CVE Vulnerabilities - 10 March 2026

658 vulnerabilities published on 10 March 2026

DeviceId.java in Android Devices: Privilege Escalation Risk
CVE-2025-48611
In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead to local escalation of privileg...
10.0
OneUptime Synthetic Monitors allow unauthorized command execution
GHSA-jw8q-gjvg-8w4q CVE-2026-30957
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticat...
9.9
OneUptime: Unauthorized access to other businesses' data
GHSA-r5v6-2599-9g3m CVE-2026-30956
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isola...
9.9
OneUptime Synthetic Monitors allow malicious code execution on probes
GHSA-4j36-39gm-8vq8 CVE-2026-30921
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users...
9.9
OneUptime: Untrusted Code Execution in Synthetic Monitors
GHSA-h343-gg57-2q67 CVE-2026-30887
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaS...
9.9
Linkdave Allows Unauthorized Access to Some Features
GHSA-xv8g-fj9h-6gmv
The `linkdave` server does not enforce authentication on its REST and WebSocket routes in versions prior to `0.1.5`. Impact: An attacker with net...
9.9
Out of Bounds Write Vulnerability in Modem Allows Remote Code Execution
CVE-2026-0120
In modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execut...
9.8
Adobe Flash Player: Missing Check Allows Remote Code Execution
CVE-2026-0116
In __mfc_handle_released_buf of mfc_core_isr.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code ...
9.8
Out of bounds write in Modem allows unauthorized code execution
CVE-2026-0114
In Modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execut...
9.8
Mozilla SMS Service Allows Unauthorized Access to Data
CVE-2026-0113
In ns_GetUserData of ns_SmscbUtilities.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalati...
9.8
Incorrect Bounds Check in Firefox SMS Library Allows Escalation of Privilege
CVE-2026-0111
In ns_GetUserData of ns_SmscbUtilities.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalati...
9.8
Microsoft Office may let attackers take control of your computer
CVE-2026-0110
In MM_DATA_IND of cn_NrSmMsgHdlrFromMM.cpp, there is a possible EoP due to memory corruption. This could lead to remote escalation of privilege with n...
9.8
simple-git: Malicious Git Commands Can Execute Code on Your Server
CVE-2026-28292 GHSA-r275-fr43-pm7q
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker...
9.8
Nefteprodukttekhnika BUK TS-G Gas Station Automation System on Linux vulnerable to unauthorized data access
CVE-2026-3843
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration...
9.3
Coral Server allows unauthorized message injection in sessions
CVE-2026-30968
Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1....
8.6
LimeSurvey Remote Code Execution Vulnerability
CVE-2025-56422
A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server....
9.8
[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]
CVE-2025-41709
[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]...
9.8
SiYuan: Unauthorized file access via path traversal in /export endpoint
GHSA-2h2p-mvfx-868w CVE-2026-30869
SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read a...
9.8
Tutor LMS Pro plugin: attackers can log in as any user
CVE-2026-0953
The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. ...
9.8
Apache HTTP Server Trust Manager Vulnerability: Mismatched Hostname
CLEANSTART-2026-ZV38826
Security vulnerability affects the trust-manager package. Within HostnameError....
9.8
Adobe Premiere Pro allows malicious code injection through trace files
CVE-2025-40943
Affected devices do not properly sanitize contents of trace files. This could allow an attacker to inject code through social engineering a legitimate...
9.4
Unauthorized Access to Devices in Other Organizations
CVE-2026-28806 EEF-CVE-2026-28806 GHSA-f8fr-mccc-xvcx
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update A...
9.4
Deutsche Telekom Portal: Hackers can change passwords and take over accounts
CVE-2025-69614
Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Af...
9.4
Feathers MongoDB Adapter Vulnerable to Data Exposure Through WebSocket
CVE-2026-29793 GHSA-p9xr-7p9p-gpqx
Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer per...
9.3
OAuth callback in Feathers allows unauthorized account takeover
CVE-2026-29792 GHSA-wg9x-qfgw-pxhj
An unauthenticated attacker can send a crafted GET request directly to `/oauth/:provider/callback` with a forged profile in the query string. The OAut...
9.3