Total: 336347 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-26974 | 1 Slyde.js | 1 Slyde | 2026-03-02 | N/A | 9.8 CRITICAL |
|
Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages. This issue has been fixed in version 0.0.5. To workaround this issue, users can audit and restrict which pac ...
|
| CVE-2025-14577 | 1 Slican | 15 Ipl-256.3u, Ipl-256.wm, Ipl-256 Firmware and 12 more | 2026-03-02 | N/A | 9.8 CRITICAL |
|
Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/session_ajax.php endpoint.
This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).
|
| CVE-2026-1618 | 1 Uni-yaz | 1 Flexcity | 2026-03-02 | N/A | 8.8 HIGH |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Universal Software Inc. FlexCity/Kiosk allows Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
|
| CVE-2026-1619 | 1 Uni-yaz | 1 Flexcity | 2026-03-02 | N/A | 8.3 HIGH |
|
Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
|
| CVE-2025-14349 | 1 Uni-yaz | 1 Flexcity | 2026-03-02 | N/A | 8.8 HIGH |
|
Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
|
| CVE-2026-27190 | 1 Deno | 1 Deno | 2026-03-02 | N/A | 8.1 HIGH |
|
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.
|
| CVE-2026-27120 | 1 Vapor | 1 Leafkit | 2026-03-02 | N/A | 6.1 MEDIUM |
|
Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead to XSS if there is a leaf variable in the attribute that is user controlled. This vulnerability is fixed in 1.4.1.
|
| CVE-2026-23597 | 1 Hpe | 1 Aruba Networking Private 5g Core | 2026-03-02 | N/A | 6.5 MEDIUM |
|
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well as to gain insight into internal services and workflows, increasing the risk of unauthorized access and elevated privileges when combined with other vulnerabilities.
|
| CVE-2026-27168 | 1 Sail | 1 Sail | 2026-03-02 | N/A | 8.8 HIGH |
|
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value is read directly from the file as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write operation beyon ...
|
| CVE-2026-26104 | 2 Freedesktop, Redhat | 2 Udisks, Enterprise Linux | 2026-03-02 | N/A | 5.5 MEDIUM |
|
A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.
|
| CVE-2026-26103 | 2 Freedesktop, Redhat | 2 Udisks, Enterprise Linux | 2026-03-02 | N/A | 7.1 HIGH |
|
A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.
|
| CVE-2025-14905 | | | 2026-03-02 | N/A | 7.2 HIGH |
|
A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote C ...
|
| CVE-2026-2705 | 1 Openbabel | 1 Open Babel | 2026-03-01 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was detected in Open Babel up to 3.1.1. The impacted element is the function OBAtom::SetFormalCharge in the library include/openbabel/atom.h of the component MOL2 File Handler. The manipulation results in out-of-bounds read. It is possible to launch the attack remotely. The exploit is now public and may be used. The patch is identified as e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. A patch should be applied to remediate this issue. The project was informed of the problem early thro ...
|
| CVE-2026-2704 | 1 Openbabel | 1 Open Babel | 2026-03-01 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A security vulnerability has been detected in Open Babel up to 3.1.1. The affected element is the function OpenBabel::transform3d::DescribeAsString of the file src/math/transform3d.cpp of the component CIF File Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. It is suggested to install a patch to address this issue ...
|
| CVE-2025-15581 | | | 2026-02-28 | N/A | N/A |
|
Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation.
Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.
|
| CVE-2026-2791 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2788 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2784 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2779 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Incorrect boundary conditions in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2778 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 10.0 CRITICAL |
|
Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2776 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 10.0 CRITICAL |
|
Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2775 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2025-6591 | | | 2026-02-28 | N/A | N/A |
|
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php.
This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0.
|
| CVE-2025-69971 | 1 Frangoteam | 1 Fuxa | 2026-02-28 | N/A | 9.8 CRITICAL |
|
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.
|
| CVE-2025-69421 | 1 Openssl | 1 Openssl | 2026-02-28 | N/A | 7.5 HIGH |
|
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer
dereference in the PKCS12_item_decrypt_d2i_ex() function.
Impact summary: A NULL pointer dereference can trigger a crash which leads to
Denial of Service for an application processing PKCS#12 files.
The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct
parameter is NULL before dereferencing it. When called from
PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can
be NULL, cau ...
|
| CVE-2025-66374 | 1 Cyberark | 1 Endpoint Privilege Manager | 2026-02-28 | N/A | 7.8 HIGH |
|
CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task.
|
| CVE-2025-65887 | 1 Oneflow | 1 Oneflow | 2026-02-28 | N/A | 6.5 MEDIUM |
|
A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.
|
| CVE-2024-26480 | 1 Statping-ng | 1 Statping-ng | 2026-02-28 | N/A | 7.5 HIGH |
|
An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the admin parameter.
|
| CVE-2026-2773 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2766 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2765 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2764 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2763 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-2762 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
|
Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
|
| CVE-2026-3054 | 1 Alinto | 1 Sogo | 2026-02-28 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
| CVE-2026-26369 | 1 Jung-group | 1 Enet Smart Home | 2026-02-28 | N/A | 9.8 CRITICAL |
|
eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.
|
| CVE-2026-26368 | 1 Jung-group | 1 Enet Smart Home | 2026-02-28 | N/A | 8.8 HIGH |
|
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account ...
|
| CVE-2026-23595 | 1 Hpe | 1 Aruba Networking Private 5g Core | 2026-02-28 | N/A | 8.8 HIGH |
|
An authentication bypass in the application API allows an unauthorized administrative account to be created. A remote attacker could exploit this vulnerability to create privileged user accounts. Successful exploitation could allow an attacker to gain administrative access, modify system configurations, and access or manipulate sensitive data.
|
| CVE-2026-23596 | 1 Hpe | 1 Aruba Networking Private 5g Core | 2026-02-28 | N/A | 6.5 MEDIUM |
|
A vulnerability in the management API of the affected product could allow an unauthenticated remote attacker to trigger service restarts. Successful exploitation could allow an attacker to disrupt services and negatively impact system availability.
|
| CVE-2026-23598 | 1 Hpe | 1 Aruba Networking Private 5g Core | 2026-02-28 | N/A | 6.5 MEDIUM |
|
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well as to gain insight into internal services and workflows, increasing the risk of unauthorized access and elevated privileges when combined with other vulnerabilities.
|