Search
CVE Explorer
Search the full tracked CVE corpus across every vendor — by keyword, vendor, severity, CVSS band and publication date. Server-rendered; each filtered view has its own URL.
01
Filters
Submit to refine — state is held in the URL.
02
Results
81,352 matching · page 183/1628Each CVE id links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2026-26124(opens NVD record) | Medium | 6.7 | '.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. | Mar 5, 2026 |
| CVE-2026-26122(opens NVD record) | Medium | 6.5 | Initialization of a resource with an insecure default in Azure Compute Gallery allows an authorized attacker to disclose information over a network. | Mar 5, 2026 |
| CVE-2026-23651(opens NVD record) | Medium | 6.7 | Permissive regular expression in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. | Mar 5, 2026 |
| CVE-2026-21536(opens NVD record) | Critical | 9.8 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability | Mar 5, 2026 |
| CVE-2026-3047(opens NVD record) | High | 8.8 | A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions. | Mar 5, 2026 |
| CVE-2026-3009(opens NVD record) | High | 8.1 | A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. | Mar 5, 2026 |
| CVE-2026-29054(opens NVD record) | High | 7.5 | Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9. | Mar 5, 2026 |
| CVE-2026-26999(opens NVD record) | High | 7.5 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9. | Mar 5, 2026 |
| CVE-2025-45691(opens NVD record) | High | 7.5 | An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs. | Mar 5, 2026 |
| CVE-2026-30798(opens NVD record) | High | 7.5 | Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing modules) allows Protocol Manipulation. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines stop-service handler in heartbeat loop. This issue affects RustDesk Client: through 1.4.8. | Mar 5, 2026 |
| CVE-2026-30797(opens NVD record) | High | 8.1 | Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files flutter/lib/common.Dart and program routines importConfig() via URI handler. This issue affects RustDesk Client: through 1.4.5. | Mar 5, 2026 |
| CVE-2026-30796(opens NVD record) | High | 7.5 | Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Address book sync, Heartbeat sync loop modules) allows Sniffing Attacks. The client places the preset address-book password verbatim into the heartbeat sync JSON body (src/hbbs_http/sync.rs). Over an intact HTTPS session it is not exposed in transit, but it is a reusable shared secret rather than a zero-knowledge proof, so it is recovered by any party that becomes the API endpoint - under the automatic invalid-certificate TLS downgrade (CVE-2026-30794) or a re-homed/rogue API server (CVE-2026-30797) - and the leaked credential then authorizes the server-side address book. This vulnerability is associated with program files src/hbbs_http/sync.rs and program routines heartbeat sync body builder (emits preset-address-book-password). This issue affects RustDesk Client: through 1.4.8. | Mar 5, 2026 |
| CVE-2026-30795(opens NVD record) | High | 7.5 | Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop modules) allows Sniffing Attacks. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines Heartbeat JSON payload construction (preset-address-book-password). This issue affects RustDesk Client: through 1.4.5. | Mar 5, 2026 |
| CVE-2026-30793(opens NVD record) | Critical | 9.8 | Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart, src/flutter_ffi.Rs and program routines URI handler for rustdesk://password/, bind.MainSetPermanentPassword(). This issue affects RustDesk Client: through 1.4.5. | Mar 5, 2026 |
| CVE-2026-30792(opens NVD record) | High | 8.1 | A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options(). This issue affects RustDesk Client: through 1.4.8. | Mar 5, 2026 |
| CVE-2026-30789(opens NVD record) | Critical | 9.8 | Use of Password Hash With Insufficient Computational Effort, Improper Restriction of Excessive Authentication Attempts vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Password Brute Forcing. The authentication proof is SHA256(SHA256(password + salt) + challenge), where both the salt and the challenge are generated entirely by the server with no client-side nonce, and the hash uses no slow key-derivation function. A rogue or on-path API/relay server (see CVE-2026-30794 / CVE-2026-30797) can issue a chosen salt and challenge, capture the resulting proof, and recover the password offline. The capture-replay claim (CWE-294) is withdrawn: the challenge is regenerated per connection (challenge = Config::get_auto_password(6)), so a captured proof is not replayable against the legitimate server. The 1.4.7 OTP brute-force limiter and the existing LOGIN_FAILURES counter constrain only ONLINE attempts and do not address offline recovery. This vulnerability is associated with program files src/client.rs and program routines handle_hash(), handle_login_from_ui() (login proof construction). This issue affects RustDesk Client: through 1.4.8. | Mar 5, 2026 |
| CVE-2026-30785(opens NVD record) | Medium | 5.5 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk, hbb_common on Windows, MacOS, Linux (Password security module, config encryption, machine UID modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files hbb_common/src/password_security.Rs, hbb_common/src/config.Rs, hbb_common/src/lib.Rs (get_uuid), machine-uid/src/lib.Rs and program routines symmetric_crypt(), encrypt_str_or_original(), decrypt_str_or_original(), get_uuid(), get_machine_id(). This issue affects RustDesk Client: through 1.4.5. | Mar 5, 2026 |
