Total: 336347 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-28443 | | | 2026-03-05 | N/A | N/A | OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0. |
| CVE-2026-28442 | | | 2026-03-05 | N/A | 8.5 HIGH | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be bypassed. By altering the path parameter in the delete request, internal OS files and directories can be removed successfully. The backend processes these manipulated requests without validating whether ... |
| CVE-2026-28436 | | | 2026-03-05 | N/A | N/A | Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0. |
| CVE-2026-28413 | | | 2026-03-05 | N/A | 5.3 MEDIUM | Products.isurlinportal is a replacement for the isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a URL such as /login?came_from=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0. |
| CVE-2026-28410 | | | 2026-03-05 | N/A | N/A | The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0. |
| CVE-2026-28405 | | | 2026-03-05 | N/A | 8.0 HIGH | MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1. |
| CVE-2026-28078 | | | 2026-03-05 | N/A | 4.9 MEDIUM | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Stylemix uListing ulisting allows Path Traversal. This issue affects uListing: from n/a through <= 2.2.0. |
| CVE-2026-28076 | | | 2026-03-05 | N/A | 7.5 HIGH | Missing Authorization vulnerability in Frenify Guff guff allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Guff: from n/a through <= 1.0.1. |
| CVE-2026-28074 | | | 2026-03-05 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection. This issue affects Pizza House: from n/a through <= 1.4.0. |
| CVE-2026-28071 | | | 2026-03-05 | N/A | 6.3 MEDIUM | Missing Authorization vulnerability in PixFort pixfort Core pixfort-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects pixfort Core: from n/a through <= 3.2.22. |
| CVE-2026-28068 | | | 2026-03-05 | N/A | 8.1 HIGH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Rhythmo rhythmo allows PHP Local File Inclusion. This issue affects Rhythmo: from n/a through <= 1.3.4. |
| CVE-2026-28066 | | | 2026-03-05 | N/A | 8.1 HIGH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legrand legrand allows PHP Local File Inclusion. This issue affects Legrand: from n/a through <= 2.17. |
| CVE-2026-28064 | | | 2026-03-05 | N/A | 8.1 HIGH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Edge Decor edge-decor allows PHP Local File Inclusion. This issue affects Edge Decor: from n/a through <= 2.2. |
| CVE-2026-28062 | | | 2026-03-05 | N/A | 8.1 HIGH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Happy Baby happy-baby allows PHP Local File Inclusion. This issue affects Happy Baby: from n/a through <= 1.2.12. |
| CVE-2026-28060 | | | 2026-03-05 | N/A | 8.1 HIGH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX S.King stephanie-king allows PHP Local File Inclusion. This issue affects S.King: from n/a through <= 1.5.3. |
| CVE-2026-28059 | | | 2026-03-05 | N/A | 8.1 HIGH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Dermatology Clinic dermatology-clinic allows PHP Local File Inclusion. This issue affects Dermatology Clinic: from n/a through <= 1.4.3. |
| CVE-2026-28038 | | | 2026-03-05 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through <= 3.21.1. |
| CVE-2026-28036 | | | 2026-03-05 | N/A | 6.4 MEDIUM | Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery. This issue affects Ratatouille: from n/a through <= 1.2.6. |
| CVE-2026-27773 | Swtchenergy | Swtchenergy.com | 2026-03-05 | N/A | 6.5 MEDIUM | Charging station authentication identifiers are publicly accessible via web-based mapping platforms. |
| CVE-2026-27772 | Ev.energy | Ev.energy | 2026-03-05 | N/A | 9.4 CRITICAL | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corru ... |
| CVE-2026-27767 | Swtchenergy | Swtchenergy.com | 2026-03-05 | N/A | 9.4 CRITICAL | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corru ... |
| CVE-2026-27652 | Cloudcharge | Cloudcharge.se | 2026-03-05 | N/A | 7.3 HIGH | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a ... |
| CVE-2026-27647 | Mobility46 | Mobility46.se | 2026-03-05 | N/A | 7.3 HIGH | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a ... |
| CVE-2026-27028 | Mobility46 | Mobility46.se | 2026-03-05 | N/A | 9.4 CRITICAL | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corru ... |
| CVE-2026-26305 | Mobility46 | Mobility46.se | 2026-03-05 | N/A | 7.5 HIGH | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access. |
| CVE-2026-26290 | Ev.energy | Ev.energy | 2026-03-05 | N/A | 7.3 HIGH | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a ... |
| CVE-2026-25945 | Ev2go | Ev2go.io | 2026-03-05 | N/A | 7.5 HIGH | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access. |
| CVE-2026-25851 | Chargemap | Chargemap.com | 2026-03-05 | N/A | 9.4 CRITICAL | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corru ... |
| CVE-2026-25778 | Swtchenergy | Swtchenergy.com | 2026-03-05 | N/A | 7.3 HIGH | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a ... |
| CVE-2026-25774 | Ev.energy | Ev.energy | 2026-03-05 | N/A | 6.5 MEDIUM | Charging station authentication identifiers are publicly accessible via web-based mapping platforms. |
| CVE-2026-25711 | Chargemap | Chargemap.com | 2026-03-05 | N/A | 7.3 HIGH | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a ... |
| CVE-2026-25114 | Cloudcharge | Cloudcharge.se | 2026-03-05 | N/A | 7.5 HIGH | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access. |
| CVE-2026-25113 | Swtchenergy | Swtchenergy.com | 2026-03-05 | N/A | 7.5 HIGH | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access. |
| CVE-2026-24731 | Ev2go | Ev2go.io | 2026-03-05 | N/A | 9.4 CRITICAL | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corru ... |
| CVE-2026-24445 | Ev.energy | Ev.energy | 2026-03-05 | N/A | 7.5 HIGH | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access. |
| CVE-2026-22890 | Ev2go | Ev2go.io | 2026-03-05 | N/A | 6.5 MEDIUM | Charging station authentication identifiers are publicly accessible via web-based mapping platforms. |
| CVE-2026-22878 | Mobility46 | Mobility46.se | 2026-03-05 | N/A | 6.5 MEDIUM | Charging station authentication identifiers are publicly accessible via web-based mapping platforms. |
| CVE-2026-22723 | | | 2026-03-05 | N/A | 6.5 MEDIUM | Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment v48.7.0 to v54.10.0. |
| CVE-2026-20895 | Ev2go | Ev2go.io | 2026-03-05 | N/A | 7.3 HIGH | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a ... |
| CVE-2026-0848 | | | 2026-03-05 | N/A | 10.0 CRITICAL | NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arise ... |