CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

1361 matches found

OSV•added 2026/03/27 6:29 p.m.•2 views

CVE-2026-34385 Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user...

8.6CVSS6AI score0.00009EPSS

Exploits0References3

Cvelist•added 2026/03/27 6:29 p.m.•18 views

CVE-2026-34385 Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database

8.6CVSS0.00009EPSS

Exploits0References1

IBM Security Bulletins•added 2026/03/27 8:3 a.m.•5 views

Security Bulletin: Due to the use of hibernate-core. IBM webMethods BPM is vulnerable to a second-order SQL injection

Summary IBM webMethods BPM tool is dependant on hibernate-core which is affected by known vulnerability - CVE-2026-0603. Vulnerability Details CVEID:CVE-2026-0603 DESCRIPTION: A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection...

8.3CVSS6.1AI score0.00074EPSS

Exploits1Affected Software1

CNNVD•added 2026/03/27 12:0 a.m.•3 views

Fleet SQL注入漏洞

Fleet is an open-source device management platform developed by Fleet Device Management. It supports various operating systems and devices, and helps IT and security teams with device management, vulnerability reporting, and MDM operations. Versions of Fleet prior to 4.81.0 contained a SQL...

8.6CVSS5.8AI score0.00009EPSS

Exploits0References2

RedhatCVE•added 2026/03/26 3:10 p.m.•3 views

CVE-2026-32986

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

6.1CVSS5.7AI score0.00047EPSS

Exploits1References1

RedhatCVE•added 2026/03/26 3:8 p.m.•2 views

CVE-2026-33473

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue...

5.7CVSS5.8AI score0.00038EPSS

Exploits1References1

RedhatCVE•added 2026/03/26 3:3 p.m.•4 views

CVE-2026-29096

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report AORReports module, the fieldfunction parameter from POST data is saved directly into the aorfields table without any...

8.1CVSS6.1AI score0.00014EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:3 p.m.•3 views

CVE-2026-32246

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

8.5CVSS5.8AI score0.00049EPSS

Exploits1References1

RedhatCVE•added 2026/03/26 3:2 p.m.•2 views

CVE-2026-32813

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort...

8CVSS6AI score0.00041EPSS

Exploits1References1

SUSE CVE•added 2026/03/25 12:24 a.m.•4 views

SUSE CVE-2026-32246

8.5CVSS5.9AI score0.00049EPSS

Exploits1References3

CVE•added 2026/03/24 3:18 p.m.•7 views

CVE-2026-33473

Vikunja (Vikunja) TOTP reuse flaw: 2FA TOTPs can be accepted for multiple sessions if the same timestamped code is reused within the 30‑second window. Root cause is in the TOTP validation path (ValidateTOTPPasscode) which fetches the user’s TOTP secret and validates the provided code, allowing re...

5.7CVSS5.8AI score0.00038EPSS

Exploits1References3Affected Software1

OSV•added 2026/03/20 8:43 p.m.•1 views

GHSA-P747-QC5P-773R Vikunja has TOTP Reuse During Validity Window

Summary Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Details The below code is called when a user that has 2FA is authenticating to the application. Once they submit a valid username-password-totp combination, the user gets authenticated...

5.7CVSS5.9AI score0.00038EPSS

Exploits1References5

Cvelist•added 2026/03/20 3:42 p.m.•22 views

CVE-2026-32986 Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection

6.1CVSS0.00047EPSS

Exploits1References2

ATTACKERKB•added 2026/03/20 3:42 p.m.•2 views

CVE-2026-32986

6.1CVSS5.7AI score0.00047EPSS

Exploits1References2Affected Software1

OSV•added 2026/03/20 9:16 a.m.•5 views

UBUNTU-CVE-2026-23275

In the Linux kernel, the following vulnerability has been resolved: iouring: ensure ctx-rings is stable for task work flags manipulation If DEFERTASKRUN | SETUPTASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORINGSQTASKRUN to happen in the...

7.8CVSS5.7AI score0.00017EPSS

Exploits0References5

The Hacker News•added 2026/03/20 6:25 a.m.•5 views

DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

The U.S. Department of Justice DoJ on Thursday announced the disruption of command-and-control C2 infrastructure used by several Internet of Things IoT botnets like AISURU, Kimwolf, JackSkid, and Mossad as part of a court-authorized law enforcement operation. The effort also saw authorities from...

5.9AI score

Exploits0