The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-20165 - In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the "admin" or "power" Splunk roles...
Published: March 11, 2026; 1:16:56 PM -0400
V3.1: 6.5 MEDIUM
-
CVE-2026-33202 - Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metach...
Published: March 23, 2026; 8:16:29 PM -0400
V3.1: 9.1 CRITICAL
-
CVE-2026-33295 - WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directl...
Published: March 22, 2026; 1:17:09 PM -0400
V3.1: 5.4 MEDIUM
-
CVE-2026-33296 - WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assi...
Published: March 22, 2026; 1:17:09 PM -0400
V3.1: 6.1 MEDIUM
-
CVE-2026-4678 - Use after free in WebGPU in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: March 23, 2026; 9:17:03 PM -0400
-
CVE-2026-4679 - Integer overflow in Fonts in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Published: March 23, 2026; 9:17:03 PM -0400
-
CVE-2026-4680 - Use after free in FedCM in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: March 23, 2026; 9:17:03 PM -0400
-
CVE-2026-33488 - WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who...
Published: March 23, 2026; 12:16:49 PM -0400
V3.1: 8.1 HIGH
-
CVE-2026-33492 - WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneratio...
Published: March 23, 2026; 12:16:49 PM -0400
-
CVE-2026-26128 - Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally.
Published: March 10, 2026; 2:18:41 PM -0400
V3.1: 7.8 HIGH
-
CVE-2026-26132 - Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
Published: March 10, 2026; 2:18:42 PM -0400
V3.1: 7.8 HIGH
-
CVE-2026-24299 - Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Published: March 19, 2026; 5:17:00 PM -0400
V3.1: 5.3 MEDIUM
-
CVE-2026-26137 - Server-side request forgery (SSRF) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network.
Published: March 19, 2026; 5:17:08 PM -0400
V3.1: 9.9 CRITICAL
-
CVE-2026-26138 - Server-side request forgery (SSRF) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
Published: March 19, 2026; 5:17:08 PM -0400
V3.1: 10.0 CRITICAL
-
CVE-2026-26139 - Server-side request forgery (SSRF) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
Published: March 19, 2026; 5:17:08 PM -0400
V3.1: 8.6 HIGH
-
CVE-2026-20164 - In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles...
Published: March 11, 2026; 1:16:56 PM -0400
-
CVE-2026-20163 - In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cm...
Published: March 11, 2026; 1:16:56 PM -0400
V3.1: 7.2 HIGH
-
CVE-2026-33502 - WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbit...
Published: March 23, 2026; 1:16:51 PM -0400
V3.1: 8.2 HIGH
-
CVE-2026-33507 - WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protectio...
Published: March 23, 2026; 1:16:51 PM -0400
-
CVE-2026-4673 - Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Published: March 23, 2026; 9:17:02 PM -0400