
CVE Vulnerabilities - 4 March 2026


240 vulnerabilities published on 4 March 2026

Mail Mint WordPress plugin: Exposed User Email Addresses
CVE-2026-2025
The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoints, allowing unauthenticated users to call it a...
7.5
OpenClaw Canvas Authentication Bypass
GHSA-vvjh-f6p9-5vcf
ZDI-CAN-29311: OpenClaw Canvas Authentication Bypass Vulnerability. Abstract: Trend Micro's Zero Day Initiati...
7.4
Guardian Properties Can Be Injected with Malicious HTML on CMC Sensor Map
CVE-2025-40895
A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properti...
7.3
Cisco Firewall ASA Software allows unauthorized file access
CVE-2026-20062
A vulnerability in the CLI of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software in multiple context mode could allow an authenticated, ...
7.2
2N Access Commander: Password Bypass in Backup File Encryption
CVE-2025-59785
Improper validation of an API endpoint in 2N Access Commander version 3.4.2 and prior allows an attacker to bypass the password policy for backup file encrypti...
5.3
2N Access Commander Log Pollution Risk on Unvalidated API Parameters
CVE-2025-59784
2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior...
6.9
2N Access Commander: Unauthenticated Admins Can Execute Unauthorized Commands
CVE-2025-59783
The API endpoint for user synchronization in 2N Access Commander version 3.4.1 did not have sufficient input validation, allowing OS command injectio...
8.8
Concrete CMS < 9.4.8 allows attackers to execute malicious code
CVE-2026-3452 GHSA-gj26-w59c-29mf
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the colum...
8.9
WPBookit Plugin for WordPress Allows Attackers to Inject Malicious Scripts
CVE-2026-1945
The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpb_user_name' and 'wpb_user_email' parameters in all versions...
7.2
PostX plugin for WordPress allows hackers to access internal systems
CVE-2026-1273
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all ver...
7.2
Slack integration in OpenClaw may let unauthorized users send messages
GHSA-x2ff-j5c2-ggpr
Impact: In shared Slack workspace deployments that rely on sender restrictions (`allowFrom`, DM policy, or channel user allowlists), some interacti...
7.1
Tradebox 5.4: Attackers can steal sensitive database information
CVE-2019-25505
Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through ...
7.1
PHPads 2.0 allows unauthorized access to database info
CVE-2019-25503
PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code ...
7.1
OpenClaw Allows Malicious Files to be Stolen
GHSA-jjgj-cpp9-cvpv
Summary: A malicious or compromised MCP (Model Context Protocol) tool server can exfiltrate arbitrary local files from the host system by injecting...
6.9
OpenClaw allows access to blocked IP addresses via web fetch
GHSA-4rqq-w8v4-7p47
Summary: `isPrivateIpv4()` in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so `web_fetch` could allow targets that sh...
6.9
OpenClaw: Malicious Avatar Traversal in Gateway Session
GHSA-9mph-4f7v-fmvh
Summary: A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 `data:` URL i...
6.9
OpenClaw allows access to internal network targets via crafted URLs
GHSA-8cp7-rp8r-mg77
Summary: OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (`...:5efe:w.x.y.z`). A crafted URL containing an ISATAP IP...
6.9
Cisco Firewalls Crash When Attacker Sends Malicious OSPF Packets
CVE-2026-20025
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, adjacent attack...
6.8
Cisco Firewalls Can Crash When Attacked by a Nearby User with the Right Password
CVE-2026-20024
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, adjacent attack...
6.8
Cisco Firewalls Can Be Restarted by a Nearby Attacker
CVE-2026-20020
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent atta...
6.8
Cisco FTD Software Denial of Service via Malformed TLS 1.2 Traffic
CVE-2026-20050
A vulnerability in the Do Not Decrypt exclusion feature of the SSL decryption feature of Cisco Secure Firewall Threat Defense (FTD) Software could all...
6.8
Concrete CMS allows attackers to bypass security settings
CVE-2026-2994 GHSA-6mxw-2vhf-42g5
Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter ...
2.3
Dell PowerScale OneFS versions 9.11.0.0 to 9.12.0.1 have a Privilege Escalation Risk
CVE-2026-22270
Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an uncontrolled search path element vulnerability. ...
6.7
Dell PowerScale OneFS: Privilege Escalation and Data Exposure Risk
CVE-2026-21426
Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an execution with unnecessary privileges vulnerabil...
6.7
Dell PowerScale OneFS allows attackers to gain extra access
CVE-2026-21424
Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an execution with unnecessary privileges vulnerabil...
6.7