CVE Vulnerabilities - 5 March 2026
523 vulnerabilities published on 5 March 2026
WP Bakery Autoresponder Addon allows malicious code to be stored
CVE-2026-27363
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-au...
7.1
Awa Plugins: Malicious Code Injection in Fox-Themes
CVE-2026-27359
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Awa Plugins awa-plugins allows Reflec...
7.1
ThemeGoods Architecturer allows malicious scripts to be injected into web pages
CVE-2026-27358
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Architecturer architecturer allows Re...
7.1
Grand News Theme Allows Hackers to Inject Malicious Code
CVE-2026-27353
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand News grandnews allows Reflected...
7.1
Starto ThemeGoods: Attackers can inject malicious code on your website
CVE-2026-27352
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Starto starto allows Reflected XSS.Th...
7.1
ThemeGoods Photography allows hackers to inject malicious code into web pages
CVE-2026-27348
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Photography photography allows DOM-Ba...
7.1
Agrofood Reflected Cross-Site Scripting Allows Malicious Code Injection
CVE-2026-27332
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Agrofood agrofood allows Reflected XSS....
7.1
DeepDigital Deepdigital Allows Malicious Code Injection
CVE-2026-22467
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mwtemplates DeepDigital deepdigital allows Refle...
7.1
BuddyApp: Malicious Code Injected into Web Pages
CVE-2026-22465
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeventhQueen BuddyApp buddyapp allows Reflected ...
7.1
Thebe: Hackers can inject malicious scripts into web pages
CVE-2026-22455
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thebe thebe allows Reflected XSS...
7.1
Thecs 1.4.7 and earlier allows malicious scripts to run on users' browsers
CVE-2026-22440
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thecs thecs allows Reflected XSS...
7.1
TheBi Software Allows Malicious Code to Run on Your Browser
CVE-2026-22438
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheBi thebi allows Reflected XSS...
7.1
Avira Internet Security: Privileged Deletion of System Directories
CVE-2026-27750
Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM...
8.5
Flowise Exposes Sensitive User Info on Forgotten Password Request
GHSA-jc5m-wrp2-qq38
## Summary
The `/api/v1/account/forgot-password` endpoint returns the full user object including PII (id, name, email, status, timestamps) in the res...
6.9
OpenReplay session replay suite has a SQL injection flaw in search endpoint
CVE-2026-28443
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort...
6.9
LangGraph Checkpoint Loading Can Be Tricked into Running Malicious Code
CVE-2026-28277
GHSA-g48c-2wqr-h844
LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpo...
6.8
Azure Compute Gallery Local Privilege Escalation Vulnerability
CVE-2026-26124
'.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally....
6.7
Azure Compute Gallery allows unauthorized privilege escalation
CVE-2026-23651
Permissive regular expression in Azure Compute Gallery allows an authorized attacker to elevate privileges locally....
6.7
EC-CUBE Administrative Interface MFA Can Be Bypassed by Hackers
GHSA-7rhv-h82h-vpjh
# Vulnerability Allowing MFA Bypass
## Affected EC-CUBE Versions
Versions: 4.1.0 – 4.3.1
## Vulnerability Overview
If an administrator’s ID and pass...
6.7
UPS Multi-UPS Management Console allows arbitrary code execution
CVE-2026-26033
UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Unquoted Search Path or Element (CWE-428) vulnerability, which allows a u...
8.4
Azure Compute Gallery Has Insecure Default Settings
CVE-2026-26122
Initialization of a resource with an insecure default in Azure Compute Gallery allows an authorized attacker to disclose information over a network....
6.5
OpenClaw voice-call extension allows unauthorized access
CVE-2026-29606
GHSA-c37p-4qqg-3p76
OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests ...
6.3
OpenClaw versions prior to 2026.2.14 can be crashed by malicious archives
CVE-2026-28452
GHSA-h89v-j3x9-8wqj
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows ...
6.7
OpenClaw Web Fetch Tool Crashes Due to Malicious HTML
CVE-2026-28394
GHSA-p536-vvpp-9mc8
OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway proces...
6.9
Cloudfoundry UAA Fails to Properly Revoke User Tokens
CVE-2026-22723
GHSA-6wcw-r64p-qrrw
Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to v78.7.0 and i...
6.5