Total
1323 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28678 | 2026-03-07 | 8.1 High | ||
| DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba. | ||||
| CVE-2023-2881 | 1 Pimcore | 1 Customer Management Framework | 2026-03-06 | 4.9 Medium |
| Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10. | ||||
| CVE-2026-27777 | 2026-03-06 | 6.5 Medium | ||
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2026-27027 | 2026-03-06 | 6.5 Medium | ||
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2026-29128 | 1 International Datacasting Corporation | 1 Sfx2100 Satellite Receiver | 2026-03-06 | N/A |
| IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g., zebra, bgpd, ospfd, and ripd) that are owned by root but world-readable. The configuration files (e.g., zebra.conf, bgpd.conf, ospfd.conf, ripd.conf) contain hardcoded or otherwise insecure plaintext passwords (including “enable”/privileged-mode credentials). A remote actor is able to abuse the reuse/hardcoded nature of these credentials to further access other systems in the network, gain a foothold on the satellite receiver or potentially locally privilege escalate. | ||||
| CVE-2026-27770 | 1 Epower | 1 Epower.ie | 2026-03-06 | 6.5 Medium |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2026-28714 | 1 Acronis | 1 Acronis Cyber Protect 17 | 2026-03-06 | N/A |
| Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | ||||
| CVE-2021-22681 | 1 Rockwellautomation | 20 Compact Guardlogix 5370, Compact Guardlogix 5380, Compactlogix 1768 and 17 more | 2026-03-06 | 9.8 Critical |
| Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. | ||||
| CVE-2026-27773 | 2 Switch Ev, Swtchenergy | 2 Swtchenergy.com, Swtchenergy.com | 2026-03-05 | 6.5 Medium |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2026-25774 | 2 Ev.energy, Ev Energy | 2 Ev.energy, Ev.energy | 2026-03-05 | 6.5 Medium |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2026-22890 | 1 Ev2go | 1 Ev2go.io | 2026-03-05 | 6.5 Medium |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2026-22878 | 1 Mobility46 | 1 Mobility46.se | 2026-03-05 | 6.5 Medium |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2026-20791 | 1 Chargemap | 1 Chargemap.com | 2026-03-05 | 6.5 Medium |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2026-20733 | 1 Cloudcharge | 1 Cloudcharge.se | 2026-03-05 | 6.5 Medium |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | ||||
| CVE-2025-15113 | 2 Ksenia Security, Kseniasecurity | 3 Lares 4.0 Home Automation, Lares, Lares Firmware | 2026-03-05 | 8.4 High |
| Ksenia Security lares (legacy model) Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server. | ||||
| CVE-2026-27167 | 2 Gradio-app, Gradio Project | 2 Gradio, Gradio | 2026-03-05 | 0 Low |
| Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue. | ||||
| CVE-2020-37097 | 1 Edimax | 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware | 2026-03-05 | 7.5 High |
| Edimax EW-7438RPn 1.13 contains an information disclosure vulnerability that exposes WiFi network configuration details through the wlencrypt_wiz.asp file. Attackers can access the script to retrieve sensitive information including WiFi network name and plaintext password stored in device configuration variables. | ||||
| CVE-2020-36968 | 1 Tildeslash | 2 M\/monit, Monit | 2026-03-05 | 6.5 Medium |
| M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users. | ||||
| CVE-2026-20435 | 6 Google, Linuxfoundation, Mediatek and 3 more | 40 Android, Yocto, Mt2737 and 37 more | 2026-03-04 | 4.6 Medium |
| In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118. | ||||
| CVE-2026-0689 | 1 Extremenetworks | 1 Extremecloud Iq - Site Engine | 2026-03-03 | N/A |
| In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure. | ||||