CVSS3.1: 9.8

CVE-2026-22738 - SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression ke…

📅 Published: March 27, 2026, 5:21 a.m. 🔄 Last Modified: March 27, 2026, 5:21 a.m.

CVSS4.0: 5.1

CVE-2026-33559

WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user acces…

📅 Published: March 27, 2026, 4:56 a.m. 🔄 Last Modified: March 27, 2026, 4:56 a.m.

CVSS3.1: 5.9

CVE-2026-34353

In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed.

📅 Published: March 27, 2026, 4:55 a.m. 🔄 Last Modified: March 27, 2026, 5:03 a.m.

CVSS3.1: 6.5

CVE-2026-3098 - Smart Slider 3 <= 3.5.1.33 - Authenticated (Subscriber+) Arbitrary File Read via actionExportAll

The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the …

📅 Published: March 27, 2026, 3:37 a.m. 🔄 Last Modified: March 27, 2026, 3:37 a.m.

CVSS4.0: 6.9

CVE-2026-4910 - Shenzhen Ruiming Technology Streamax Crocus Endpoint RemoteFormat.do sql injection

A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus up to 1.3.44. Affected is an unknown function of the file /RemoteFormat.do of the component Endpoint. Such manipulation of the argument State leads to SQL injection. It is possible to launch the attack remotely.…

📅 Published: March 27, 2026, 3:01 a.m. 🔄 Last Modified: March 27, 2026, 4:16 a.m.

CVSS3.1: 8.4

CVE-2026-33747 - BuildKit vulnerable to malicious frontend causing file escape outside of storage root

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for th…

📅 Published: March 27, 2026, 12:49 a.m. 🔄 Last Modified: March 27, 2026, 1:16 a.m.

CVSS3.1: 7.4

CVE-2026-33745 - cpp-httplib Client Leaks Authentication Credentials to Untrusted Hosts on Cross-Origin HTTP Redirect

cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compro…

📅 Published: March 27, 2026, 12:46 a.m. 🔄 Last Modified: March 27, 2026, 1:16 a.m.

CVSS3.1: 7.8

CVE-2026-33744 - BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `sys…

📅 Published: March 27, 2026, 12:45 a.m. 🔄 Last Modified: March 27, 2026, 1:16 a.m.

CVSS4.0: 8.9

CVE-2026-33890 - MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requir…

📅 Published: March 27, 2026, 12:38 a.m. 🔄 Last Modified: March 27, 2026, 1:16 a.m.

CVSS4.0: 7.4

CVE-2026-33735 - MyTube has an Improper Access Control that Allows Complete Application Takeover

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a fu…

📅 Published: March 27, 2026, 12:36 a.m. 🔄 Last Modified: March 27, 2026, 1:16 a.m.