Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In March 2026
GitLab has remediated an issue in GitLab EE affecting all versions from 18.1 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user to gain unauthorized access to resources due to improper caching of authorization decisions.
CVSS Score
3.7
EPSS Score
0.001
Published
2026-03-25
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()
CVSS Score
9.8
EPSS Score
0.025
Published
2026-03-25
Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch.
CVSS Score
8.8
EPSS Score
0.01
Published
2026-03-25
In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.
CVSS Score
9.8
EPSS Score
0.005
Published
2026-03-25
In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability.
CVSS Score
9.8
EPSS Score
0.005
Published
2026-03-25
In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful API results in remote code execution.
CVSS Score
9.0
EPSS Score
0.003
Published
2026-03-25
A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls[0][message_ids][]' parameter in '/supportboard/include/ajax.php' endpoint.
CVSS Score
8.7
EPSS Score
0.002
Published
2026-03-25
A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
CVSS Score
4.8
EPSS Score
0.001
Published
2026-03-25
Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
CVSS Score
6.5
EPSS Score
0.006
Published
2026-03-25
A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
CVSS Score
5.4
EPSS Score
0.004
Published
2026-03-25


Contact Us

Shodan ® - All rights reserved