CVE Vulnerabilities - 3 March 2026

282 vulnerabilities published on 3 March 2026

Using @tootallnate/once can cause your app to freeze
CVE-2026-3449, GHSA-vpq2-c234-7xj6
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option i...
Severity: 6.3

SQL Injection in Sourcecodester Logistic Hub Parcel's Management System
CVE-2026-26891
Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_parcel_type.php....
Severity: 2.7

Pharmacy Point of Sale SQL Injection in Manage Category Page
CVE-2026-26889
Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php....
Severity: 2.7

Pharmacy Point of Sale System SQL Injection Vulnerability
CVE-2026-26888
Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_stock.php....
Severity: 2.7

Pharmacy Point of Sale System SQL Injection Risk: Supplier Data Exposure
CVE-2026-26887
Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php....
Severity: 2.7

Pharmacy Point of Sale System SQL Injection Vulnerability: Unsecured Data Access
CVE-2026-26890
Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_product.php....
Severity: 2.7

Vulnerability in Online Men's Salon Management System Exposes User Data
CVE-2026-26886
Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /admin/services/manage_service.php....
Severity: 2.7

SQL Injection in Men's Salon Management System
CVE-2026-26885
Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /classes/Master.php?f=delete_service....
Severity: 2.7

SQL Injection in Sourcecodester Men's Salon Management System
CVE-2026-26884
Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /msms/admin/appointments/view_appointment.php....
Severity: 2.7

Online Salon Management System SQL Injection Vulnerability
CVE-2026-26883
Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /msms/classes/Master.php?f=delete_appointment....
Severity: 2.7

Gallagher Morpho integration in Command Centre Server crashes with admin access
CVE-2026-20757
Improper Locking vulnerability (CWE-667) in Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Comm...
Severity: 2.5

OpenClaw's tools.exec.safeBins Allows Unauthorized Execution of Interpreter Binaries
GHSA-8mf7-vv8w-hjr2
Summary: When `tools.exec.safeBins` contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. I...
Severity: 2.3

OpenClaw: Microsoft Teams media fetch paths bypass shared SSRF guard model
GHSA-7qf6-h84j-8fq4
Impact: Microsoft Teams media handling used mixed fetch paths for Graph metadata/content and attachment auth-retry flows. Some paths bypassed the sh...
Severity: 2.3

OpenClaw allows unauthorized access to sensitive data
GHSA-vvgp-4c28-m3jm
Summary: A trusted-proxy Control UI pairing bypass accepted `client.id=control-ui` without device identity checks. The bypass did not require `opera...
Severity: 2.3

OpenClaw exposes sensitive data in system prompts
GHSA-v6x2-2qvm-6gv8
Vulnerability: OpenClaw reused `gateway.auth.token` (and `gateway.remote.token`) as a fallback hash secret for owner-ID prompt obfuscation when `co...
Severity: 2.1

Craft CMS Allows Malicious Code in Settings Names and Labels
GHSA-4mgv-366x-qxvx
Overview of all XSS Reports: Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into 4 reports as follows: | Report ...
Severity: 2.1

OpenClaw's Debug Mode Can Be Hacked with Special Keys
GHSA-62f6-mrcj-v8h5
Summary: OpenClaw accepted prototype-reserved keys in runtime `/debug set` override object values (`__proto__`, `constructor`, `prototype`). I...
Severity: 2.0

Nokia Impact: Malicious Data Injection via Campaign Name
CVE-2023-31044
An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign function...
Severity: 2.0

Duplicate Vulnerability: Do Not Use
CVE-2026-3076
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-2363. Reason: This candidate is a reservation duplicate of CVE-20...
CGA-2jg9-9ccq-wcm4
OpenClaw's system.run bypass lets attackers run unauthorized commands
GHSA-9868-vxmx-w862
Summary: In OpenClaw `system.run` allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as `$\\` + newline + `...

Unauthorized People Can Download and Save Media from Telegram
GHSA-h656-5vcf-cm23
Impact: In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender ...

OpenClaw Gateway Plugin Authentication Bypass in Certain Paths
GHSA-mwxv-35wr-4vvj
Summary: Gateway plugin route auth protection for `/api/channels` could be bypassed using encoded dot-segment traversal (for example `..%2f`) in pa...
BELL-CVE-2026-3184