🔍 Search

Found 500 results for "cve"

Showing 481 - 500 of 500 results (limited to 500 results)

🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-31871

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.

EPSS: 0.0%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-31856

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.

EPSS: 0.0%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-31840

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.

EPSS: 0.1%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2025-70082

An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component

EPSS: 0.1%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2025-67041

An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges.

EPSS: 0.1%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2025-67038

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

EPSS: 0.1%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2025-67035

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An attacker can inject arbitrary commands in delete actions of various objects, such as server keys, users, and known hosts. Commands are executed with root privileges.

EPSS: 0.1%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-30741

A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.

EPSS: 0.3%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-28229

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with a Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.

EPSS: 0.0%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-3826

IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server.

EPSS: 0.3%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-2631

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registartion and to set the default role as Administrator.

EPSS: 0.1%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-27842

Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration.

EPSS: 0.1%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-24448

Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access.

EPSS: 0.1%
🔒 CVE CRITICAL CVSS: 9.8 March 11, 2026

CVE-2026-23813

A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls. In some cases this could enable resetting the admin password.

EPSS: 0.1%
🔒 CVE CRITICAL CVSS: 9.8 March 10, 2026

CVE-2026-0120

In modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

EPSS: 0.2%
🔒 CVE CRITICAL CVSS: 9.8 March 10, 2026

CVE-2026-0116

In __mfc_handle_released_buf of mfc_core_isr.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

EPSS: 0.2%
🔒 CVE CRITICAL CVSS: 9.8 March 10, 2026

CVE-2026-0114

In Modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

EPSS: 0.2%
🔒 CVE CRITICAL CVSS: 9.8 March 10, 2026

CVE-2026-0113

In ns_GetUserData of ns_SmscbUtilities.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

EPSS: 0.2%
🔒 CVE CRITICAL CVSS: 9.8 March 10, 2026

CVE-2026-0111

In ns_GetUserData of ns_SmscbUtilities.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

EPSS: 0.2%
🔒 CVE CRITICAL CVSS: 9.8 March 10, 2026

CVE-2026-0110

In MM_DATA_IND of cn_NrSmMsgHdlrFromMM.cpp, there is a possible EoP due to memory corruption. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

EPSS: 0.2%