Critical · CVSS 9.8
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.
Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
Published Mar 26, 2026 · Updated Mar 26, 2026
High · CVSS 7.8
Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.
Published Mar 31, 2017 · Updated Dec 4, 2025
Medium · CVSS 6.4
The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values.
Published Mar 14, 2015 · Updated Nov 3, 2025
Critical · CVSS 10
Hospira MedNet software version 5.8 and prior uses vulnerable versions of the JBoss Enterprise Application Platform software that may allow unauthenticated users to execute arbitrary code on the target system. Hospira has developed a new version of the MedNet software, MedNet 6.1. Existing versions of MedNet can be upgraded to MedNet 6.1.
Published Mar 26, 2019 · Updated Nov 3, 2025
Medium · CVSS 5.4 · CISA KEV
Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025.
Published Mar 19, 2014 · Updated Oct 22, 2025
High · CVSS 7.8 · CISA KEV
Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, as exploited in the wild in March 2014.
Published Mar 24, 2014 · Updated Oct 22, 2025
Critical · CVSS 9.8 · CISA KEV
fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 allows remote attackers to cause an arbitrary memory write and memory corruption.
Published Mar 31, 2017 · Updated Oct 21, 2025
High · CVSS 8.3
Stack-based buffer overflow in BKBCopyD.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.
Published Mar 14, 2014 · Updated Sep 25, 2025
Critical · CVSS 9
Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.
Published Mar 14, 2014 · Updated Sep 25, 2025
Critical · CVSS 9.3
Heap-based buffer overflow in BKCLogSvr.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via crafted UDP packets.
Published Mar 14, 2014 · Updated Sep 25, 2025
Medium · CVSS 6.8
The PLC driver in ServerMain.exe in the Kepware KepServerEX 4 component in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R2 build 71.4165, 2010 R2.1 build 71.4325, 2010 R3 build 72.4560, 2010 R3.1 build 72.4644, 2013 R1 build 73.4729, 2013 R1.1 build 73.4832, 2013 R1.1a build 73.4903, 2013 R1.2 build 73.4955, and 2013 R2 build 74.5094 allows remote attackers to cause a denial of service (application crash) via a crafted OPF file (aka project file).
Published Mar 14, 2014 · Updated Sep 24, 2025
Medium · CVSS 4
A vulnerability was found in Media Downloader Plugin 0.1.992 on WordPress. It has been declared as problematic. This vulnerability affects the function dl_file_resumable of the file getfile.php. The manipulation of the argument file leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.1.993 is able to address this issue. The patch is identified as 77beb720c682b9300035ab5f96eee225181d8a92. It is recommended to upgrade the affected component. VDB-222262 is the identifier assigned to this vulnerability.
Published Mar 4, 2023 · Updated Mar 5, 2025
Medium · CVSS 5.8
A vulnerability has been found in codepeople cp-polls Plugin 1.0.1 on WordPress and classified as critical. This vulnerability affects unknown code of the file cp-admin-int-message-list.inc.php. The manipulation of the argument lu leads to sql injection. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. The name of the patch is 6d7168cbf12d1c183bacc5cd5678f6f5b0d518d2. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222268.
Published Mar 4, 2023 · Updated Mar 5, 2025
Medium · CVSS 4
A vulnerability was found in MaxButtons Plugin up to 1.26.0 on WordPress and classified as problematic. This issue affects the function maxbuttons_strip_px of the file includes/maxbuttons-button.php. The manipulation of the argument button_id leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 1.26.1 is able to address this issue. The patch is named e74564c9e3b7429808e317f4916bd1c26ef0b806. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222323.
Published Mar 5, 2023 · Updated Mar 5, 2025
Unknown · CVSS Not scored
The Grails Resource Plugin often has to exchange URIs for resources with other internal components. Those other components will decode any URI passed to them. To protect against directory traversal the Grails Resource Plugin did the following: normalized the URI, checked the normalized URI did not step outside the appropriate root directory (e.g. the web application root), decoded the URI and checked that this did not introduce additional /../ (and similar) sequences. A bug was introduced where the Grails Resource Plugin before 1.2.13 returned the decoded version of the URI rather than the normalized version of the URI after the directory traversal check. This exposed a double decoding vulnerability. To address this issue, the Grails Resource Plugin now repeatedly decodes the URI up to three times or until decoding no longer changes the URI. If the decode limit of 3 is exceeded the URI is rejected. A side-effect of this is that the Grails Resource Plugin is unable to serve a resource that includes a '%' character in the full path to the resource. Not all environments are vulnerable because of the differences in URL resolving in different servlet containers. Applications deployed to Tomcat 8 and Jetty 9 were found not not be vulnerable, however applications deployed to JBoss EAP 6.3 / JBoss AS 7.4 and JBoss AS 7.1 were found to be vulnerable (other JBoss versions weren't tested). In certain cases JBoss returns JBoss specific vfs protocol urls from URL resolution methods (ClassLoader.getResources). The JBoss vfs URL protocol supports resolving any file on the filesystem. This made the directory traversal possible. There may be other containers, in addition to JBoss, on which this vulnerability is exposed.
