CVE Vulnerabilities - 5 March 2026

521 vulnerabilities published on 5 March 2026

Perl Compress::Raw::Zlib uses outdated, insecure zlib library
UBUNTU-CVE-2026-3381
Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib. Compress::Raw::Zlib includes a copy of the zlib library...
9.8
hexpm: Password Reset Tokens Never Expire, Leaving Accounts Open to Hackers
CVE-2026-21622 EEF-CVE-2026-21622 GHSA-6r94-pvwf-mxqm
Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password r...
9.4
Couch-Auth Email System Allows Attackers to Hijack Accounts
CVE-2025-70948 GHSA-qw8v-34ww-6q9p
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an ac...
8.6
Gogs: Malicious LFS file uploads can overwrite files across repositories
CVE-2026-25921 GHSA-cj4v-437j-jq4c
Summary: Overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten ...
9.3
RustDesk Client: Data Stealing or Tampering on Unsecured Network
CVE-2026-30797
Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme hand...
9.3
RustDesk Client allows attackers to take control of your account on Windows, MacOS, Linux, iOS, and Android
CVE-2026-30793
Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI...
9.3
RustDesk Server Pro and OSS allow brute-force login attacks
CVE-2026-30790
Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-serve...
9.3
RustDesk Client: Stolen Session IDs Can Reveal Passwords
CVE-2026-30789
Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client ...
9.3
Loopus WP Attractive Donations System vulnerable to data theft
CVE-2026-28115
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in loopus WP Attractive Donations System - Easy Str...
9.3
Riode Core: Malicious Requests Can Expose Sensitive Data
CVE-2025-69338
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Riode Core riode-core allows Blind SQ...
9.3
Pingora allows attackers to bypass proxy controls and hijack sessions
GHSA-262p-vjx5-45xh
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-hj7x-879w-vrp7. This link is maintained to preserve external...
9.3
Pingora Proxy Can Allow Attackers to Bypass Security Controls
GHSA-f9v3-j2m7-4hpg
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-xq2h-p299-vjwv. This link is maintained to preserve external...
9.3
OpenClaw Browser Control API Allows Unauthorized File Writing
CVE-2026-28462 GHSA-gq9c-wg68-gwj2
OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and d...
8.7
OpenClaw Chrome Extension Relay Server Exposes Relay Endpoints to Remote Attack
CVE-2026-28395 GHSA-qw99-grcx-4pvm
OpenClaw version 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabl...
6.3
RustDesk Client on Multiple Platforms Fails to Validate Certificates
CVE-2026-30794
Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API clie...
9.1
RustDesk Client allows hackers to manipulate messages on Windows, MacOS, Linux, iOS, Android, and Web.
CVE-2026-30792
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, ...
9.1
Salesforce Login Plugin on WordPress Fails to Check User Permissions
CVE-2026-2418
The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticate...
9.1
Firassaidi WooCommerce License Manager allows upload of malicious files
CVE-2026-28114
Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell t...
9.1
Jordy Meow AI Engine allows uploading malicious files
CVE-2026-23802
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files. This issue affects AI Eng...
9.1
Perl's NSCA Client Uses Weak Random Number Generator
CVE-2024-57854
Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator. Version v0.003 switched to use Data::Rand::Obscure instead ...
9.1
Apache::Session::Generate::MD5 creates predictable session IDs
CVE-2025-40931
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecu...
9.1
Pingora HTTP Request Forgery can Hijack Sessions and Bypass Security Rules
CVE-2026-2835 GHSA-hj7x-879w-vrp7 RUSTSEC-2026-0034
An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due...
9.3
Pingora Proxy Allows Malicious Data to Bypass Security Controls
CVE-2026-2833 GHSA-xq2h-p299-vjwv RUSTSEC-2026-0033
An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora pro...
9.3
Chamilo Learning Management System: Admin Account Takeover via Malicious File Uploads
CVE-2025-55208
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a...
9.0
Marketing Fire Widget Options allows malicious code to be injected
CVE-2026-27984
Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection. This iss...
9.0