Total: 5950 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-4004 | | | 2026-03-23 | N/A | 6.5 MEDIUM | The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode syntax (square brackets) to pass through sanitize_text_field() and be concatenated into a do_shortcode() call. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters like 'task_id', 'point_id', 'categories_id', or 'term'. |
| CVE-2026-4515 | | | 2026-03-23 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability has been found in Foundation Agents MetaGPT up to 0.8.1. This affects the function code_generate of the file metagpt/ext/aflow/scripts/operator.py. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-4510 | | | 2026-03-23 | 5.0 MEDIUM | 4.3 MEDIUM | A weakness has been identified in PbootCMS up to 3.2.12. This impacts the function alert_location of the file apps/home/controller/MemberController.php of the component Parameter Handler. This manipulation of the argument backurl causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. |
| CVE-2026-4577 | | | 2026-03-23 | 3.3 LOW | 2.4 LOW | A vulnerability was found in code-projects Exam Form Submission 1.0. The affected element is an unknown function of the file /admin/update_s4.php. Performing a manipulation of the argument sname results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. |
| CVE-2026-4557 | | | 2026-03-23 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was detected in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s1.php. Performing a manipulation of the argument sname results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. |
| CVE-2026-4564 | | | 2026-03-23 | 5.8 MEDIUM | 4.7 MEDIUM | A security vulnerability has been detected in yangzongzhuan RuoYi up to 4.8.2. This issue affects some unknown processing of the file /monitor/job/ of the component Quartz Job Handler. Such manipulation of the argument invokeTarget leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-4544 | | | 2026-03-23 | 3.3 LOW | 2.4 LOW | A vulnerability was determined in Wavlink WL-WN578W2 221110. This affects an unknown function of the file /cgi-bin/login.cgi of the component POST Request Handler. Executing a manipulation of the argument homepage/hostname/login_page can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-10679 | | | 2026-03-23 | N/A | 7.3 HIGH | The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. This is due to insufficient input validation in the bulkTenReviews function that allows user-controlled data to be passed directly to a variable function call mechanism. This makes it possible for unauthenticated attackers to call arbitrary PHP class methods that take no inputs or have default values, potentially leading to information disclosure or remote code execution depending on available methods and server configuration. |
| CVE-2026-4578 | | | 2026-03-23 | 3.3 LOW | 2.4 LOW | A vulnerability was determined in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_s3.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. |
| CVE-2026-4576 | | | 2026-03-23 | 3.3 LOW | 2.4 LOW | A vulnerability has been found in code-projects Exam Form Submission 1.0. Impacted is an unknown function of the file /admin/update_s5.php. Such manipulation of the argument sname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2026-4575 | | | 2026-03-23 | 3.3 LOW | 2.4 LOW | A flaw has been found in code-projects Exam Form Submission 1.0. This issue affects some unknown processing of the file /admin/update_s2.php. This manipulation of the argument sname causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used. |
| CVE-2025-32432 | 1 Craftcms | 1 Craft Cms | 2026-03-20 | N/A | 10.0 CRITICAL | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892. |
| CVE-2025-54068 | 1 Laravel | 1 Livewire | 2026-03-20 | N/A | 9.8 CRITICAL | Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available. |
| CVE-2026-30402 | | | 2026-03-20 | N/A | 9.8 CRITICAL | An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbitrary code via the test connection function. |
| CVE-2025-67034 | 1 Lantronix | 6 Eds5008, Eds5008 Firmware, Eds5016 and 3 more | 2026-03-19 | N/A | 8.8 HIGH | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "name" parameter when deleting SSL credentials through the management interface. Injected commands are executed with root privileges. |
| CVE-2025-67035 | 1 Lantronix | 6 Eds5008, Eds5008 Firmware, Eds5016 and 3 more | 2026-03-19 | N/A | 9.8 CRITICAL | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An attacker can inject arbitrary commands in delete actions of various objects, such as server keys, users, and known hosts. Commands are executed with root privileges. |
| CVE-2025-67036 | 1 Lantronix | 6 Eds5008, Eds5008 Firmware, Eds5016 and 3 more | 2026-03-19 | N/A | 8.8 HIGH | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The Log Info page allows users to see log files by specifying their names. Due to missing sanitization of the file name parameter, an authenticated attacker can inject arbitrary OS commands that are executed with root privileges. |
| CVE-2025-67037 | 1 Lantronix | 6 Eds5008, Eds5008 Firmware, Eds5016 and 3 more | 2026-03-19 | N/A | 8.8 HIGH | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "tunnel" parameter when killing a tunnel connection. Injected commands are executed with root privileges. |
| CVE-2025-67038 | 1 Lantronix | 6 Eds5008, Eds5008 Firmware, Eds5016 and 3 more | 2026-03-19 | N/A | 9.8 CRITICAL | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when a user's authentication fails. The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges. |
| CVE-2026-32304 | 1 Locutus | 1 Locutus | 2026-03-19 | N/A | 9.8 CRITICAL | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091, which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14. |
