CVE Vulnerabilities - 6 March 2026
3241 vulnerabilities published on 6 March 2026
Flowise allows attackers to upload malicious files
GHSA-j8g8-j7fc-43v6
CVE-2026-30821
The `/api/v1/attachments/:chatflowId/:chatId` endpoint is listed in `WHITELIST_...
8.2
Zarf Package Manager Allows Malicious File Access
CVE-2026-29064
GHSA-hcm4-6hpj-vghm
Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extr...
8.2
PlayJoom 0.10.1: Unauthenticated SQL Injection Allows Data Exposure
CVE-2018-25197
PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious ...
8.8
ServerZilla 1.0: Unauthenticated database access via email manipulation
CVE-2018-25196
ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code thr...
8.8
Nominas 0.27 allows attackers to steal database information
CVE-2018-25194
Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious cod...
8.8
GPS Tracking System 2.12: Unauthenticated Access via Username Input
CVE-2018-25192
GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code ...
8.8
Data Center Audit 2.6.2: Unauthorized Access to Sensitive Database Info
CVE-2018-25189
Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_login.php that allows unauthenticated attackers to ex...
8.8
Webiness Inventory 2.3: Unauthenticated SQL Injection Attack
CVE-2018-25188
Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting mal...
8.8
Tina4 Stack 1.0.3: Unauthenticated Access to Sensitive Database Files and SQL Injection
CVE-2018-25187
Tina4 Stack 1.0.3 contains multiple vulnerabilities allowing unauthenticated attackers to access sensitive database files and execute SQL injection at...
8.8
Silurus Classifieds Script 2.0: Malicious Code Execution via Malicious ID Parameter
CVE-2018-25182
Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injec...
8.8
Gumbo CMS allows attackers to steal database secrets
CVE-2018-25179
Gumbo CMS 0.99 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious c...
8.8
Alive Parish 2.0.4 allows hackers to access sensitive data and execute malicious code
CVE-2018-25176
Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicio...
8.8
Alienor Web Libre 2.0 allows hackers to steal sensitive database info
CVE-2018-25175
Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting mali...
8.8
Rmedia SMS 1.0 allows attackers to extract sensitive database information
CVE-2018-25173
Rmedia SMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code thr...
8.8
Pedidos 1.0 allows attackers to access sensitive database info
CVE-2018-25172
Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code...
8.8
EdTv 2: Unauthenticated Access to Database Information via GET Request
CVE-2018-25171
EdTv 2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code thro...
8.8
DoceboLMS 1.2 allows unauthorized data access through malicious requests
CVE-2018-25170
DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code throu...
8.8
Net-Billetterie 2.9: Unauthenticated Users Can Access Sensitive Data
CVE-2018-25167
Net-Billetterie 2.9 contains an SQL injection vulnerability in the login parameter of login.inc.php that allows unauthenticated attackers to execute a...
8.8
Meneame English Pligg 5.8 allows attackers to access sensitive database info
CVE-2018-25166
Meneame English Pligg 5.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting ...
8.8
BitZoom 1.0 allows attackers to access sensitive database information
CVE-2018-25163
BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code...
8.8
Warranty Tracking System 11.06.3 allows unauthorized database access
CVE-2018-25161
Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious...
8.8
OpenSift AI Tool Allows Access to Unauthorized Remote Data
CVE-2026-28677
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest p...
8.2
Caddy Forward Auth Allows Identity Injection and Privilege Escalation
GHSA-7r4p-vjf4-gxv4
CVE-2026-30851
Caddy's `forward_auth` directive with `copy_headers` generates conditional header-set operations that only fire when the upstream auth ser...
8.1
Wekan versions 8.32 and 8.33 allow attackers to access internal data
CVE-2026-30844
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL ...
9.3
Locutus JavaScript Library Allows Remote Code Execution
GHSA-fp25-p6mj-qqg6
CVE-2026-29091
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) fl...
8.1