| CVE-2026-30783(opens NVD record) | Critical | 9.8 | A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling. This issue affects RustDesk Client: through 1.4.8. | Mar 5, 2026 |
| CVE-2026-25048(opens NVD record) | High | 7.5 | xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32. | Mar 5, 2026 |
| CVE-2026-3598(opens NVD record) | High | 7.5 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routines Config export/generation routines. This issue affects RustDesk Server Pro: through 1.7.5. | Mar 5, 2026 |
| CVE-2026-30791(opens NVD record) | High | 7.5 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Config import, URI scheme handler, CLI --config modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files flutter/lib/common.Dart, hbb_common/src/config.Rs and program routines parseRustdeskUri(), importConfig(). This issue affects RustDesk Client: through 1.4.5. | Mar 5, 2026 |
| CVE-2025-69534(opens NVD record) | High | 7.5 | Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions. | Mar 5, 2026 |
| CVE-2026-1605(opens NVD record) | High | 7.5 | In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak. | Mar 5, 2026 |
| CVE-2026-28551(opens NVD record) | Medium | 4.7 | Race condition vulnerability in the device security management module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28549(opens NVD record) | Medium | 6.6 | Race condition vulnerability in the permission management service. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28548(opens NVD record) | High | 7.1 | Vulnerability of improper verification in the email application. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | Mar 5, 2026 |
| CVE-2026-28547(opens NVD record) | Medium | 6.8 | Vulnerability of uninitialized pointer access in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28546(opens NVD record) | Medium | 5.9 | Buffer overflow vulnerability in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28542(opens NVD record) | High | 7.3 | Permission bypass vulnerability in the system service framework. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28552(opens NVD record) | Medium | 6.5 | Out-of-bounds write vulnerability in the IMS module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28550(opens NVD record) | Medium | 4.0 | Race condition vulnerability in the security control module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28545(opens NVD record) | Medium | 5.9 | Race condition vulnerability in the printing module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28544(opens NVD record) | Medium | 6.2 | Race condition vulnerability in the printing module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28543(opens NVD record) | Medium | 4.4 | Race condition vulnerability in the maintenance and diagnostics module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28541(opens NVD record) | Medium | 4.0 | Permission control vulnerability in the cellular_data module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28540(opens NVD record) | Medium | 4.0 | Out-of-bounds character read vulnerability in Bluetooth. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | Mar 5, 2026 |
| CVE-2026-28539(opens NVD record) | Medium | 6.2 | Data processing vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | Mar 5, 2026 |
| CVE-2026-28538(opens NVD record) | Medium | 5.9 | Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2026-28537(opens NVD record) | Medium | 5.1 | Double free vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect availability. | Mar 5, 2026 |
| CVE-2025-66319(opens NVD record) | Low | 3.3 | Permission control vulnerability in the resource scheduling module. Impact: Successful exploitation of this vulnerability may affect service integrity. | Mar 5, 2026 |
| CVE-2026-28536(opens NVD record) | Critical | 9.6 | Authentication bypass vulnerability in the device authentication module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. | Mar 5, 2026 |
| CVE-2026-26034(opens NVD record) | High | 7.8 | UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Incorrect Default Permissions (CWE-276) vulnerability that allows an attacker to execute arbitrary code with SYSTEM privileges by causing the application to load a specially crafted DLL. | Mar 5, 2026 |
| CVE-2026-26033(opens NVD record) | Medium | 6.7 | UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Unquoted Search Path or Element (CWE-428) vulnerability, which allows a user with write access to a directory on the system drive to execute arbitrary code with SYSTEM privileges. | Mar 5, 2026 |
| CVE-2026-22052(opens NVD record) | Medium | 4.3 | ONTAP versions 9.12.1 and higher with S3 NAS buckets are susceptible to an information disclosure vulnerability. Successful exploit could allow an authenticated attacker to view a listing of the contents in a directory for which they lack permission. | Mar 5, 2026 |
| CVE-2026-29000(opens NVD record) | Critical | 9.1 | pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators. | Mar 4, 2026 |
| CVE-2026-3545(opens NVD record) | Critical | 9.6 | Insufficient data validation in Navigation in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | Mar 4, 2026 |
| CVE-2026-3544(opens NVD record) | High | 8.8 | Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | Mar 4, 2026 |
| CVE-2026-3543(opens NVD record) | High | 8.8 | Inappropriate implementation in V8 in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | Mar 4, 2026 |
| CVE-2026-3542(opens NVD record) | High | 8.8 | Inappropriate implementation in WebAssembly in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | Mar 4, 2026 |
| CVE-2026-3541(opens NVD record) | High | 8.8 | Inappropriate implementation in CSS in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) | Mar 4, 2026 |