CVE Vulnerabilities - 5 March 2026
521 vulnerabilities published on 5 March 2026. Each entry ends with its severity score.
Adobe Commerce Payment Orchestrator Privilege Escalation Risk
CVE-2026-26125
Payment Orchestrator Service Elevation of Privilege Vulnerability...
8.6
OpenClaw versions prior to 2026.2.2 allow hackers to access internal files
CVE-2026-28467
GHSA-wfp2-v9c7-fh79
OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attac...
6.3
Secudeal Payments for Ecommerce allows Malicious Data to Be Injected
CVE-2026-22471
Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injecti...
8.6
FormGent Path Traversal Vulnerability Exposes Sensitive Server Files
CVE-2026-22460
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpWax FormGent formgent allows Path Traversal. This iss...
8.6
Crocoblock JetEngine allows hackers to inject malicious code
CVE-2026-28134
Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetEngine jet-engine allows Remote Code Inclusion. This issue aff...
8.5
Eagle Booking allows hackers to access sensitive data
CVE-2026-27428
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eagle-Themes Eagle Booking eagle-booking allows ...
8.5
Tablesome SQL Injection Risk: Data Theft or Manipulation
CVE-2026-27373
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Essekia Tablesome tablesome allows Blind SQL Inj...
8.5
SageMaker Python SDK: Malicious Input Could Execute Arbitrary Code
GHSA-5r2p-pjr8-7fh7
Summary: This advisory addresses the use of the search_hub() function within the SageMaker Python SDK's JumpStart search functionality. An actor wi...
8.4
Pingora HTTP Proxy Cache Key Construction Flaw Exposes User Data
GHSA-2m8c-2374-465f
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-f93w-pcj3-rggc. This link is maintained to preserve external...
8.4
OpenClaw with Nostr plugin exposed to unauthenticated access
CVE-2026-28450
GHSA-mv9j-6xhh-g383
OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/pr...
8.3
RustDesk Client on Windows, macOS, Linux May Expose Sensitive Data
CVE-2026-30785
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Use of Password Hash With Insufficient Computational Effort...
8.2
OpenShift Container Platform 4.19.25 security update affects authentication
RHSA-2026:3391
8.2
Royal Elementor Addons: Unrestricted Access to Sensitive Features
CVE-2026-28135
Inclusion of Functionality from Untrusted Control Sphere vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Accessing Func...
8.2
OpenClaw versions prior to 2026.2.2 allow unauthorized approval of requests
CVE-2026-28473
GHSA-mqpw-46fh-299h
OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec app...
7.2
OpenClaw Prior to 2026.2.12: Unvalidated Session File Path
CVE-2026-28459
GHSA-64qx-vpxx-mvqf
OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data ...
7.1
Keycloak: Authentication bypass using disabled Identity Provider
CVE-2026-3009
GHSA-m297-3jv9-m927
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even ...
8.1
File Browser: Malicious Users Can Delete Any Files
CVE-2026-29188
GHSA-79pf-vx4x-7jmm
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Pri...
8.1
The Graph Token Vesting Contract Flaw: Unlocked Tokens
CVE-2026-28410
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the tok...
5.3
OpenCode Systems OCC Messaging / USSD Gateway: Unprivileged Access to SMS Messages
CVE-2025-70614
OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing ...
8.1
Hexpm API Key Can Be Used to Access Full Account Permissions
CVE-2026-21621
EEF-CVE-2026-21621
GHSA-739m-8727-j6w3
Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation. An API key cre...
8.1
Contact Form 7 Plugin Allows Unrestricted File Uploads
CVE-2026-3459
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type val...
8.1
Tata Consultancy Services Cognix Recon Client v3.0: Passwords Reset by Any User
CVE-2026-26417
A broken access control vulnerability in the password reset functionality of Tata Consultancy Services Cognix Recon Client v3.0 allows authenticated u...
8.1
WordPress Restrict Content Plugin Allows Unauthorized Access to Premium Roles
CVE-2026-1321
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This...
8.1
Authentication Bypass in Device Authentication Module
CVE-2026-28536
Authentication bypass vulnerability in the device authentication module. Impact: Successful exploitation of this vulnerability will affect integrity a...
8.1
WordPress Filr plugin allows attackers to upload malicious files to a web server
CVE-2026-28133
Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server. This issue af...
8.1