Export limit exceeded: 341166 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 341166 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341166 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4851 | 1 Casiano | 1 Grid::machine | 2026-03-30 | N/A |
| GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol. read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval() $arg .= '$VAR1'; my $val = eval "no strict; $arg"; # line 40-41 $arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response: $VAR1 = do { system("..."); }; This executes on the client silently on every RPC call, as the return values remain correct. This functionality is by design but the trust requirement for the remote host is not documented in the distribution. | ||||
| CVE-2026-5020 | 1 Totolink | 2 A3600r, A3600r Firmware | 2026-03-30 | 6.3 Medium |
| A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used. | ||||
| CVE-2026-5021 | 1 Tenda | 2 F453, F453 Firmware | 2026-03-30 | 8.8 High |
| A flaw has been found in Tenda F453 1.0.0.3. This affects the function fromPPTPUserSetting of the file /goform/PPTPUserSetting of the component httpd. This manipulation of the argument delno causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. | ||||
| CVE-2026-2602 | 2 Twentig, Wordpress | 2 Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio, Wordpress | 2026-03-30 | 6.4 Medium |
| The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-5023 | 1 Dedeveloper23 | 1 Codebase-mcp | 2026-03-30 | 5.3 Medium |
| A vulnerability has been found in DeDeveloper23 codebase-mcp up to 3ec749d237dd8eabbeef48657cf917275792fde6. This vulnerability affects the function getCodebase/getRemoteCodebase/saveCodebase of the file src/tools/codebase.ts of the component RepoMix Command Handler. Such manipulation leads to os command injection. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-5024 | 1 D-link | 1 Dir-513 | 2026-03-30 | 8.8 High |
| A vulnerability was found in D-Link DIR-513 1.10. This issue affects the function formSetEmail of the file /goform/formSetEmail. Performing a manipulation of the argument curTime results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2026-5030 | 1 Totolink | 2 Nr1800x, Nr1800x Firmware | 2026-03-30 | 6.3 Medium |
| A vulnerability has been found in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument host_time leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-5031 | 1 Bichitrogan | 1 Isp Billing Software | 2026-03-30 | 4.3 Medium |
| A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-5033 | 1 Code-projects | 1 Accounting System | 2026-03-30 | 7.3 High |
| A vulnerability was detected in code-projects Accounting System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_costumer.php of the component Parameter Handler. The manipulation of the argument cos_id results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | ||||
| CVE-2026-31788 | 1 Linux | 1 Linux Kernel | 2026-03-30 | 6.7 Medium |
| In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains. In case the guest is booted using secure boot, however, the privcmd driver would be enabling a root user process to modify e.g. kernel memory contents, thus breaking the secure boot feature. The only known case where an unprivileged domU is really needing to use the privcmd driver is the case when it is acting as the device model for another guest. In this case all hypercalls issued via the privcmd driver will target that other guest. Fortunately the privcmd driver can already be locked down to allow only hypercalls targeting a specific domain, but this mode can be activated from user land only today. The target domain can be obtained from Xenstore, so when not running in dom0 restrict the privcmd driver to that target domain from the beginning, resolving the potential problem of breaking secure boot. This is XSA-482 --- V2: - defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich) - wait in open() if target domain isn't known yet - issue message in case no target domain found (Jan Beulich) | ||||
| CVE-2026-5034 | 1 Code-projects | 1 Accounting System | 2026-03-30 | 7.3 High |
| A flaw has been found in code-projects Accounting System 1.0. Affected by this issue is some unknown functionality of the file /edit_costumer.php of the component Parameter Handler. This manipulation of the argument cos_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2026-5035 | 1 Code-projects | 1 Accounting System | 2026-03-30 | 7.3 High |
| A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /view_work.php of the component Parameter Handler. Such manipulation of the argument en_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-5036 | 1 Tenda | 1 4g06 | 2026-03-30 | 8.8 High |
| A vulnerability was found in Tenda 4G06 04.06.01.29. This vulnerability affects the function fromDhcpListClient of the file /goform/DhcpListClient of the component Endpoint. Performing a manipulation of the argument page results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-5037 | 1 Michaelrsweet | 1 Mxml | 2026-03-30 | 3.3 Low |
| A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue. | ||||
| CVE-2026-5041 | 1 Code-projects | 1 Chamber Of Commerce Membership Management System | 2026-03-30 | 4.7 Medium |
| A vulnerability was identified in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is the function fwrite of the file admin/pageMail.php. The manipulation of the argument mailSubject/mailMessage leads to command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-5042 | 1 Belkin | 2 F9k1122, F9k1122 Firmware | 2026-03-30 | 8.8 High |
| A security flaw has been discovered in Belkin F9K1122 1.00.33. The affected element is the function formCrossBandSwitch of the file /goform/formCrossBandSwitch of the component Parameter Handler. The manipulation of the argument webpage results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-5043 | 1 Belkin | 2 F9k1122, F9k1122 Firmware | 2026-03-30 | 8.8 High |
| A weakness has been identified in Belkin F9K1122 1.00.33. The impacted element is the function formSetPassword of the file /goform/formSetPassword of the component Parameter Handler. This manipulation of the argument webpage causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-5044 | 1 Belkin | 2 F9k1122, F9k1122 Firmware | 2026-03-30 | 8.8 High |
| A security vulnerability has been detected in Belkin F9K1122 1.00.33. This affects the function formSetSystemSettings of the file /goform/formSetSystemSettings of the component Setting Handler. Such manipulation of the argument webpage leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-32914 | 1 Openclaw | 1 Openclaw | 2026-03-30 | 8.8 High |
| OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /debug command handlers that allows command-authorized non-owners to access owner-only surfaces. Attackers with command authorization can read or modify privileged configuration settings restricted to owners by exploiting missing owner-level permission checks. | ||||
| CVE-2026-32915 | 1 Openclaw | 1 Openclaw | 2026-03-30 | 8.8 High |
| OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents to access the subagents control surface and resolve against parent requester scope instead of their own session tree. A low-privilege sandboxed leaf worker can steer or kill sibling runs and cause execution with broader tool policies by exploiting insufficient authorization checks on subagent control requests. | ||||