CVE Vulnerabilities - 6 March 2026

3213 vulnerabilities published on 6 March 2026

Acronis Cyber Protect: Sensitive Data Leaked by Insufficient Access Controls
CVE-2026-28715
Sensitive information disclosure due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) ...
6.5
Electric Vehicle Charging Station Authentication Compromised via Online Maps
CVE-2026-27770
Charging station authentication identifiers are publicly accessible via web-based mapping platforms....
6.9
Gokapi file sharing server leaks sensitive file information
CVE-2026-28682 GHSA-c36c-7pc2-f2ph
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementa...
6.4
CKEditor 5: Malicious code injection through crafted HTML
UBUNTU-CVE-2026-28343
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has b...
6.4
CoreDNS: Bypassing DNS Access Controls with Older Versions
CVE-2026-26017 GHSA-c9v3-4pv7-87pr
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due...
6.3
LangBot Web UI allows malicious code to be injected
CVE-2026-28509
LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI renders user-supplied raw HTML using rehypeRaw, which ...
6.3
DefaultFuction CRM System 1.0.0: SQL Injection Risk via Customer Edit
CVE-2026-3616
A vulnerability was detected in DefaultFuction Jeson Customer Relationship Management System 1.0.0. Impacted is an unknown function of the file /modul...
5.3
Acronis Cyber Protect 17 for Windows: Unprivileged Access to Admin Tools
CVE-2026-28712
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41...
6.3
Acronis Cyber Protect 17 (Windows) allows unauthorized access to sensitive data
CVE-2026-28711
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41...
6.3
GNU Binutils readelf crashes with malformed ELF file
CVE-2025-69652
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abb...
6.2
GNU Binutils: Denial of Service when processing malformed ELF files
DEBIAN-CVE-2025-69652
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abb...
6.2
eToolz 3.4.8.0 Crashes When Given Too Much Data
CVE-2018-25198
eToolz 3.4.8.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying oversized input buffers. A...
6.9
Surreal ToDo 0.6.1.2 allows unauthorized access to sensitive system files
CVE-2018-25184
Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the c...
6.9
WP All Import plugin for WordPress allows hackers to inject malicious scripts
CVE-2026-2830
The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via th...
6.1
SiYuan 3.5.8 and earlier: Unauthenticated Attack via Malicious Icon Link
CVE-2026-29183 GHSA-6865-qjcf-286f
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon AP...
6.1
HumHub 1.18.0: Malicious scripts can run on users' browsers
CVE-2026-29048
HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of ...
6.9
changedetection.io: Malicious code execution via tag UUID
CVE-2026-29038 GHSA-8whx-v8qq-pq64
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vuln...
6.1
Lxml_html_clean: CSS Loading or XSS in Older Browsers
UBUNTU-CVE-2026-28348
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() met...
6.1
lxml_html_clean: Unpatched <base> tag lets attackers hijack links
UBUNTU-CVE-2026-28350
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through th...
6.1
Flare file sharing platform allows unauthorized access to private files
CVE-2026-30231
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file r...
6.0
WeKnora Allows Unauthorized Knowledge Base Duplication
GHSA-8rf9-c59g-f82f CVE-2026-30857
### Summary A cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’...
5.9
Apache HTTP Server crashes when verifying certain certificates
CVE-2026-27138 BIT-golang-2026-27138
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constr...
5.9
Preferred Languages Website Allows Hackers to Run Malicious Code
CVE-2024-35644
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allow...
5.9
Caddy Exposes Environment Variables and Files via User Input
GHSA-m2w3-8f23-hxxf CVE-2026-30852
### Summary The `vars_regexp` matcher in `vars.go:337` double-expands user-controlled input through the Caddy replacer. When `vars_regexp` matches ag...
5.5
GNU Binutils readelf crashes when processing malformed ELF files
CVE-2025-69651
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relo...
5.5