CVE Vulnerabilities - 6 March 2026

3241 vulnerabilities published on 6 March 2026

Chamilo learning management system project deletion without consent
CVE-2025-59541
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete proj...
8.1
Bee Swarm Simulator Macro Allows Unauthorized Access to Computers
CVE-2026-28800
Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, anyone with Discord Remote Control set up in a ...
8.0
Parse Server: Leaks Database Error Details in API Response
CVE-2026-30835 GHSA-9cp7-3q5w-j92g
Impact: A malformed $regex query parameter (e.g. `[abc)` causes the database to return a structured error object that is passed unsanitized throug...
7.8
Natro Macro Executes Malicious Code from Shared Files
CVE-2026-28801
Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, any ahk code contained inside of a pattern or p...
7.8
Acronis Cyber Protect for macOS: Local Privilege Escalation Risk
CVE-2026-28727
Local privilege escalation due to insecure Unix socket permissions. The following products are affected: Acronis Cyber Protect 17 (macOS) before build...
7.8
Unauthenticated access to NVIDIA NIM endpoints
GHSA-5f53-522j-j454 CVE-2026-30824
Missing Authentication on NVIDIA NIM Endpoints. Summary: The NVIDIA NIM router (`/api/v1/nvidia-nim/*`) is whitelisted in the global authenticati...
7.7
Flowise Allows Unauthenticated Users to Modify Lead Data
GHSA-mq4r-h2gh-qv7x CVE-2026-30822
Summary: A Mass Assignment vulnerability in the `/api/v1/leads` endpoint allows any unauthenticated user to control internal entity fields (`id`,...
7.7
WeKnora Allows Access to Other Tenant Data
GHSA-2f4c-vrjq-rcgv CVE-2026-30859
Summary: A broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other ...
7.5
WeKnora web_fetch Tool Allows Unauthenticated Access to Internal Resources
GHSA-h6gw-8f77-mmmp CVE-2026-30858
Summary: A DNS rebinding vulnerability in the `web_fetch` tool allows an unauthenticated attacker to bypass URL validation and access internal res...
7.5
Plane (Prior to 1.2.2) Exposes Workspace Members to Unauthenticated Attackers
GHSA-87x4-j8vh-p5qf CVE-2026-30244
Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sens...
7.5
Unescaped URLs in Meta Tags Can Allow Cross-Site Scripting
CVE-2026-27142 BIT-golang-2026-27142
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attr...
7.5
Mozilla Firefox: Certificate email address constraints not properly enforced
CVE-2026-27137 BIT-golang-2026-27137
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but di...
7.5
WordPress URL Validation Issue: Malicious URLs Accepted
CVE-2026-25679 BIT-golang-2026-25679
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs....
7.5
TSPortal: Empty Report Fields Can Be Misrepresented
CVE-2026-29788
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency...
8.4
Wekan exposes sensitive webhook credentials in older versions
CVE-2026-30846
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook inte...
8.7
QuickJS Interpreter Crashes with Out-of-Memory Error
CVE-2025-69654
A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11), `qjs` i...
7.5
GNU Binutils readelf: Denial of Service with Malformed ELF Binary
CVE-2025-69650
GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT re...
7.5
GNU Binutils readelf crashes when processing malformed ELF files
CVE-2025-69649
GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. Du...
7.5
Ibexa & Ciril GROUP eZ Platform/Ciril Platform 2.x: Unauthenticated Data Exposure
CVE-2025-70363
Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive ...
7.5
GitHub Copilot CLI Allows Execution of Hidden Commands
CVE-2026-29783 GHSA-g8r9-g2v8-jv6f
Summary: A security vulnerability has been identified in GitHub Copilot CLI's shell tool that could allow arbitrary code execution through crafted ...
7.5
CoreDNS DNS Server Can Be Crashed by Malicious DNS Queries
CVE-2026-26018 GHSA-h75p-j8xm-m278
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that...
7.5
Unlimited Auth Requests Allow Denial-of-Service or Unauthorized Access on WebSocket App
CVE-2026-24696
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow a...
8.7
WebSocket API Allows Uncontrolled Login Attempts, Threatening Service Availability
CVE-2026-20882
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow a...
8.7
Navtor NavBox exposes sensitive data to unauthorized access
CVE-2026-2754
Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote atta...
7.5
Navtor NavBox exposes sensitive files to unauthorized access
CVE-2026-2753
An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplie...
7.5