CVE Vulnerabilities - 3 March 2026
282 vulnerabilities published on 3 March 2026
Craft CMS: Unpatched Sites at Risk of Hacker Takeover
CVE-2026-28784
GHSA-qc86-q28f-ggww
For this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/refere...
6.1
Craft CMS 5.8.21 Allows Unauthorized Access to Server
CVE-2026-28695
GHSA-94rc-cqvm-m4pw
There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony ...
6.6
SQL Injection in Sourcecodester Logistic Hub Parcel's Management System
CVE-2026-26892
Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_carrier.php....
7.2
Cohesity TranZman API Allows Authorized Users to Execute Unintended System Commands
CVE-2025-67840
Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060...
7.2
Cohesity TranZman Migration Appliance 4.0 Build 14614: Command Injection Risk
CVE-2025-63911
Cohesity TranZman Migration Appliance Release 4.0 Build 14614 was discovered to contain an authenticated command injection vulnerability....
7.2
Cohesity TranZman Migration Appliance: Untrusted File Upload Risk
CVE-2025-63910
An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers with Administra...
7.2
WatchGuard Fireware OS allows unapproved system changes via administration interface
CVE-2026-3342
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow an authenticated privileged administrator to execute arbitrary code with root...
8.6
WP Zendesk plugin for popular WordPress form plugins allows malicious code execution
CVE-2026-2568
The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi...
7.2
Uncanny Automator Plugin Allows Attackers to Access and Modify Internal Services
CVE-2026-2269
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request For...
7.2
OpenClaw Commands Allowlist Can Be Exploited by Conversation Members
GHSA-2ch6-x3g4-7759
### Summary
`commands.allowFrom` is documented as a sender authorization allowlist for commands/directives, but command authorization could include `c...
7.1
OpenClaw: Bypassing Security Restrictions Through Wrapper Binaries
GHSA-jj82-76v6-933r
### Summary
`system.run` exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap `env`/shell-dispatch wr...
7.1
OpenClaw: Malicious Archives Can Write Outside Intended Folder
GHSA-jxrq-8fm4-9p58
### Summary
A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was prese...
7.1
OpenClaw Service Can Run Arbitrary Commands with Elevated Privileges
GHSA-vffc-f7r7-rx2w
OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled e...
6.9
OpenClaw Windows Task Scheduler Script May Execute Malicious Code
GHSA-pj5x-38rw-6fph
### Summary
A command injection vulnerability existed in Windows Scheduled Task script generation for OpenClaw. Environment values were written into `...
7.1
HP System Event Utility allows denial of service and file tampering
CVE-2026-2915
HP System Event Utility might allow denial of service with elevated arbitrary file writes. This potential vulnerability was remediated ...
5.2
OpenClaw's Telegram Message Reaction Hack Allows Unauthorized Access
GHSA-qj22-xqjr-v83v
A missing sender-authorization check in Telegram `message_reaction` handling allowed unauthorized users to trigger reaction-derived system events. ...
7.1
Wise Force Deleter deletes arbitrary files with malicious input
CVE-2025-66680
An issue in the WiseDelfile64.sys component of WiseCleaner Wise Force Deleter 7.3.2 and earlier allows attackers to delete arbitrary files via a craft...
7.1
libbiosig: Malicious .abf files can reveal sensitive data
CVE-2025-64736
An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A spec...
7.1
Rancher allows containers to run as a privileged user
GHSA-hwm2-4ph6-w6m5
### Impact
The `restricted` pod security policy (PSP), provided in Rancher versions from 2.0 up to and including 2.6.3, has a deviation from the [upst...
7.1
Update your Red Hat kernel to prevent remote access
RHSA-2026:3579
7.1
OpenClaw Sandbox Bypass via Symlink and Missing Path
GHSA-m8v2-6wwh-r4gc
### Summary
In `openclaw` up to and including **2026.2.23** (latest npm release as of **February 24, 2026**), sandbox bind-source validation could be ...
7.0
OpenClaw Sandbox Registry Can Lose Updates or Restore Deleted Entries
GHSA-gq83-8q7q-9hfx
## Impact
Concurrent `updateRegistry`/`removeRegistryEntry` operations for sandbox containers and browsers could lose updates or resurrect removed en...
6.9
OpenClaw bypasses allowlist and permits file write with short-option payloads
GHSA-3x3x-h76w-hp98
### Summary
OpenClaw `exec` allowlist/safeBins policy could be bypassed with attached short-option payloads (for example `sort -o/tmp/poc`), enabling ...
6.9
OpenClaw plugin execution can run system commands with same privileges
GHSA-ff98-w8hj-qrxf
### Summary
OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugi...
6.9
BlueBubbles iMessage Plugin Exposes Webhooks to Unauthenticated Access
GHSA-5mx2-2mgw-x8rm
### Summary
BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing se...
6.9