Total
272 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3991 | 1 Broadcom | 1 Data Loss Prevention | 2026-04-03 | 7.8 High |
| Symantec Data Loss Prevention Windows Endpoint, prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | ||||
| CVE-2026-34442 | 2 Freescout, Freescout Helpdesk | 2 Freescout, Freescout | 2026-04-02 | 5.4 Medium |
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the application constructs links and assets using the unvalidated Host header, user requests can be redirected to attacker-controlled domains and external resources may be loaded from malicious servers. This issue has been patched in version 1.8.211. | ||||
| CVE-2026-32920 | 1 Openclaw | 1 Openclaw | 2026-04-02 | 8.4 High |
| OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute when users run OpenClaw from the directory. | ||||
| CVE-2025-39507 | 1 Nasatheme | 1 Nasa Core | 2026-04-01 | 8.8 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core nasa-core allows PHP Local File Inclusion.This issue affects Nasa Core: from n/a through < 6.4.4. | ||||
| CVE-2024-56216 | 1 Themify | 1 Builder | 2026-04-01 | 6.5 Medium |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themifyme Themify Builder themify-builder allows PHP Local File Inclusion.This issue affects Themify Builder: from n/a through <= 7.6.3. | ||||
| CVE-2024-50497 | 1 Buynowdepot | 1 Advanced Online Ordering And Delivery Platform | 2026-04-01 | 9.8 Critical |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wdesco Advanced Online Ordering and Delivery Platform advanced-online-ordering-and-delivery-platform allows PHP Local File Inclusion.This issue affects Advanced Online Ordering and Delivery Platform: from n/a through <= 2.0.0. | ||||
| CVE-2024-49649 | 1 Buildapp | 1 Build App Online | 2026-04-01 | 9.8 Critical |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23. | ||||
| CVE-2024-49243 | 2 Jon Vincent Mendoza, Jonvincentmendoza | 2 Dynamic Elementor Addons, Dynamic Elementor Addons | 2026-04-01 | 8.8 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ramjon27 Dynamic Elementor Addons dynamic-elementor-addons allows PHP Local File Inclusion.This issue affects Dynamic Elementor Addons: from n/a through <= 1.0.0. | ||||
| CVE-2024-35650 | 1 Melapress | 1 Melapress Login Security | 2026-04-01 | 7.2 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Melapress MelaPress Login Security melapress-login-security.This issue affects MelaPress Login Security: from n/a through <= 1.3.0. | ||||
| CVE-2025-55273 | 2 Hcl, Hcltech | 2 Aftermarket Dpc, Aftermarket Cloud | 2026-03-27 | 4.3 Medium |
| HCL Aftermarket DPC is affected by Cross Domain Script Include vulnerability where an attacker using external scripts can tamper with the DOM, altering the content or behavior of the application. Malicious scripts can steal cookies or session tokens, leading to session hijacking. | ||||
| CVE-2026-22217 | 1 Openclaw | 1 Openclaw | 2026-03-25 | 6.1 Medium |
| OpenClaw version 2026.2.22 prior to 2026.2.23 contain an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL environment variable on systems with writable trusted-prefix directories such as /opt/homebrew/bin to execute arbitrary binaries in the OpenClaw process context. | ||||
| CVE-2026-33075 | 2 Fastgpt, Labring | 2 Fastgpt, Fastgpt | 2026-03-25 | 8.8 High |
| FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication. | ||||
| CVE-2026-4295 | 1 Aws | 1 Kiro Ide | 2026-03-24 | 7.8 High |
| Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or higher. | ||||
| CVE-2026-28500 | 2 Linuxfoundation, Onnx | 2 Onnx, Onnx | 2026-03-24 | 8.6 High |
| Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available. | ||||
| CVE-2026-4255 | 1 Thermalright | 1 Tr-vision Home | 2026-03-24 | N/A |
| A DLL search order hijacking vulnerability in Thermalright TR-VISION HOME on Windows (64-bit) allows a local attacker to escalate privileges via DLL side-loading. The application loads certain dynamic-link library (DLL) dependencies using the default Windows search order, which includes directories that may be writable by non-privileged users.\n\n\n\nBecause these directories can be modified by unprivileged users, an attacker can place a malicious DLL with the same name as a legitimate dependency in a directory that is searched before trusted system locations. When the application is executed, which is always with administrative privileges, the malicious DLL is loaded instead of the legitimate library.\n\n\n\nThe application does not enforce restrictions on DLL loading locations and does not verify the integrity or digital signature of loaded libraries. As a result, attacker-controlled code may be executed within the security context of the application, allowing arbitrary code execution with elevated privileges.\n\n\n\nSuccessful exploitation requires that an attacker place a crafted malicious DLL in a user-writable directory that is included in the application's DLL search path and then cause the affected application to be executed. Once loaded, the malicious DLL runs with the same privileges as the application.\n\n\n\nThis issue affects \nTR-VISION HOME versions up to and including 2.0.5. | ||||
| CVE-2025-70046 | 1 Miazzy | 2 Oa-font-service, Oa Front Service | 2026-03-13 | 9.8 Critical |
| An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master. | ||||
| CVE-2026-1699 | 1 Eclipse | 2 Theia, Theia Website | 2026-03-10 | 10 Critical |
| In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository. | ||||
| CVE-2025-20236 | 1 Cisco | 1 Webex Teams | 2026-02-26 | 8.8 High |
| A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user. This vulnerability is due to insufficient input validation when Cisco Webex App processes a meeting invite link. An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the targeted user. | ||||
| CVE-2025-32463 | 6 Canonical, Debian, Opensuse and 3 more | 8 Ubuntu Linux, Debian Linux, Leap and 5 more | 2026-02-26 | 9.3 Critical |
| Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option. | ||||
| CVE-2025-57729 | 1 Jetbrains | 1 Intellij Idea | 2026-02-26 | 6.5 Medium |
| In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start | ||||