Total
2704 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-24692 | 1 Mattermost | 1 Mattermost Server | 2026-03-18 | N/A | 4.3 MEDIUM |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554 | |||||
| CVE-2026-22545 | 1 Mattermost | 1 Mattermost Server | 2026-03-18 | N/A | 3.1 LOW |
| Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Advisory ID: MMSA-2026-00583 | |||||
| CVE-2026-31892 | 1 Argoproj | 1 Argo Workflows | 2026-03-17 | N/A | 8.1 HIGH |
| Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, A user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a podSpecPatch field in their Workflow submission. This works even when the controller is configured with templateReferencing: Strict, which is specifically documented as a mechanism to restrict users to admin-approved templates. The podSpecPatch field on a submitted Workflow takes precedence over the referenced WorkflowTemplate during spec merging and is applied directly to the pod spec at creation time with no security validation. This vulnerability is fixed in 4.0.2 and 3.7.11. | |||||
| CVE-2026-32267 | 1 Craftcms | 1 Craft Cms | 2026-03-17 | N/A | 9.8 CRITICAL |
| Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12. | |||||
| CVE-2026-30945 | 1 Studiocms | 1 Studiocms | 2026-03-17 | N/A | 7.1 HIGH |
| StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0. | |||||
| CVE-2026-30944 | 1 Studiocms | 1 Studiocms | 2026-03-17 | N/A | 8.8 HIGH |
| StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation. This vulnerability is fixed in 0.4.0. | |||||
| CVE-2026-27653 | 1 Soliton | 3 Securebrowser For Onegate, Securebrowser Ii, Secureworkspace | 2026-03-17 | N/A | 6.7 MEDIUM |
| The installers for multiple products provided by Soliton Systems K.K. contain an issue with incorrect default permissions, which may allow arbitrary code to be executed with SYSTEM privileges. | |||||
| CVE-2026-32102 | 1 Olivetin | 1 Olivetin | 2026-03-17 | N/A | 6.5 MEDIUM |
| OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure. | |||||
| CVE-2026-32101 | 1 Studiocms | 1 Studiocms | 2026-03-17 | N/A | 7.6 HIGH |
| StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1. | |||||
| CVE-2026-30943 | 1 Forceu | 1 Gokapi | 2026-03-17 | N/A | 4.1 MEDIUM |
| Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4. | |||||
| CVE-2026-31887 | 1 Shopware | 1 Shopware | 2026-03-16 | N/A | 7.5 HIGH |
| Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15. | |||||
| CVE-2026-32717 | 1 Mintplexlabs | 1 Anythingllm | 2026-03-16 | N/A | 2.7 LOW |
| AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected. | |||||
| CVE-2026-32715 | 1 Mintplexlabs | 1 Anythingllm | 2026-03-16 | N/A | 3.8 LOW |
| AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key. | |||||
| CVE-2026-32059 | 1 Openclaw | 1 Openclaw | 2026-03-16 | N/A | 8.8 HIGH |
| OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode. | |||||
| CVE-2026-30236 | 1 Openproject | 1 Openproject | 2026-03-13 | N/A | 4.3 MEDIUM |
| OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member. This exposed the user's default rate (if one was set up) to users that should only see that information for project members. Also, the endpoint that handles the pre-calculation for the frontend to display a preview of the costs, while it was being entered, did not properly validate the membership of the user as well. This also allowed to calculate costs with the default rate of non-members. This vulnerability is fixed in 17.2.0. | |||||
| CVE-2026-30239 | 1 Openproject | 1 Openproject | 2026-03-13 | N/A | 6.5 MEDIUM |
| OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0. | |||||
| CVE-2026-26141 | 1 Microsoft | 1 Azure Automation Hybrid Worker Windows Extension | 2026-03-13 | N/A | 7.8 HIGH |
| Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2026-28719 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2026-03-13 | N/A | 4.3 MEDIUM |
| Unauthorized resource manipulation due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | |||||
| CVE-2026-28720 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2026-03-13 | N/A | 4.3 MEDIUM |
| Unauthorized modification of settings due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | |||||
| CVE-2026-28723 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2026-03-13 | N/A | 4.3 MEDIUM |
| Unauthorized report deletion due to insufficient access control. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | |||||