Security Vulnerabilities
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
CVSS Score
9.1
EPSS Score
0.001
Published
2026-03-16
SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-16
A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
CVSS Score
9.8
EPSS Score
0.003
Published
2026-03-16
An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute
CVSS Score
7.5
EPSS Score
0.001
Published
2026-03-16
Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-03-16
A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality such as configuration changes, process monitoring, and IOCTL communication that should be restricted to trusted components. While this issue alone does not directly grant SYSTEM privileges, it breaks OpenEDR's trust model and enables further exploitation leading to full local privilege escalation.
CVSS Score
7.8
EPSS Score
0.0
Published
2026-03-16
A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.
CVSS Score
8.8
EPSS Score
0.0
Published
2026-03-16
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).. Mattermost Advisory ID: MMSA-2026-00585
CVSS Score
4.3
EPSS Score
0.0
Published
2026-03-16
Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Advisory ID: MMSA-2026-00583
CVSS Score
3.1
EPSS Score
0.001
Published
2026-03-16
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
CVSS Score
4.3
EPSS Score
0.0
Published
2026-03-16