileged "AdmissionPolicy" create permissions (which isn't the default) could make use of 3 deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, kubernetes/services. The attacker can craft a policy that exercises these deprecated API calls and would allow them read access to Ingresses, Namespaces, and Services resources respectively. This attack is read-only, there is no write capability and no access to Secrets, ConfigMaps, or other resource types beyond these three. | ||||
| CVE-2025-41711 | 2 Janitza, Weidmueller | 4 Umg 96rm-e 230v(5222062), Umg 96rm-e 24v(5222063), Energy Meter 750-230 (2540910000) and 1 more | 2026-03-11 | 5.3 Medium |
| An unauthenticated remote attacker can use firmware images to extract password hashes and brute force plaintext passwords of accounts with limited access. | ||||
| CVE-2025-69614 | 1 Deutsche Telekom | 1 Account Management Portal | 2026-03-11 | 9.4 Critical |
| Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31. | ||||
| CVE-2025-69615 | 1 Deutsche Telekom | 1 Account Management Portal | 2026-03-11 | 9.1 Critical |
| Incorrect Access Control via missing 2FA rate-limiting allowing unlimited brute-force retries and full MFA bypass with no user interaction required. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-24, fixed 2025-11-03. | ||||
| CVE-2026-3719 | 1 Tsinghua Unigroup | 1 Electronic Archives System | 2026-03-11 | 5.3 Medium |
| A vulnerability was identified in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). This issue affects some unknown processing of the file /System/Cms/downLoad. The manipulation of the argument path leads to path traversal. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-31838 | 1 Istio | 1 Istio | 2026-03-11 | 5.3 Medium |
| Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests with multiple header values in a way that causes Envoy to evaluate the header differently than intended, potentially bypassing authorization checks. This may allow unauthorized requests to reach protected services when policies depend on such header-based matching conditions. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8. | ||||
| CVE-2026-3315 | 1 Assa Abloy | 1 Visionline | 2026-03-11 | N/A |
| Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.This issue affects Visionline: from 1.0 before 1.33. | ||||
| CVE-2026-3228 | 2 Nextscripts, Wordpress | 2 Social Networks Auto Poster, Wordpress | 2026-03-11 | 6.4 Medium |
| The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the `snapFB` post meta value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-30964 | 1 Web-auth | 3 Webauthn-framework, Webauthn-lib, Webauthn-symfony-bundle | 2026-03-11 | 5.4 Medium |
| web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4. | ||||
| CVE-2026-30945 | 1 Withstudiocms | 1 Studiocms | 2026-03-11 | 7.1 High |
| StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0. | ||||