Total: 1305 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28678 | 1 Toxicbishop | 1 Dsa Study Hub | 2026-03-11 | N/A | 8.1 HIGH |
| DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba. | |||||
| CVE-2026-27027 | | | 2026-03-10 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-29128 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-09 | N/A | 10.0 CRITICAL |
| IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g., zebra, bgpd, ospfd, and ripd) that are owned by root but world-readable. The configuration files (e.g., zebra.conf, bgpd.conf, ospfd.conf, ripd.conf) contain hardcoded or otherwise insecure plaintext passwords (including “enable”/privileged-mode credentials). A remote actor is able to abuse the reuse/hardcoded nature of these credentials to further access other systems in the network, gain a foothold on the satellite receiver or potentially locally privilege escalate. | |||||
| CVE-2026-27770 | | | 2026-03-09 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2023-2881 | 1 Pimcore | 1 Customer Management Framework | 2026-03-06 | N/A | 4.9 MEDIUM |
| Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10. | |||||
| CVE-2021-22681 | 1 Rockwellautomation | 20 Compact Guardlogix 5370, Compact Guardlogix 5380, Compactlogix 1768 and 17 more | 2026-03-06 | 7.5 HIGH | 9.8 CRITICAL |
| Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. | |||||
| CVE-2026-27773 | 1 Swtchenergy | 1 Swtchenergy.com | 2026-03-05 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-25774 | 1 Ev.energy | 1 Ev.energy | 2026-03-05 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-22890 | 1 Ev2go | 1 Ev2go.io | 2026-03-05 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-22878 | 1 Mobility46 | 1 Mobility46.se | 2026-03-05 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-20791 | 1 Chargemap | 1 Chargemap.com | 2026-03-05 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-20733 | 1 Cloudcharge | 1 Cloudcharge.se | 2026-03-05 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-27167 | 1 Gradio Project | 1 Gradio | 2026-03-05 | N/A | N/A |
| Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue. | |||||
| CVE-2026-20435 | 6 Google, Linuxfoundation, Mediatek and 3 more | 40 Android, Yocto, Mt2737 and 37 more | 2026-03-03 | N/A | 4.6 MEDIUM |
| In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118. | |||||
| CVE-2026-0689 | | | 2026-03-02 | N/A | N/A |
| In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure. | |||||
| CVE-2026-21660 | 1 Johnsoncontrols | 2 Frick Controls Quantum Hd, Frick Controls Quantum Hd Firmware | 2026-03-02 | N/A | 9.8 CRITICAL |
| Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior leads to unauthorized access, exposure of sensitive information, and potential misuse or system compromise. This issue affects Frick Controls Quantum HD version 10.22 and prior. | |||||
| CVE-2025-64122 | 1 Nuvationenergy | 5 Nplatform, Nuvmsc3-04s-c, Nuvmsc3-08s-c and 2 more | 2026-02-26 | N/A | 5.5 MEDIUM |
| Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft. This issue affects Multi-Stack Controller (MSC): through 2.5.1. | |||||
| CVE-2025-67860 | | | 2026-02-25 | N/A | 3.8 LOW |
| A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. | |||||
| CVE-2021-42306 | 1 Microsoft | 4 Azure Active Directory, Azure Active Site Recovery, Azure Automation and 1 more | 2026-02-24 | 4.0 MEDIUM | 8.1 HIGH |
| An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry. | |||||
| CVE-2025-0619 | 1 M-files | 1 M-files Server | 2026-02-23 | N/A | 4.9 MEDIUM |
| Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords. | |||||
