
CVE Vulnerabilities - 5 March 2026


521 vulnerabilities published on 5 March 2026

Trivy VS Code Extension stole sensitive data from users' machines
CVE-2026-28353
Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed vi...
10.0
zeptoclaw Allows Malicious Commands via Command Injection
GHSA-5wp8-q9mx-8jx8
Summary: [zeptoclaw](https://github.com/qhkm/zeptoclaw) implements an allowlist combined with a blocklist to prevent malicious shell commands in [sr...
10.0
OpenClaw Gateway: Authentication Bypass via Unsanitized Parameters
CVE-2026-28466 GHSA-gv46-4xfq-jv58
OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke para...
9.4
zozothemes Charety allows uploading malicious files
CVE-2026-24960
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Charety charety allows Using Malicious Files. This issue affects Charety: f...
9.9
Malicious Code Can Be Injected into Builderall for WordPress
CVE-2026-22390
Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allow...
9.9
Nutrie allows uploading a web shell to the web server
CVE-2025-68555
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server. This issue affects...
9.9
Keenarch allows attackers to upload malicious files
CVE-2025-68554
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Keenarch keenarch allows Using Malicious Files. This issue affects Keenarch...
9.9
Lendiz allows attackers to upload malicious files to a web server
CVE-2025-68553
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Lendiz lendiz allows Upload a Web Shell to a Web Server. This issue affects...
9.9
Microsoft Devices Pricing Program Allows Hackers to Run Malicious Code
CVE-2026-21536
Microsoft Devices Pricing Program Remote Code Execution Vulnerability...
9.8
OpenClaw versions prior to 2026.2.2 allow unauthorized command execution
CVE-2026-28470 GHSA-3hcm-ggvf-rch5
OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitr...
9.2
OpenClaw fails to validate Telegram webhook secrets
CVE-2026-28454 GHSA-fhvm-j76f-qmjv
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST re...
8.2
OpenClaw fails to validate TAR archive paths, potentially allowing attackers to write files anywhere
CVE-2026-28453 GHSA-p25h-9q54-ffvw
OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outs...
8.3
OpenClaw Voice-Call Extension Allows Unauthenticated Calls
CVE-2026-28446 GHSA-4rj2-gpmh-qq5x
OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allo...
9.2
OpenClaw 2.0.0-beta3 allows attackers to run malicious code
CVE-2026-28393 GHSA-7xhj-55q9-pc3m
OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScr...
8.3
D-Link DIR-1253 MESH: Privilege Escalation Risk
CVE-2025-29165
An issue in D-Link DIR-1253 MESH V1.6.1684 allows an attacker to escalate privileges via the etc/shadow.sample component...
9.8
Nginx UI Exposes Encryption Keys Without Authentication
CVE-2026-27944 GHSA-g9w5-qffc-6762
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and d...
9.8
Apache ActiveMQ Remote File Access via Malicious Configuration
CVE-2026-24457
Unsafe parsing of OpenMQ's configuration allows a remote attacker to read arbitrary files from an MQ Broker's server. A full exploitation could rea...
9.8
D-Link DIR-513 router allows arbitrary code execution
CVE-2025-70233
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetEnableWizard....
9.8
D-Link DIR-513 Router: Unauthenticated Remote Code Execution
CVE-2025-70232
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetMACFilter....
9.8
D-Link DIR-513 Version 1.10 Allows Unauthorized Code Execution
CVE-2025-70231
D-Link DIR-513 version 1.10 contains a critical-level vulnerability. When processing POST requests related to verification codes in /goform/formLogin,...
9.8
D-Link DIR-513 Router DDNS Configuration Overflow
CVE-2025-70230
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetDDNS....
9.8
Old D-Link DIR-513 Router Can Be Hacked via Scheduled Event
CVE-2025-70229
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSchedule....
9.8
Rakuten Viber's Cloak Mode Fails to Hide Traffic from Censors
CVE-2025-13476
Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking exten...
9.8
Contact Form Plugins for WordPress Can Be Hacked by Malicious Code
CVE-2026-2599
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and includ...
9.8
Unsecured File Uploads in [Software] Allow Unauthenticated Remote Code Execution
CVE-2026-21628
An improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading to remote code execution....
10.0