Published Mar 19, 2018 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the login audit form in McAfee Cloud Single Sign On (SSO) allows remote attackers to inject arbitrary web script or HTML via a crafted password.
Published Mar 23, 2014 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in ajax_udf.php in OpenDocMan before 1.2.7.2 allows remote attackers to execute arbitrary SQL commands via the table parameter. NOTE: some of these details are obtained from third party information.
Published Mar 7, 2014 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors.
Published Mar 7, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local filesystem in the user's ownCloud via the mount configuration.
Published Mar 23, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.
Published Mar 5, 2015 · Updated Sep 16, 2024
Unknown · CVSS Not scored
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.
Published Mar 11, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session.
Published Mar 2, 2014 · Updated Sep 16, 2024
Medium · CVSS 4
A vulnerability has been found in wp-file-upload Plugin up to 2.4.3 on WordPress and classified as problematic. Affected by this vulnerability is the function wfu_ajax_action_callback of the file lib/wfu_ajaxactions.php. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 2.4.4 is able to address this issue. The identifier of the patch is c846327df030a0a97da036a2f07c769ab9284ddb. It is recommended to upgrade the affected component. The identifier VDB-258781 was assigned to this vulnerability.
Published Mar 31, 2024 · Updated Aug 6, 2024
Medium · CVSS 4.3
A vulnerability has been found in Ad Blocking Detector Plugin up to 1.2.1 on WordPress and classified as problematic. This vulnerability affects unknown code of the file ad-blocking-detector.php. The manipulation leads to information disclosure. The attack can be initiated remotely. Upgrading to version 1.2.2 is able to address this issue. The patch is identified as 3312b9cd79e5710d1e282fc9216a4e5ab31b3d94. It is recommended to upgrade the affected component. VDB-222610 is the identifier assigned to this vulnerability.
Published Mar 10, 2023 · Updated Aug 6, 2024
Unknown · CVSS Not scored
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
Published Mar 20, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.
Published Mar 21, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Unauthorized execution of binary vulnerability in McAfee (now Intel Security) McAfee Application Control (MAC) 6.0.0 before hotfix 9726, 6.0.1 before hotfix 9068, 6.1.0 before hotfix 692, 6.1.1 before hotfix 399, 6.1.2 before hotfix 426, and 6.1.3 before hotfix 357 and earlier allows attackers to create a malformed Windows binary that is considered non-executable and is not protected through the whitelisting protection feature via a specific set of circumstances.
Published Mar 14, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Information disclosure vulnerability in McAfee (now Intel Security) Cloud Analysis and Deconstructive Services (CADS) 1.0.0.3x, 1.0.0.4d and earlier allows remote unauthenticated users to view, add, and remove users via a configuration error.
Published Mar 14, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Off-by-one error in ImageMagick before 6.6.0-4 allows remote attackers to cause a denial of service (application crash) via a crafted 8BIM profile.
Published Mar 23, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
vision.c in ImageMagick allows remote attackers to cause a denial of service (infinite loop) via vectors related to "too many object."
Published Mar 30, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI.
Published Mar 31, 2015 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Buffer overflow in the ReadRLEImage function in coders/rle.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact.
Published Mar 20, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Heap-based buffer overflow in ImageMagick allows remote attackers to have unspecified impact via a crafted psd file, a different vulnerability than CVE-2014-9824.
Published Mar 30, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
distribute-cache.c in ImageMagick re-uses objects after they have been destroyed, which allows remote attackers to have unspecified impact via unspecified vectors.
Published Mar 17, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Heap overflow in ImageMagick 6.8.9-9 via a crafted pict file.
Published Mar 22, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted palm file.
Published Mar 22, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The xwd file handler in ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a malformed xwd file.
Published Mar 30, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.
Published Mar 30, 2015 · Updated Aug 6, 2024
Unknown · CVSS Not scored
pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to optimize nested alternatives, which allows remote attackers to cause a denial of service (stack memory corruption) or possibly have unspecified other impact via a crafted string, as demonstrated by packets encountered by Suricata during use of a regular expression in an Emerging Threats Open ruleset.
Published Mar 28, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
ImageMagick allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted viff file.
Published Mar 30, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted dpc image.
Published Mar 30, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.
Published Mar 3, 2015 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The png coder in ImageMagick allows remote attackers to cause a denial of service (crash).
Published Mar 20, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The dpx file handler in ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a malformed dpx file.
Published Mar 30, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
magick/colormap-private.h in ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds access).
Published Mar 22, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted xwd image.
Published Mar 30, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
ImageMagick allows remote attackers to cause a denial of service (file descriptor consumption) via a crafted file.
Published Mar 30, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The DecodePSDPixels function in coders/psd.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact via unknown vectors.
Published Mar 20, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Logic error in ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (resource consumption).
Published Mar 20, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Heap-based buffer overflow in ImageMagick allows remote attackers to have unspecified impact via a crafted psd file, a different vulnerability than CVE-2014-9825.
Published Mar 30, 2017 · Updated Aug 6, 2024