CVE Vulnerabilities - 4 March 2026
241 vulnerabilities published on 4 March 2026
BioStar 2 Password Reset Allows New Password Without Old One
CVE-2025-41257
Suprema’s BioStar 2 in version 2.9.11.6 allows users to set a new password without providing the current one. Exploiting this flaw combined with other v...
4.8
Arc Agent Fails to Verify Server Certificate, Allowing Man-in-the-Middle Attacks
CVE-2025-40896
The server certificate was not verified when an Arc agent connected to a Guardian or CMC.
A malicious actor could perform a man-in-the-middle attac...
4.8
Arc Agent Connection to Guardian or CMC Not Secure
CVE-2025-40896
The server certificate was not verified when an Arc agent connected to a Guardian or CMC.
A malicious actor could perform a man-in-the-middle attac...
6.3
CMC Sensor Map allows malicious user to inject HTML code
CVE-2025-40895
A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properti...
2.0
Concrete CMS: Malicious Code Can Run in Administrator's Browser
CVE-2026-3242
GHSA-w9qg-chfh-g3q9
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block.
The Concrete CMS security team gave th...
4.8
Concrete CMS Search Results Can Run Malicious Code
CVE-2026-3244
GHSA-mm5f-5rqw-574f
In Concrete CMS below version 9.4.8, a stored Cross-site Scripting (XSS) vulnerability exists in the search block where page names and content are ren...
4.8
Concrete CMS: Rogue Admins Can Inject Malicious Code in Forms
CVE-2026-3241
GHSA-f4vq-pj32-gr4q
In Concrete CMS below version 9.4.8, a Cross-site Scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissi...
4.8
Concrete CMS Stored XSS Allows Attackers to Hijack Admin Accounts
CVE-2026-3240
GHSA-45fj-fvmm-xcc5
In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privi...
4.8
Traefik crashes when handling large auth server responses
CVE-2026-26998
GHSA-fw45-f5q2-2p4x
Impact: There is a potential vulnerability in Traefik managing the ForwardAuth middleware responses.
When Traefik is configured to use the Forward...
4.4
Dell Device Management Agent stores passwords in plain text
CVE-2026-22285
Dell Device Management Agent (DDMA), versions prior to 26.02, contain a Plaintext Storage of Password vulnerability. A high privileged attacker with l...
4.4
Morkva UA Shipping plugin for WordPress allows attackers to inject malicious scripts
CVE-2026-2292
The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7....
4.4
Taskbuilder Plugin for WordPress: Inject Malicious Scripts on Admin Settings
CVE-2026-2289
The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due t...
4.4
Cisco Firewalls: OSPF Attack Can Crash Device
CVE-2026-20021
A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD...
4.3
Cisco Firewall Software: Unauthenticated Attackers Can Hijack Users' Browsers
CVE-2026-20069
A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat...
4.3
Seraphinite Accelerator for WordPress: Unauthorized Access to Sensitive Data
CVE-2026-3058
The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the...
4.3
Seraphinite Accelerator Plugin Allows Unauthorized Log Deletion
CVE-2026-3056
The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_a...
4.3
TP-Link Router Allows Hackers to Steal Data by Pretending to be the Internet
CVE-2026-23812
A vulnerability has been identified where an attacker connecting to an access point as a standard wired or wireless client can impersonate a gateway b...
4.2
OpenClaw: Approved Senders Can Be Shared Across Accounts
GHSA-vjp8-wprm-2jw9
Summary: OpenClaw had account-scope gaps in pairing-store access for DM pairing policy, which could let a pairing approval from one account authori...
3.7
Dark Reader allows websites to request local files without permission
CVE-2025-68467
GHSA-x369-mcw8-8rvj
Description: Dark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web serve...
3.4
Wi-Fi Network: Attacker Can Redirect Client Traffic
CVE-2026-23811
A vulnerability in the client isolation mechanism may allow an attacker to bypass Layer 2 (L2) communication restrictions between clients and redirect...
3.1
Wi-Fi Access Point Allows Malicious Frame Injection
CVE-2026-23810
A vulnerability in the packet processing logic may allow an authenticated attacker to craft and transmit a malicious Wi-Fi frame that causes an Access...
3.1
Malicious code in time_calibrators crate exposed sensitive files online
GHSA-wf45-3gpw-vrqv
The `time_calibrators` crate attempted to exfiltrate `.env` files to a server that was in turn impersonating the legitimate `timeapi.io` service.
The...
Malicious Code Found in time_calibrator Rust Library
GHSA-77xj-rrh3-wx3v
It was reported that `time_calibrator` contained malicious code that would try to upload `.env` files to a server.
The malicious crate had only 1 version...
SUSE Linux Enterprise 16 Kernel Update Fixes Data Corruption Risk
openSUSE-SU-2026:20314-1
This update for the SUSE Linux Enterprise kernel 6.12.0-160000.8.1 fixes one security issue
The following security issue was fixed:
- CVE-2025-4013...
Linux Kernel: Incorrect Block Size Can Crash the System
CVE-2026-23238
In the Linux kernel, the following vulnerability has been resolved:
romfs: check sb_set_blocksize() return value
romfs_fill_super() ignores the retu...