Vulnerabilities (CVE)

Filtered by CWE-20
Total 11917 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-4407 2026-03-19 N/A N/A
Out-of-bounds array write in Xpdf 4.06 and earlier, due to incorrect validation of the "N" field in ICCBased color spaces.
CVE-2018-25160 1 Tokuhirom 1 Http\ 2026-03-18 N/A 6.5 MEDIUM
HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.
CVE-2026-29791 1 Lfprojects 1 Agentgateway 2026-03-18 N/A 4.9 MEDIUM
Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environment. Prior to version 0.12.0, when converting MCP tools/call request to OpenAPI request, input path, query, and header values are not sanitized. This issue has been patched in version 0.12.0.
CVE-2025-12543 1 Redhat 8 Build Of Apache Camel, Data Grid, Fuse and 5 more 2026-03-18 N/A 9.6 CRITICAL
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
CVE-2026-23489 1 Teclib-edition 1 Fields 2026-03-18 N/A 9.1 CRITICAL
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
CVE-2024-11079 2026-03-18 N/A 5.5 MEDIUM
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
CVE-2025-6969 1 Openatom 1 Openharmony 2026-03-17 N/A 5.0 MEDIUM
in OpenHarmony v5.1.0 and prior versions allow a local attacker to cause DoS through improper input.
CVE-2025-26474 1 Openatom 1 Openharmony 2026-03-17 N/A 3.3 LOW
in OpenHarmony v5.0.3 and prior versions allow a local attacker to cause information improper input. This vulnerability can be exploited only in restricted scenarios.
CVE-2025-14558 1 Freebsd 1 Freebsd 2026-03-17 N/A 7.2 HIGH
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands passed as input to resolvconf(8) may be executed.
CVE-2025-31966 2026-03-17 N/A 2.7 LOW
HCL Sametime is vulnerable to broken server-side validation. While the application performs client-side input checks, these are not enforced by the web server. An attacker can bypass these restrictions by sending manipulated HTTP requests directly to the server.
CVE-2026-3644 2026-03-17 N/A N/A
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
CVE-2026-22204 1 Gvectors 1 Wpdiscuz 2026-03-17 N/A 3.7 LOW
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.
CVE-2026-31900 1 Python 1 Black 2026-03-16 N/A 9.8 CRITICAL
Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.
CVE-2026-29046 1 Ritlabs 1 Tinyweb 2026-03-16 N/A 8.2 HIGH
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
CVE-2026-1668 2026-03-16 N/A N/A
The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bounds memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution. An unauthenticated attacker with network access to the affected interface may cause memory corruption, service instability, or information disclosure. Successful exploitation may allow remote code execution or denial-of-service.
CVE-2026-26121 1 Microsoft 1 Azure Iot Explorer 2026-03-13 N/A 7.5 HIGH
Server-side request forgery (SSRF) in Azure IoT Explorer allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-43533 1 Apple 6 Ipados, Iphone Os, Macos and 3 more 2026-03-13 N/A 5.7 MEDIUM
Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in watchOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. A malicious HID device may cause an unexpected process crash.
CVE-2026-20967 1 Microsoft 1 System Center Operations Manager 2026-03-13 N/A 8.8 HIGH
Improper input validation in System Center Operations Manager allows an authorized attacker to elevate privileges over a network.
CVE-2026-26106 1 Microsoft 1 Sharepoint Server 2026-03-13 N/A 8.8 HIGH
Improper input validation in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-30901 2026-03-12 N/A 7.0 HIGH
Improper Input Validation in Zoom Rooms for Windows before 6.6.5 in Kiosk Mode may allow an authenticated user to conduct an escalation of privilege via local access.