CVE Vulnerabilities - 6 March 2026

3241 vulnerabilities published on 6 March 2026

WeKnora Database Query Tool Allows Attackers to Execute Malicious Code
GHSA-8w32-6mrw-q5wv CVE-2026-30860
Summary: A critical Remote Code Execution (RCE) vulnerability exists in the application's database query functionality. The validation system fails...
Severity: 10.0

Vito Prior to 3.20.3: Unsecured Access to Other Projects' Servers
CVE-2026-29789
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missin...
Severity: 9.9

WeKnora Tenant Management Allows Unauthorized Access and Deletion
GHSA-ccj6-79j6-cq5q CVE-2026-30855
Summary: An authorization bypass in tenant management endpoints of WeKnora application allows any authenticated user to read, modify, or delete any...
Severity: 9.8

Rocket.Chat: Unauthenticated Users Can Access Accounts
CVE-2026-30831
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and...
Severity: 8.0

Mesa: Untrusted code can run with elevated privileges in benchmarks
CVE-2026-29075
Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prio...
Severity: 9.8

OOP CMS BLOG 1.0 Allows Unauthenticated SQL Query Execution
CVE-2018-25199
OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious c...
Severity: 8.8

Unauthenticated access to sensitive AppEngine file areas via HTTP
CVE-2026-2331
An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper...
Severity: 9.8

AVideo 7.0 or earlier: Unauthenticated attackers can take control of the server
CVE-2026-29058 GHSA-9j26-99jh-v26q
AVideo is a video-sharing platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by inje...
Severity: 9.8

Nuclio Serverless Framework Command Injection in Shell Runtime
CVE-2026-29042 GHSA-95fj-3w7g-4r27
Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a c...
Severity: 8.9

Authlib: Malicious JWTs Can Bypass Signature Verification
DEBIAN-CVE-2026-28802
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passin...
Severity: 9.8

Authlib: Malicious JWTs Can Bypass Security Checks in Older Versions
CVE-2026-28802 GHSA-7wc2-qxgw-g8gg
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passin...
Severity: 7.7

OpenChatBI Save Report Tool Allows Malicious File Upload
CVE-2026-28795 GHSA-vmwq-8g8c-jm79
OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help users query, analyze, and visualize data through na...
Severity: 8.7

CocoIndex Doris Connector Allows SQL Injection via Malicious Table Names
CVE-2026-28438 GHSA-59g6-v3vg-f7wc
CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name befor...
Severity: 6.9

LearnDash PowerPack Plugin Allows Unauthenticated User Actions
CVE-2026-2446
The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated user...
Severity: 9.8

oRPC before 1.13.6 allows attackers to inject malicious code
CVE-2026-28794 GHSA-m272-9rp6-32mc
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vu...
Severity: 9.3

Ghostfolio Prior to 2.244.0 Allows SQL Attacks on User Data
CVE-2026-28785
Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary S...
Severity: 9.3

Chartbrew version prior to 4.8.3 allows database data access without login
CVE-2026-27005
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3,...
Severity: 8.8

Acronis Cyber Protect 17: Unauthorized Access to Sensitive Data
CVE-2026-28710
Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux...
Severity: 9.8

JBoss Enterprise Application Platform 8.0.12 Security Update: Remote Code Execution Risk
RHSA-2026:3891
Severity: 9.6

Red Hat JBoss EAP 8.0.12 Security Update Exposes Data
RHSA-2026:3889
Severity: 9.6

OCPP WebSocket endpoint fails to verify user identity
CVE-2026-26288
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent t...
Severity: 9.3

OCPP WebSocket Endpoints Allow Unauthorized Access to Charging Stations
CVE-2026-26051
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent t...
Severity: 9.3

Unauthenticated access to restricted device settings via CROWN REST interface
CVE-2026-2330
An attacker may access restricted filesystem areas on the device via the CROWN REST interface due to incomplete whitelist enforcement. Certain directo...
Severity: 9.4

OCPP WebSocket Endpoints Allow Unauthorized Access to Charging Stations
CVE-2026-22552
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent t...
Severity: 9.3

Old Rocket.Chat versions allow attackers to log in with any password
CVE-2026-28514
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and...
Severity: 9.3