Total: 336347 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-2747 | 1 Seppmail | 1 Seppmail | 2026-03-05 | N/A | 7.5 HIGH | SEPPmail Secure Email Gateway before version 15.0.1 decrypts inline PGP messages without isolating them from surrounding unencrypted content, allowing exposure of sensitive information to an unauthorized actor. |
| CVE-2026-2748 | 1 Seppmail | 1 Seppmail | 2026-03-05 | N/A | 5.3 MEDIUM | SEPPmail Secure Email Gateway before version 15.0.1 improperly validates S/MIME certificates issued for email addresses containing whitespace, allowing signature spoofing. |
| CVE-2026-3224 | 1 Devolutions | 1 Devolutions Server | 2026-03-05 | N/A | 9.8 CRITICAL | Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT). |
| CVE-2025-59783 | 1 2n | 1 Access Commander | 2026-03-05 | N/A | 7.2 HIGH | The API endpoint for user synchronization in 2N Access Commander version 3.4.1 did not have sufficient input validation, allowing OS command injection. This vulnerability can only be exploited after authenticating with administrator privileges. |
| CVE-2026-3204 | 1 Devolutions | 1 Devolutions Server | 2026-03-05 | N/A | 9.8 CRITICAL | Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL. |
| CVE-2025-59784 | 1 2n | 1 Access Commander | 2026-03-05 | N/A | 7.2 HIGH | 2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over the API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges. |
| CVE-2026-2590 | 1 Devolutions | 1 Remote Desktop Manager | 2026-03-05 | N/A | 9.8 CRITICAL | Improper enforcement of the "Disable password saving in vaults" setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled. |
| CVE-2026-27946 | 1 Zitadel | 1 Zitadel | 2026-03-05 | N/A | 6.5 MEDIUM | ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not poss ... |
| CVE-2025-59785 | 1 2n | 1 Access Commander | 2026-03-05 | N/A | 7.2 HIGH | Improper validation of an API endpoint in 2N Access Commander version 3.4.2 and prior allows an attacker to bypass the password policy for backup file encryption. This vulnerability can only be exploited after authenticating with administrator privileges. |
| CVE-2026-27901 | 1 Svelte | 1 Svelte | 2026-03-05 | N/A | 6.1 MEDIUM | Svelte is a performance-oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if untrusted data is rendered as the binding's initial value on the server. Version 5.53.5 fixes the issue. |
| CVE-2026-27902 | 1 Svelte | 1 Svelte | 2026-03-05 | N/A | 5.4 MEDIUM | Svelte is a performance-oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue. |
| CVE-2026-28423 | 1 Statamic | 1 Statamic | 2026-03-05 | N/A | 6.8 MEDIUM | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs, either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5 ... |
| CVE-2026-28424 | 1 Statamic | 1 Statamic | 2026-03-05 | N/A | 6.5 MEDIUM | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0. |
| CVE-2026-28425 | 1 Statamic | 1 Statamic | 2026-03-05 | N/A | 8.0 HIGH | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled co ... |
| CVE-2026-28426 | 1 Statamic | 1 Statamic | 2026-03-05 | N/A | 8.7 HIGH | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0. |
| CVE-2025-59786 | 1 2n | 1 Access Commander | 2026-03-05 | N/A | 9.8 CRITICAL | 2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in the web application. |
| CVE-2025-59787 | 1 2n | 1 Access Commander | 2026-03-05 | N/A | 6.5 MEDIUM | 2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. |
| CVE-2025-59059 | 1 Apache | 1 Ranger | 2026-03-05 | N/A | 9.8 CRITICAL | A remote code execution vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. |
| CVE-2025-59060 | 1 Apache | 1 Ranger | 2026-03-05 | N/A | 5.3 MEDIUM | A hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. |
| CVE-2026-25673 | 1 Djangoproject | 1 Django | 2026-03-05 | N/A | 7.5 HIGH | An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to ... |
| CVE-2026-25674 | 1 Djangoproject | 1 Django | 2026-03-05 | N/A | 3.7 LOW | An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. A race condition in the file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django wo ... |
| CVE-2026-22701 | 1 Tox-dev | 1 Filelock | 2026-03-05 | N/A | 5.3 MEDIUM | filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission c ... |
| CVE-2026-22772 | 1 Linuxfoundation | 1 Fulcio | 2026-03-05 | N/A | 5.8 MEDIUM | Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to ... |
| CVE-2026-3487 | 1 Angeljudesuarez | 1 College Management System | 2026-03-05 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/class-result.php. Manipulation of the argument course_code results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used. |
| CVE-2026-22694 | 1 Aliasvault | 1 Aliasvault | 2026-03-05 | N/A | 6.1 MEDIUM | AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Androi ... |
| CVE-2025-66601 | 1 Yokogawa | 1 Fast/tools | 2026-03-05 | N/A | 6.1 MEDIUM | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not specify MIME types. When an attacker performs a content sniffing attack, malicious scripts could be executed. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. |
| CVE-2025-66602 | 1 Yokogawa | 1 Fast/tools | 2026-03-05 | N/A | 9.8 CRITICAL | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. The web server accepts access by IP address. When a worm that randomly searches for IP addresses intrudes into the network, the product could potentially be attacked by the worm. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. |
| CVE-2025-66603 | 1 Yokogawa | 1 Fast/tools | 2026-03-05 | N/A | 9.8 CRITICAL | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. The web server accepts the OPTIONS method. An attacker could potentially use this information to carry out other attacks. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. |
| CVE-2026-27167 | 1 Gradio Project | 1 Gradio | 2026-03-05 | N/A | N/A | Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessib ... |
| CVE-2026-28414 | 1 Gradio Project | 1 Gradio | 2026-03-05 | N/A | 7.5 HIGH | Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Windows with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining path ... |
| CVE-2026-28415 | 1 Gradio Project | 1 Gradio | 2026-03-05 | N/A | 4.3 MEDIUM | Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, quer ... |
| CVE-2026-28416 | 1 Gradio Project | 1 Gradio | 2026-03-05 | N/A | 8.2 HIGH | Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endp ... |
| CVE-2026-2975 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 5.0 MEDIUM | 5.3 MEDIUM | A security flaw has been discovered in FastApiAdmin up to 2.2.0. Affected by this vulnerability is the function reset_api_docs of the file /backend/app/plugin/init_app.py of the component Custom Documentation Endpoint. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. |
| CVE-2026-2977 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 6.5 MEDIUM | 6.3 MEDIUM | A security vulnerability has been detected in FastApiAdmin up to 2.2.0. This affects the function upload_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Scheduled Task API. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. |
| CVE-2026-2976 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 4.0 MEDIUM | 4.3 MEDIUM | A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Download Endpoint. This manipulation of the argument file_path causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. |
| CVE-2026-2979 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 6.5 MEDIUM | 6.3 MEDIUM | A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. |
| CVE-2026-2978 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. |
| CVE-2025-66604 | 1 Yokogawa | 1 Fast/tools | 2026-03-05 | N/A | 5.3 MEDIUM | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. The library version could be displayed on the web page. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. |
| CVE-2025-66605 | 1 Yokogawa | 1 Fast/tools | 2026-03-05 | N/A | 5.3 MEDIUM | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Since there are input fields on this webpage with the autocomplete attribute enabled, the input content could be saved in the browser the user is using. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. |
| CVE-2025-66606 | 1 Yokogawa | 1 Fast/tools | 2026-03-05 | N/A | 9.6 CRITICAL | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly encode URLs. An attacker could tamper with web pages or execute malicious scripts. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. |