CVE Vulnerabilities - 5 March 2026

523 vulnerabilities published on 5 March 2026

File Browser in File Manager Allows Access to Sibling Directories
CVE-2026-28492 GHSA-mr74-928f-rw69
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Pri...
7.1
Omada EAP610 Crashes When Sent Malicious Network Requests
CVE-2025-7375
A denial-of-service (DoS) vulnerability was identified in Omada EAP610 v3. An attacker with adjacent network access can send crafted requests to caus...
6.9
WordPress Page and Post Clone Plugin Exposes Sensitive Data
CVE-2026-2893
The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versio...
6.5
EC-CUBE: Administrator Access Bypass with Valid Credentials
CVE-2026-30777
EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administr...
6.9
Site Suggest: Unauthorized Access to Restricted Features
CVE-2026-28104
Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by AC...
6.5
Brainstorm_Force Ultimate Addons for WPBakery Page Builder: Unauthorized Access Risk
CVE-2026-28038
Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Con...
6.5
WP Bakery Autoresponder Addon Allows Unauthorized Access
CVE-2026-27362
Missing Authorization vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Exploiting Incorrectly Configured Acce...
6.5
WooCommerce Coming Soon Product with Countdown allows Attackers to Inject Malicious Code
CVE-2026-27354
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product w...
6.5
Tutor LMS Missing Authorization Allows Unrestricted Access
CVE-2026-23799
Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affe...
6.5
RadiusTheme Classified Listing Leaks Sensitive Data in Sent Messages
CVE-2026-23546
Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitiv...
6.5
Blend Media WordPress CTA easy-sticky-sidebar: Unauthorized Access Allowed
CVE-2026-22459
Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security ...
6.5
Jeroen Schmit Theater for WordPress allows hackers to inject malicious scripts
CVE-2025-69343
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allo...
6.5
Fluent Forms Pro Add On Pack plugin can delete WordPress files without permission
CVE-2026-2899
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due...
6.5
Greenshift Plugin Allows Attackers to Inject Malicious Code into WordPress Pages
CVE-2026-2593
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post met...
6.4
SkatDesign Ratatouille allows hackers to make fake requests from your server
CVE-2026-28036
Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery. This issue affects Ratatouil...
6.4
OoohBoi Steroids for Elementor plugin allows attackers to inject malicious scripts
CVE-2026-3034
The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob...
6.4
PixFort Core: Incorrect Access Control Lets Attackers Access Sensitive Data
CVE-2026-28071
Missing Authorization vulnerability in PixFort pixfort Core pixfort-core allows Exploiting Incorrectly Configured Access Control Security Levels. This ...
6.3
lxml_html_clean: Unchecked <base> tag allows link hijacking
DEBIAN-CVE-2026-28350
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through th...
6.1
lxml_html_clean: Malicious CSS Can Bypass Security Filters
DEBIAN-CVE-2026-28348
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() met...
6.1
Wagtail Admin Panel Allows Malicious JavaScript to Run
CVE-2026-28223 GHSA-p4v8-rw59-93cq
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (...
6.1
Wagtail Content Management System: TableBlock XSS Vulnerability
CVE-2026-28222 GHSA-p5cm-246w-84jm
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (...
6.1
Gogs: Stored XSS in branch and wiki views through author and committer names
CVE-2026-26195 GHSA-vgvf-m4fw-938j
Stored XSS is still possible through unsafe template rendering that mixes user input with `safe()` plus permissive sanitizer handling of ...
6.9
HumHub Calendar Module: Admin Events Can Contain Malicious Code
CVE-2026-29052
The Calendar module for HumHub enables users to create one-time or recurring events, manage attendee invitations, and efficiently track all scheduled ...
6.9
Django Allauth Security Risk: Malicious Redirects via SAML SSO
DEBIAN-CVE-2026-27982
An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), ...
6.1
Django Allauth SAML SSO Redirects Users to Malicious Sites
CVE-2026-27982 GHSA-2jpr-83rg-v67j
An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), ...
5.1