Total
2704 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-29127 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-09 | N/A | 7.8 HIGH |
| The IDC SFX2100 Satellite Receiver sets overly permissive file system permissions on the monitor user's home directory. The directory is configured with permissions 0777, granting read, write, and execute access to all local users on the system, which may cause local privilege escalation depending on conditions of the system due to the presence of highly privileged processes and binaries residing within the affected directory. | |||||
| CVE-2025-15288 | 1 Tanium | 1 Interact | 2026-03-09 | N/A | 3.1 LOW |
| Tanium addressed an improper access controls vulnerability in Interact. | |||||
| CVE-2025-15322 | 1 Tanium | 1 Server | 2026-03-09 | N/A | 4.3 MEDIUM |
| Tanium addressed an improper access controls vulnerability in Tanium Server. | |||||
| CVE-2026-28466 | 1 Openclaw | 1 Openclaw | 2026-03-09 | N/A | 9.9 CRITICAL |
| OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject approval control fields to execute arbitrary commands on connected node hosts, potentially compromising developer workstations and CI runners. | |||||
| CVE-2026-28474 | 2026-03-09 | N/A | 9.8 CRITICAL | ||
| OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations. | |||||
| CVE-2026-23925 | 2026-03-09 | N/A | N/A | ||
| An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions. | |||||
| CVE-2026-29087 | 2026-03-09 | N/A | 7.5 HIGH | ||
| @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10. | |||||
| CVE-2026-27802 | 1 Dani-garcia | 1 Vaultwarden | 2026-03-06 | N/A | 8.3 HIGH |
| Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4. | |||||
| CVE-2026-27803 | 1 Dani-garcia | 1 Vaultwarden | 2026-03-06 | N/A | 8.3 HIGH |
| Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4. | |||||
| CVE-2025-67490 | 1 Auth0 | 1 Nextjs-auth0 | 2026-03-06 | N/A | 5.4 MEDIUM |
| The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1. | |||||
| CVE-2026-26949 | 1 Dell | 1 Device Management Agent | 2026-03-05 | N/A | 5.5 MEDIUM |
| Dell Device Management Agent (DDMA), versions prior to 26.02, contain an Incorrect Authorization vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | |||||
| CVE-2026-3136 | 1 Google | 1 Cloud Build | 2026-03-05 | N/A | 9.8 CRITICAL |
| An improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment. This vulnerability was patched on 26 January 2026, and no customer action is needed. | |||||
| CVE-2026-2141 | 1 5kcrm | 1 Wukongcrm | 2026-03-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-68129 | 1 Auth0 | 4 Auth0-php, Laravel-auth0, Symfony and 1 more | 2026-03-05 | N/A | 6.8 MEDIUM |
| Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue. | |||||
| CVE-2026-3103 | 1 Checkmk | 1 Checkmk | 2026-03-05 | N/A | 5.4 MEDIUM |
| A logic error in the remove_password() function in Checkmk GmbH's Checkmk versions <2.4.0p23, <2.3.0p43, and 2.2.0 (EOL) allows a low-privileged user to cause data loss. | |||||
| CVE-2025-66623 | 1 Linuxfoundation | 1 Strimzi | 2026-03-04 | N/A | 7.4 HIGH |
| Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1. | |||||
| CVE-2025-13734 | 1 Ibm | 1 Engineering Requirements Management Doors Next | 2026-03-04 | N/A | 5.4 MEDIUM |
| IBM Engineering Requirements Management DOORS Next 7.1, and 7.2 could allow an authenticated user to view and edit data beyond their authorized access permissions. | |||||
| CVE-2026-28354 | 1 Oxygenz | 1 Clipbucket | 2026-03-03 | N/A | 6.5 MEDIUM |
| ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user’s collection items. This affects both add item (/actions/add_to_collection.php) due to missing authorization checks and delete item (/manage_collections.php?mode=manage_items...) due to a broken ownership check in removeItemFromCollection(). As a result, attackers can insert and remove items from collections they do not own. Version 5.5.3 #59 fixes the issue. | |||||
| CVE-2026-26336 | 1 Hyland | 1 Alfresco Content Services | 2026-03-03 | N/A | 7.5 HIGH |
| Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files. | |||||
| CVE-2026-25040 | 1 Budibase | 1 Budibase | 2026-03-03 | N/A | 8.8 HIGH |
| Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available. | |||||