Total
34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0038 | 1 Google | 1 Android | 2026-03-06 | N/A | 8.4 HIGH |
|
In multiple functions of mem_protect.c, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2026-0026 | 1 Google | 1 Android | 2026-03-06 | N/A | 7.8 HIGH |
|
In removePermission of PermissionManagerServiceImpl.java, there is a possible way to override any system permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
|
|||||
| CVE-2026-0012 | 1 Google | 1 Android | 2026-03-06 | N/A | 6.2 MEDIUM |
|
In setHideSensitive of ExpandableNotificationRow.java, there is a possible contact name leak due due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2026-0005 | 1 Google | 1 Android | 2026-03-06 | N/A | 6.2 MEDIUM |
|
In onServiceDisconnected of KeyguardServiceDelegate.java, there is a possible partial bypass of app pinning allowing limited interaction with other apps without knowing the LSKF due to a missing permission check. This could lead to local information disclosure where the extent of interaction and impact is app-dependent with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-48654 | 1 Google | 1 Android | 2026-03-06 | N/A | 7.8 HIGH |
|
In onStart of CompanionDeviceManagerService.java, there is a possible confused deputy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-48653 | 1 Google | 1 Android | 2026-03-06 | N/A | 7.8 HIGH |
|
In loadDataAndPostValue of multiple files, there is a possible way to obscure permission usage due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-48645 | 1 Google | 1 Android | 2026-03-06 | N/A | 7.8 HIGH |
|
In loadDescription of DeviceAdminInfo.java, there is a possible persistent package due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-48644 | 1 Google | 1 Android | 2026-03-06 | N/A | 5.5 MEDIUM |
|
In multiple locations, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-48642 | 1 Google | 1 Android | 2026-03-06 | N/A | 5.5 MEDIUM |
|
In jump_to_payload of payload.rs, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2026-28434 | 1 Yhirose | 1 Cpp-httplib | 2026-03-05 | N/A | 5.3 MEDIUM |
|
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The be ...
Show More |
|||||
| CVE-2025-66319 | 1 Huawei | 1 Harmonyos | 2026-03-05 | N/A | 3.3 LOW |
|
Permission control vulnerability in the resource scheduling module. Impact: Successful exploitation of this vulnerability may affect service integrity.
|
|||||
| CVE-2026-28542 | 1 Huawei | 2 Emui, Harmonyos | 2026-03-05 | N/A | 7.3 HIGH |
|
Permission bypass vulnerability in the system service framework. Impact: Successful exploitation of this vulnerability may affect availability.
|
|||||
| CVE-2026-28541 | 1 Huawei | 1 Harmonyos | 2026-03-05 | N/A | 4.0 MEDIUM |
|
Permission control vulnerability in the cellular_data module. Impact: Successful exploitation of this vulnerability may affect availability.
|
|||||
| CVE-2026-28539 | 1 Huawei | 1 Harmonyos | 2026-03-05 | N/A | 6.2 MEDIUM |
|
Data processing vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2026-1709 | 2 Keylime, Redhat | 9 Keylime, Enterprise Linux, Enterprise Linux Eus and 6 more | 2026-03-05 | N/A | 9.4 CRITICAL |
|
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
|
|||||
| CVE-2026-27443 | 1 Seppmail | 1 Seppmail | 2026-03-05 | N/A | 7.5 HIGH |
|
SEPPmail Secure Email Gateway before version 15.0.1 does not properly sanitize the headers from S/MIME protected MIME entities, allowing an attacker to control trusted headers.
|
|||||
| CVE-2026-2747 | 1 Seppmail | 1 Seppmail | 2026-03-05 | N/A | 7.5 HIGH |
|
SEPPmail Secure Email Gateway before version 15.0.1 decrypts inline PGP messages without isolating them from surrounding unencrypted content, allowing exposure of sensitive information to an unauthorized actor.
|
|||||
| CVE-2026-2975 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A security flaw has been discovered in FastApiAdmin up to 2.2.0. Affected by this vulnerability is the function reset_api_docs of the file /backend/app/plugin/init_app.py of the component Custom Documentation Endpoint. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
|
|||||
| CVE-2026-24924 | 1 Huawei | 1 Harmonyos | 2026-03-05 | N/A | 6.1 MEDIUM |
|
Vulnerability of improper permission control in the print module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2026-0871 | 1 Redhat | 2 Build Of Keycloak, Keycloak | 2026-03-05 | N/A | 4.9 MEDIUM |
|
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
|
|||||
| CVE-2026-20601 | 1 Apple | 1 Macos | 2026-03-04 | N/A | 3.3 LOW |
|
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to monitor keystrokes without user permission.
|
|||||
| CVE-2025-36364 | 1 Ibm | 1 Devops Plan | 2026-03-04 | N/A | 6.2 MEDIUM |
|
IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system.
|
|||||
| CVE-2026-28559 | 1 Gvectors | 1 Wpforo Forum | 2026-03-04 | N/A | 5.3 MEDIUM |
|
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
|
|||||
| CVE-2026-28230 | 1 Steve-community | 1 Steve | 2026-03-03 | N/A | 6.3 MEDIUM |
|
SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId (a sequential integer starting from 1) without verifying that the requesting charger matches the charger that originally started the transaction. Any authenticated charger can terminate any other charger’s active session across the entire network. The root cause is in OcppServerRepositoryImpl. ...
Show More |
|||||
| CVE-2023-4631 | 1 Wpdo | 1 Dologin Security | 2026-03-03 | N/A | 5.3 MEDIUM |
|
The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing.
|
|||||
| CVE-2026-21928 | 1 Oracle | 1 Solaris | 2026-03-03 | N/A | 5.3 MEDIUM |
|
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
|
|||||
| CVE-2026-24314 | 1 Sap | 2 S\/4hana Uiapfi70, S\/4hana Uis4h | 2026-03-03 | N/A | 4.3 MEDIUM |
|
Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which would otherwise be restricted. This could cause low impact on confidentiality of the application while integrity and availability are not impacted.
|
|||||
| CVE-2025-55749 | 1 Xwiki | 1 Xwiki | 2026-03-02 | N/A | 7.5 HIGH |
|
XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.
|
|||||
| CVE-2026-27975 | 1 Ajenti | 1 Ajenti | 2026-03-02 | N/A | 9.8 CRITICAL |
|
Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in the version 2.2.13.
|
|||||
| CVE-2026-2791 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
|||||
| CVE-2026-2788 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
|||||
| CVE-2026-2784 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
|||||
| CVE-2026-2779 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Incorrect boundary conditions in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
|||||
| CVE-2026-2778 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 10.0 CRITICAL |
|
Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
|||||
| CVE-2026-2776 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 10.0 CRITICAL |
|
Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
|||||
| CVE-2026-2775 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
|||||
| CVE-2025-66374 | 1 Cyberark | 1 Endpoint Privilege Manager | 2026-02-28 | N/A | 7.8 HIGH |
|
CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task.
|
|||||
| CVE-2024-26480 | 1 Statping-ng | 1 Statping-ng | 2026-02-28 | N/A | 7.5 HIGH |
|
An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the admin parameter.
|
|||||
| CVE-2026-2773 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
|||||
| CVE-2026-26369 | 1 Jung-group | 1 Enet Smart Home | 2026-02-28 | N/A | 9.8 CRITICAL |
|
eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.
|
|||||