CVE Vulnerabilities - 3 March 2026

280 vulnerabilities published on 3 March 2026

IBM DevOps Plan: Weak Account Lockout Setting Exposes Passwords
CVE-2025-36363
IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials....
7.5
IBM DataStage on Cloud Pak for Data Leaks Sensitive Information
CVE-2025-13616
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks agains...
7.5
Weintek cMT-3072XH2 easyweb v2.1.53 stores credentials insecurely
CVE-2024-55027
Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to store credentials in plaintext in the component uac_temp.db....
7.5
Weintek easyweb FTP Server Has Pre-Configured Password
CVE-2024-55021
Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain a hardcoded password in the FTP protocol....
7.5
Weintek cMT-3072XH2 easyweb: Unauthenticated File Download
CVE-2024-55019
Incorrect access control in the component download_wb.cgi of Weintek cMT-3072XH2 easyweb Web Version v2.1.53, OS v20231011 allows unauthenticated atta...
7.5
AWS-LC Library Fails to Properly Verify Digital Certificates
GHSA-vw5v-4f2q-w9xf
### Summary AWS-LC is an open-source, general-purpose cryptographic library. ### Impact Improper certificate validation in PKCS7_verify() in AWS-LC a...
8.7
Tenda AX3 Router: Remote Code Execution via TV Service
CVE-2025-69765
Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formGetIptv function and the list parameter, which can cause memory corruption and enable...
7.5
Cohesity TranZman Uses Weak Encryption, Exposing Data
CVE-2025-63912
Cohesity TranZman Migration Appliance Release 4.0 Build 14614 was discovered to use a weak cryptography algorithm for data encryption, allowing attack...
7.5
Using Underscore could crash your program with a deep JSON file
CVE-2026-27601 GHSA-qpx9-hpmf-5gmw
### Impact In simple words, some programs that use `_.flatten` or `_.isEqual` could be made to crash. Someone who wants to do harm may be able to do ...
8.3
Samsung Mobile Processors: Crash Risk from Data Corruption
CVE-2025-62817
An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400, 1580, and 2500. A NULL pointer dereference of session->ncp_hd...
7.5
Samsung Exynos 2200 mobile processor has a data leak risk due to uninitialized memory use
CVE-2025-66363
An issue was discovered in LBS in Samsung Mobile Processor Exynos 2200. There was no check for memory initialization within DL NAS Transport messages....
7.5
Samsung Mobile Processors: Denial of Service Risk with Firmware Loading
CVE-2025-62814
An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, and 2400. A NULL pointer dereference of ft_handle in load_fw_utc_ve...
7.5
Django Can Crash with a Very Long URL
CVE-2026-25673 GHSA-8p8v-wh79-9r56 BIT-django-2026-25673
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit(...
7.5
Red Hat Kernel Update Exposes Systems to Privilege Escalation
RHSA-2026:3634
7.5
Outdated Thunderbird Update Exposes Users to Malware Attacks
RHSA-2026:3516
7.5
Mozilla Thunderbird Security Update for Linux
RHSA-2026:3517
7.5
Red Hat Thunderbird: Critical Security Update Required
RHSA-2026:3515
7.5
HomeBox allows attackers to bypass IP rate limiting
CVE-2026-27981
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per cli...
7.4
OpenClaw Gateway Can Execute Unintended Code
GHSA-659f-22xc-98f2
## Vulnerability Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resol...
7.3
OpenClaw: Manually Adding Sort to Safe Bins Can Bypass Approval
GHSA-4gc7-qcvf-38wg
### Summary This issue applies to a **non-default configuration** only. If `sort` is manually added to `tools.exec.safeBins`, OpenClaw could treat `so...
7.3
OpenClaw's autoAllowSkills setting can bypass exec prompts
GHSA-7ff8-xjh3-mgh6
### Summary In `openclaw` versions up to and including `2026.2.22-2`, a non-default exec-approval configuration could allow a skill-name collision to ...
7.3
OpenClaw Allows Malicious Startup Files to Run on Your System
GHSA-xgf2-vxv2-rrmg
### Summary `system.run` environment sanitization allowed shell-startup env overrides (`HOME`, `ZDOTDIR`) that can execute attacker-controlled startup...
7.3
OpenClaw: Malicious Code Can Run Before Commands - Update Needed
GHSA-w9cg-v44m-4qv8
### Summary `BASH_ENV` / `ENV` startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values...
7.3
itsourcecode College Management System SQL Injection Risk
CVE-2026-3487
A vulnerability was found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/class-result.ph...
5.1
itsourcecode College Management System: SQL Injection via Student Fee Input
CVE-2026-3486
A vulnerability has been found in itsourcecode College Management System 1.0. This vulnerability affects unknown code of the file /admin/student-fee.p...
5.1