
CVE Vulnerabilities - 6 March 2026


3241 vulnerabilities published on 6 March 2026

Ghostfolio: Unpatched, attackers can steal sensitive data from cloud services
CVE-2026-28680
Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform ...
9.3
TinyWeb Web Server: Integer Overflow Allows Unauthorized Access
CVE-2026-28497
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer c...
9.3
TinyWeb web server fails to handle malicious HTTP headers
CVE-2026-29046
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them in...
9.2
changedetection.io Web Page Change Detection Tool Allows Malicious File Overwrite
CVE-2026-29065 GHSA-25g8-2mcf-fcx9
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore funct...
8.8
OneUptime 10.0.11 and prior: Hackers can bypass second-factor authentication
CVE-2026-28787 GHSA-gjjc-pcwp-c74m
OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not...
9.0
Chamilo Learning Management System: Malicious Code Injection in Course Descriptions
CVE-2025-59543
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious ...
9.0
Chamilo Learning Management System: Malicious Code Injection Risk
CVE-2025-59542
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious ...
9.0
Chamilo LMS: Malicious Code Can Hijack Admin Accounts
CVE-2025-55289
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Version 1.11.32) that allows an atta...
9.0
Flowise allows unauthorized users to hijack other accounts and features
GHSA-cwc3-p92j-g7qm CVE-2026-30823
The Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a Business Logic Flaw in the PUT /...
8.8
OliveTin: Accepts Wrong Authentication Tokens from Other Services
CVE-2026-30223 GHSA-g962-2j28-3cg9
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using eithe...
8.8
Snipe-IT: Low-Privileged Users Can Take Over Admin Accounts
CVE-2025-15602 GHSA-5448-v74m-7mv7
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assign...
8.7
TimescaleDB allows malicious users to execute arbitrary code during upgrade
CVE-2026-29089
TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, Postgr...
8.8
OOP CMS BLOG 1.0: Unauthenticated Users Can Create Admin Accounts
CVE-2018-25200
OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by c...
6.9
PostgreSQL 15 Security Update Fixes Multiple Vulnerabilities
RHSA-2026:3896
8.8
PostgreSQL 16: Critical Data Exposure Through Authentication Bypass
RHSA-2026:3887
8.8
SiYuan allows non-admin users to run database queries
CVE-2026-29073 GHSA-jqwg-75qf-vmf9
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic au...
5.7
OpenSift: Malicious File Access Through Path Manipulation
CVE-2026-28676
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage...
8.8
Chartbrew versions before 4.8.1: Attacker can run unauthorized code
CVE-2026-25888
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1,...
8.8
Chamilo Learning Management System: Unsecured File Uploads Allow Code Execution
CVE-2026-29041
Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability cau...
8.8
Flowise Allows Tenants to Bypass Security Checks with Spoofed Header
GHSA-wvhq-wp8g-c7vq CVE-2026-30820
Flowise trusts any HTTP client that sets the header `x-request-from: internal`, allowing an authenticated tenant session to bypass all `/...
8.7
Gokapi: Authenticated User Can Steal Data with Malicious SVG Upload
CVE-2026-28683 GHSA-3c22-5j5m-4jq7
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated use...
8.7
Plane Webhook Allows Internal Network Access
GHSA-fpx8-73gf-7x73 CVE-2026-30242
Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks...
8.5
Mercurius GraphQL Adapter Fails to Enforce Depth Limits on WebSocket Queries
GHSA-m4h2-mjfm-mp55 CVE-2026-30241
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscriptio...
2.7
Flare <= 1.7.1: Passwords Not Verified for Protected Files
CVE-2026-30230
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint do...
8.2
Wekan Open Kanban Tool Exposes Webhook Credentials
CVE-2026-30845
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integra...
6.9