Total: 341257 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-30558 | | | 2026-03-30 | N/A | N/A |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_customer.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | | | | | |
| CVE-2026-30557 | | | 2026-03-30 | N/A | N/A |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | | | | | |
| CVE-2026-30556 | | | 2026-03-30 | N/A | N/A |
| A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. | | | | | |
| CVE-2026-30082 | | | 2026-03-30 | N/A | 6.1 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature of the Software Package List page of IngEstate Server v11.14.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the About application, What's news, or Release note parameters. | | | | | |
| CVE-2026-2287 | | | 2026-03-30 | N/A | N/A |
| CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation. | | | | | |
| CVE-2026-2286 | | | 2026-03-30 | N/A | N/A |
| CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime. | | | | | |
| CVE-2026-2285 | | | 2026-03-30 | N/A | N/A |
| CrewAI contains an arbitrary local file read vulnerability in the JSON loader tool that reads files without path validation, enabling access to files on the server. | | | | | |
| CVE-2026-2275 | | | 2026-03-30 | N/A | N/A |
| The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling. | | | | | |
| CVE-2026-21712 | | | 2026-03-30 | N/A | 5.7 MEDIUM |
| A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. | | | | | |
| CVE-2026-32979 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 7.3 HIGH |
| OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution to achieve unintended code execution as the OpenClaw runtime user. | |||||
| CVE-2026-33573 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 8.8 HIGH |
| OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values. Remote operators can escape the configured workspace boundary and execute arbitrary file and exec operations from any process-accessible directory. | |||||
| CVE-2026-33575 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 7.5 HIGH |
| OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outside the intended one-time pairing flow. | |||||
| CVE-2026-5102 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-03-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. This vulnerability affects the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument qos_up_bw results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-5045 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2026-03-30 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability was detected in Tenda FH1201 1.2.0.14(408). This impacts the function WrlclientSet of the file /goform/WrlclientSet of the component Parameter Handler. Performing a manipulation of the argument GO results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. | |||||
| CVE-2026-5046 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2026-03-30 | 9.0 HIGH | 8.8 HIGH |
| A flaw has been found in Tenda FH1201 1.2.0.14(408). Affected is the function formWrlExtraSet of the file /goform/WrlExtraSet of the component Parameter Handler. Executing a manipulation of the argument GO can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. | |||||
| CVE-2026-5101 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-03-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument lanIp leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | |||||
| CVE-2026-2370 | 1 Gitlab | 1 Gitlab | 2026-03-30 | N/A | 8.1 HIGH |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks. | |||||
| CVE-2026-5103 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-03-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-5104 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-03-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-5105 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-03-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affected element is the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument pptpPassThru results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | |||||
