
CVE Vulnerabilities - 2 March 2026


248 vulnerabilities published on 2 March 2026

WordPress Plugin Vulnerability Allows Malicious Code Injection
BELL-CVE-2026-28419
6.6
GitLab Login and Authorization Issue Affects Security
GHSA-5r3p-6rj5-7937
Impact: GitLab login allows login by any user; the JWT auth token can be derived as long as the server isn't rebooted; developers can assign issu...
6.6
SourceCodester Pharmacy Product Management System Can Lose Session Data
CVE-2026-3401
A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation cau...
2.3
ModelScope MS-Agent: OS command injection allows arbitrary command execution
CVE-2026-2256 GHSA-4gc2-344q-r2rw
A Command Injection vulnerability in ModelScope's MS-Agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating ...
6.5
NocoDB: Attacker Keeps Access After Password Reset
CVE-2026-28396 GHSA-x4vh-j75g-268g
Summary: The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue mi...
4.9
Bluetooth LE security module (btm_ble_sec.cc): invalid error handling can leave communication unencrypted
CVE-2024-43766
In multiple functions of btm_ble_sec.cc, there is a possible unencrypted communication due to Invalid error handling. This could lead to remote (proxi...
6.5
ZimaOS: Internal Network Access via Authenticated Local User Request
CVE-2025-64427
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validat...
6.5
Transient DoS when the MAC configures a config ID above the supported maximum
CVE-2025-47384
Transient DOS when MAC configures config id greater than supported maximum value....
6.5
LTE UE transient DoS on receiving an RLC packet with an invalid TB
CVE-2025-47371
Transient DOS when an LTE RLC packet with invalid TB is received by UE....
6.5
Open Babel CDXML file handler: vulnerability in OBAtom::GetExplicitValence (atom.cpp)
CVE-2026-3408
A vulnerability was identified in Open Babel up to 3.1.1. This impacts the function OBAtom::GetExplicitValence of the file isrc/atom.cpp of the compon...
5.3
Blocksy theme for WordPress: stored XSS via blocksy_meta metadata fields
CVE-2026-2583
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and includi...
6.4
OpenClaw allows attackers to bypass approval and run malicious commands
GHSA-6j27-pc5c-m8w8
Summary: In `openclaw` npm releases up to and including `2026.2.21-2`, approving wrapped `system.run` commands with `allow-always` in `security=all...
6.4
MAE: out-of-bounds write via race condition enables local privilege escalation
CVE-2026-20438
In MAE, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege if a malicious actor has alr...
6.4
NocoDB MCP token service lacks ownership check: a Creator in the same base can read, regenerate or delete other users' tokens
CVE-2026-28361 GHSA-p9x3-w98f-7j3q
Summary: The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another use...
4.9
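Both NocoDB entries on this page (CVE-2026-28396, refresh tokens that survive a password reset, and CVE-2026-28361, MCP tokens with no ownership check) come down to a token store that does not tie tokens to the credential state that issued them or to the user who owns them. The following Python is an added illustration written for this page; it is not NocoDB's code (NocoDB is a Node.js project, and its real tables, routes and hashing are not reproduced here). An in-memory AuthService issues refresh tokens stamped with a per-user session version that a password reset bumps, and its MCP-token operations refuse any token the caller does not own. Every name, the SHA-256 stand-in for password hashing, and the sample users are assumptions made for the demo.

```python
import hashlib
import secrets

# In-memory stand-in for a user/token database (constructed for this demo).
# Plain SHA-256 keeps the example short; a real service uses argon2/bcrypt/scrypt.


def _hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


class AuthService:
    def __init__(self) -> None:
        self.users = {}           # user_id -> {"pw_hash": str, "session_version": int}
        self.refresh_tokens = {}  # opaque refresh token -> (user_id, session_version at issue)
        self.mcp_tokens = {}      # token_id -> {"owner": user_id, "secret": str}

    # ---- accounts and refresh tokens -------------------------------------
    def create_user(self, user_id: str, password: str) -> None:
        self.users[user_id] = {"pw_hash": _hash_password(password), "session_version": 0}

    def login(self, user_id: str, password: str) -> str:
        user = self.users[user_id]
        if not secrets.compare_digest(user["pw_hash"], _hash_password(password)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = (user_id, user["session_version"])
        return token

    def refresh(self, token: str):
        """Exchange a refresh token for an access token; None if it is unknown or revoked."""
        entry = self.refresh_tokens.get(token)
        if entry is None:
            return None
        user_id, issued_version = entry
        if issued_version != self.users[user_id]["session_version"]:
            del self.refresh_tokens[token]   # issued before the last credential change
            return None
        return f"access:{user_id}:{secrets.token_hex(8)}"

    def reset_password_vulnerable(self, user_id: str, new_password: str) -> None:
        """The flawed flow: the hash changes, but every earlier refresh token stays valid."""
        self.users[user_id]["pw_hash"] = _hash_password(new_password)

    def reset_password(self, user_id: str, new_password: str) -> None:
        """Fixed flow: bumping session_version revokes every refresh token issued before it."""
        user = self.users[user_id]
        user["pw_hash"] = _hash_password(new_password)
        user["session_version"] += 1

    # ---- MCP tokens with an ownership check -------------------------------
    def create_mcp_token(self, owner: str) -> str:
        token_id = secrets.token_hex(8)
        self.mcp_tokens[token_id] = {"owner": owner, "secret": secrets.token_urlsafe(32)}
        return token_id

    def _owned_by(self, token_id: str, actor: str) -> dict:
        entry = self.mcp_tokens.get(token_id)
        # Same error whether the token is missing or belongs to someone else, so a
        # co-worker in the same base cannot enumerate other users' token ids.
        if entry is None or entry["owner"] != actor:
            raise PermissionError("no such token for this user")
        return entry

    def read_mcp_token(self, token_id: str, actor: str) -> str:
        return self._owned_by(token_id, actor)["secret"]

    def regenerate_mcp_token(self, token_id: str, actor: str) -> str:
        entry = self._owned_by(token_id, actor)
        entry["secret"] = secrets.token_urlsafe(32)
        return entry["secret"]

    def delete_mcp_token(self, token_id: str, actor: str) -> None:
        self._owned_by(token_id, actor)
        del self.mcp_tokens[token_id]


def stolen_refresh_token_scenario() -> tuple:
    """Return (survives_vulnerable_reset, revoked_by_fixed_reset) for a stolen token."""
    svc = AuthService()
    svc.create_user("alice", "hunter2")
    stolen = svc.login("alice", "hunter2")           # attacker copies this token
    svc.reset_password_vulnerable("alice", "first-reset")
    survives = svc.refresh(stolen) is not None       # still mints access tokens
    svc.reset_password("alice", "second-reset")
    revoked = svc.refresh(stolen) is None            # fixed flow rejects it
    return survives, revoked


def cross_user_mcp_access_denied() -> bool:
    """Bob (a Creator in the same base) tries to read/regenerate/delete Alice's MCP token."""
    svc = AuthService()
    alice_token = svc.create_mcp_token("alice")
    denied = 0
    for op in (svc.read_mcp_token, svc.regenerate_mcp_token, svc.delete_mcp_token):
        try:
            op(alice_token, "bob")
        except PermissionError:
            denied += 1
    return denied == 3 and alice_token in svc.mcp_tokens


if __name__ == "__main__":
    print(stolen_refresh_token_scenario())   # (True, True)
    print(cross_user_mcp_access_denied())    # True
```

The session-version stamp works even when refresh tokens are stored in several places, because validation compares against the user's current version rather than relying on every copy having been deleted; a store that also deletes the rows eagerly is fine, but the version check is what guarantees revocation.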
Dataease SQLBot: Unsecured Access to API Endpoint
CVE-2025-15597
A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of th...
5.3
Android Keyguard App Bypass Allows Limited Interaction with Other Apps
CVE-2026-0005
In onServiceDisconnected of KeyguardServiceDelegate.java, there is a possible partial bypass of app pinning allowing limited interaction with other ap...
6.2
lxml-html-clean allows attackers to hijack relative links
GHSA-xvp8-3mhv-424c CVE-2026-28350
Summary: The `<base>` tag passes through the default `Cleaner` configuration. While `page_structure=True` removes `html`, `head`, and `title` tags,...
6.1
lxml-html-clean allows malicious CSS loading in older browsers
GHSA-hw26-mmpg-fqfg CVE-2026-28348
Summary: The `_has_sneaky_javascript()` method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequen...
6.1
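Added example for the CSS escape bypass in the entry above (CVE-2026-28348); this is illustration code written for this page, not lxml-html-clean's own implementation. naive_has_sneaky_css reproduces the described pattern (delete backslashes, then substring-match keywords), which catches `expre\ssion` but misses `e\78pression` because a browser decodes `\78` to `x`. has_sneaky_css instead resolves CSS escapes the way a CSS tokenizer does (1 to 6 hex digits plus an optional trailing whitespace character, or a single escaped character) before matching. The keyword list and the sample style strings are assumptions constructed for the demo.

```python
import re

# Keyword list is an assumption for this demo; lxml-html-clean's own list differs.
DANGEROUS_CSS_KEYWORDS = ("expression", "javascript:", "vbscript:", "behavior", "@import", "url(")

# One CSS escape: a backslash followed by 1-6 hex digits and an optional single
# whitespace character, or a backslash followed by any other single character.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))", re.DOTALL)


def naive_has_sneaky_css(style: str) -> bool:
    """The vulnerable pattern: delete every backslash, then substring-match keywords."""
    flat = style.replace("\\", "").lower()
    return any(keyword in flat for keyword in DANGEROUS_CSS_KEYWORDS)


def decode_css_escapes(value: str) -> str:
    """Resolve CSS escapes to the characters a browser's CSS tokenizer would see."""
    def _one(match: re.Match) -> str:
        hexdigits, literal = match.group(1), match.group(2)
        if hexdigits is None:
            return literal               # "\\s" -> "s", "\\(" -> "("
        codepoint = int(hexdigits, 16)
        if codepoint == 0 or codepoint > 0x10FFFF or 0xD800 <= codepoint <= 0xDFFF:
            return "\ufffd"              # CSS maps NUL, surrogates and out-of-range to U+FFFD
        return chr(codepoint)
    return _CSS_ESCAPE.sub(_one, value)


def has_sneaky_css(style: str) -> bool:
    """Hardened check: decode escapes first, then match on what the browser would run."""
    flat = decode_css_escapes(style).lower()
    return any(keyword in flat for keyword in DANGEROUS_CSS_KEYWORDS)


# Constructed samples for the demo, not taken from any real page or advisory.
SAMPLES = {
    "plain keyword":      r"width: expression(alert(1))",
    "backslash padding":  r"width: expre\ssion(alert(1))",
    "hex escape":         r"width: e\78pression(alert(1))",
    "hex escape + space": r"width: \65 xpression(alert(1))",
    "benign":             r"color: #ff0000; width: 10px",
}


def compare_checks() -> dict:
    """Return {sample name: (naive verdict, hardened verdict)} for every sample."""
    return {name: (naive_has_sneaky_css(css), has_sneaky_css(css)) for name, css in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_checks().items():
        print(f"{name:20s} naive={naive!s:5s} hardened={hardened}")
```

The two hex-escape samples are the ones the naive check misses: after the backslash is removed they read `e78pression` and `65 xpression`, neither of which contains the keyword, while the decoded form of both is `expression`. Decoding before matching is the general fix; stripping characters before a check only works when stripping is exactly what the consumer does too.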
Wethink Technology 720yun pano-sdk 0.5.877: cross-site scripting allows remote script execution
CVE-2025-66880
Cross Site Scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5.877 allows a remote attacker to execute arbitrary code via the LoginC...
6.1
Chamilo LMS: insufficient sanitization of the open parameter in help.php
CVE-2025-52564
Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows a...
6.9
Chamilo LMS: reflected cross-site scripting due to insufficient sanitization
CVE-2025-52563
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to insufficient s...
5.1
Chamilo LMS: reflected cross-site scripting due to improper sanitization
CVE-2025-52476
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanit...
5.1
Chamilo LMS: reflected cross-site scripting in an admin page via URL
CVE-2025-52475
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_lis...
5.1
Chamilo Learning Management System: CSV Data Import XSS
CVE-2025-52468
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. T...
6.1
Skrol29 TbsZip 2.17 and earlier: reflected XSS in the RaiseError function
CVE-2025-65465
A reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier allows remote attackers to ...
6.1