CVSS: 8.7 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-32268 – Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability
https://notcve.org/view.php?id=CVE-2026-32268
18 Mar 2026 — The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should... • https://github.com/craftcms/azure-blob/commit/cf69db45f393b3508a32f89ac8235554a2f026ff • CWE-862: Missing Authorization •
CVSS: 5.8 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-4366 – Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak
https://notcve.org/view.php?id=CVE-2026-4366
18 Mar 2026 — This issue may lead to information disclosure and enable attackers to map internal network infrastructure. • https://access.redhat.com/security/cve/CVE-2026-4366 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 2.4 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-32266 – Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2026-32266
18 Mar 2026 — The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue. • https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.9 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-32265 – Amazon S3 for Craft CMS has an Information Disclosure vulnerability
https://notcve.org/view.php?id=CVE-2026-32265
18 Mar 2026 — The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue. • https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.6 • EPSS: % • CPEs: 2 • EXPL: 0 • CVE-2026-30884 – mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key
https://notcve.org/view.php?id=CVE-2026-30884
18 Mar 2026 — The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. • https://github.com/mdjnelson/moodle-mod_customcert/commit/a1494a80fb953f187f7888a7394cbf9d13c28468 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.7 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-2092 – Keycloak-services: keycloak: unauthorized access via improper validation of encrypted saml assertions
https://notcve.org/view.php?id=CVE-2026-2092
18 Mar 2026 — This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure. • https://access.redhat.com/errata/RHSA-2026:3925 • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 6.5 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-1267 – IBM Planning Analytics Information Disclosure
https://notcve.org/view.php?id=CVE-2026-1267
17 Mar 2026 — IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow unauthorized access to sensitive application data and administrative functionalities due to a lack of proper access controls. • https://www.ibm.com/support/pages/node/7263581 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.7 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2025-14806 – IBM Planning Analytics Information Disclosure
https://notcve.org/view.php?id=CVE-2025-14806
17 Mar 2026 — IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an attacker to trick the caching mechanism into storing and serving sensitive, user-specific responses as publicly cacheable resources. • https://www.ibm.com/support/pages/node/7263581 • CWE-524: Use of Cache Containing Sensitive Information •
CVSS: 4.3 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-28506 – Outline's Information Disclosure in Activity Logs allows User Enumeration of Private Drafts
https://notcve.org/view.php?id=CVE-2026-28506
17 Mar 2026 — Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It allows any authenticated user to retrieve activity events associated with documents that have no collection (e.g., Private Drafts, Deleted Documents), regardless of the user's actual permissions on those documents. While the document content is not directly exposed, this vulnerability leaks sensitive metadata (... • https://github.com/outline/outline/security/advisories/GHSA-69x7-6fcr-mm6g • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-4324 – Rubygem-katello: katello: denial of service and potential information disclosure via sql injection
https://notcve.org/view.php?id=CVE-2026-4324
17 Mar 2026 — A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database. • https://access.redhat.com/security/cve/CVE-2026-4324 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
