
CVE Vulnerabilities - 7 March 2026


696 vulnerabilities published on 7 March 2026

WeKnora's MCP Stdio Allows Unrestricted Command Execution
GHSA-r55h-3rwj-hcmg CVE-2026-30861
Summary: A critical unauthenticated remote code execution (RCE) vulnerability exists in the MCP stdio configuration validation introduced in versi...
10.0
OneUptime Synthetic Monitor Allows Execution of Arbitrary Code
GHSA-4j36-39gm-8vq8
Summary: OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the `oneuptime-probe` se...
9.9
OneUpTime Synthetic Monitors Allow Untrusted Code Execution
GHSA-h343-gg57-2q67
Summary: OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system exe...
9.9
Parse Server: Malicious Tokens Can Bypass Authentication
CVE-2026-30863 GHSA-x6fw-778m-wr9v
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, t...
9.3
Backstage: Configuration Bypass in Versions Before 1.14.3
GHSA-928r-fm4v-mvrw CVE-2026-29186
Backstage is an open framework for building developer portals. Prior to version 1.14.3, a configuration bypass vulnerability enables arbi...
9.8
Ghost Themes Can Execute Malicious Code on Your Server
CVE-2026-29053 GHSA-cgc2-rcrh-qr5x BIT-ghost-2026-29053
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the se...
9.8
XikeStor SKS8310-8X Firmware Allows Remote Session Hijacking
CVE-2026-25072
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin...
8.6
XikeStor SKS8310-8X Network Switch: Remote Code Execution via Malicious Ping Request
CVE-2026-25070
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpo...
9.3
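The XikeStor entry above is an OS command injection in a ping-test endpoint, a classic pattern where a user-supplied target is spliced into a shell command line. The following is an added illustration of that bug class and its fix, not the switch's firmware (which is native code, not Go) and not code from any project on this page: the injectable builder sits beside a hardened version that validates the target against an IP-literal/hostname allowlist and hands it to the process as a single argv element with no shell in between. The handler shape, the `ping -c 1` invocation and the sample inputs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
)

// hostnameRe accepts RFC 1123-style hostnames: labels of letters, digits
// and hyphens with no leading or trailing hyphen, joined by dots. It rejects
// whitespace, ';', '|', '$', backticks and a leading '-' as a side effect.
var hostnameRe = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?` +
		`(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// ErrBadTarget is returned for anything that is not an IP literal or hostname.
var ErrBadTarget = errors.New("ping target is not an IP address or hostname")

// UnsafePingCommand is the injectable pattern (assumed, for contrast only):
// the user-controlled target is concatenated into a shell command line, so a
// target such as "192.0.2.1; id" makes the shell run "id". It builds the
// string and never executes it.
func UnsafePingCommand(target string) string {
	return "ping -c 1 " + target
}

// SafePingArgs validates the target and returns an argv for exec.Command.
// The target becomes one argument that no shell ever interprets, and the
// allowlist rejects metacharacters before the value reaches the process.
func SafePingArgs(target string) ([]string, error) {
	if net.ParseIP(target) == nil && !hostnameRe.MatchString(target) {
		return nil, ErrBadTarget
	}
	return []string{"ping", "-c", "1", target}, nil
}

// RunPing executes the validated argv directly (no "sh -c"). The demo in
// main does not call it, so the example runs offline.
func RunPing(target string) ([]byte, error) {
	argv, err := SafePingArgs(target)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	// Constructed sample inputs: two benign targets, three injection attempts.
	for _, t := range []string{"192.0.2.1", "example.com", "192.0.2.1; cat /etc/passwd", "$(id)", "-f"} {
		argv, err := SafePingArgs(t)
		fmt.Printf("%-30q shell:%q argv:%q err:%v\n", t, UnsafePingCommand(t), argv, err)
	}
}
```

The validation is an allowlist, not a blocklist of shell characters, because the set of characters a given shell treats specially is larger than most people remember; and even with a perfect allowlist, the argv form is what removes the shell from the path entirely.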
Using @octokit/endpoint with mongosh can expose sensitive data
CLEANSTART-2026-QY24299
Multiple security vulnerabilities affect the mongosh package. @octokit/endpoint turns REST API endpoints into generic request options. See references ...
9.8
OpenTelemetry-Go: Unprivileged Process Privilege Escalation
CLEANSTART-2026-GI57625
Security vulnerability affects the fluent-operator-fips package. OpenTelemetry-Go is the Go implementation of OpenTelemetry....
9.8
OpenTelemetry-Go: Multiple Security Risks in FIPS Module
CLEANSTART-2026-PP62083
Multiple security vulnerabilities affect the fluent-operator-fips package. OpenTelemetry-Go is the Go implementation of OpenTelemetry. See references ...
9.8
Zitadel Login Interface Allows Attackers to Hijack User Accounts
GHSA-pr34-2v5x-6qjq CVE-2026-29191
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered t...
9.3
ZITADEL: Password reset links can be manipulated by attackers
CVE-2026-29067 GHSA-pfrf-9r5f-73f5
ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset...
9.3
SiYuan Allows Unauthorized Access to Sensitive Files
GHSA-2h2p-mvfx-868w
Summary: A path traversal vulnerability in the `/export` endpoint allows an attacker to read arbitrary files from the server filesystem. By exploit...
9.3
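The SiYuan entry above is a path traversal in an export endpoint that ends in arbitrary file read. As an added example of the containment check such a handler needs (illustrative code, not SiYuan's; the export root directory and the sample paths are assumptions), the function below resolves a client-supplied relative path against the export root and refuses anything that lexically escapes it, including `..` climbs that pass through a legitimate subdirectory first.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a client-supplied path would resolve to a
// location outside the export root.
var ErrOutsideRoot = errors.New("requested path escapes the export root")

// ResolveExportPath maps a client-supplied relative path onto root and
// refuses any result that leaves root. Assumed handler shape; not project code.
func ResolveExportPath(root, requested string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Clients may only name something relative to root. Absolute inputs
	// (POSIX, Windows drive and UNC forms) are rejected before any joining.
	if filepath.IsAbs(requested) || strings.HasPrefix(requested, "/") || strings.HasPrefix(requested, `\`) {
		return "", ErrOutsideRoot
	}
	// Join runs Clean, so "../" and "./" segments are collapsed lexically.
	full := filepath.Join(absRoot, requested)
	// Rel is the containment check: a result starting with ".." means the
	// cleaned path climbed above root. A plain strings.HasPrefix(full, absRoot)
	// is not enough, because "/srv/export2" also has "/srv/export" as a prefix.
	rel, err := filepath.Rel(absRoot, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	root := "/srv/siyuan/export" // assumed export directory
	// Constructed sample inputs: two benign paths, four traversal attempts.
	for _, p := range []string{"notes/a.md", "notes/../b.md", "../../../etc/passwd", "/etc/passwd", "..", "a/../../c"} {
		full, err := ResolveExportPath(root, p)
		fmt.Printf("%-22q -> %q %v\n", p, full, err)
	}
}
```

Two caveats a reviewer would raise: the check is lexical, so the HTTP layer must have already percent-decoded the path (`..%2F` must reach this function as `../`), and a symlink inside the root can still point outside it, so the file should be opened with symlink resolution constrained (for example `filepath.EvalSymlinks` on the result and a second containment check, or `openat2` with `RESOLVE_BENEATH` on Linux).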
Soft Serve Git Server: Unauthenticated Access to Internal Services
GHSA-3fvx-xrxq-8jvv CVE-2026-30832
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the se...
9.1
DSA Study Hub: Unprotected Login Tokens Exposed in Cookies
CVE-2026-28678
DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was foun...
9.1
Tenda FH451 Router: Remotely Exploitable Flaw in formQuickIndex (/goform/QuickIndex)
CVE-2026-3679
A vulnerability was identified in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex. S...
7.4
Tenda FH451's WAN Configuration Page Allows Remote Code Execution
CVE-2026-3678
A vulnerability was determined in Tenda FH451 1.0.0.9. Affected is the function sub_3C434 of the file /goform/AdvSetWan. The manipulation of the argu...
7.4
Tenda FH451 Router: Remote Code Execution via Buffer Overflow
CVE-2026-3677
A vulnerability was found in Tenda FH451 1.0.0.9. This impacts the function fromSetCfm of the file /goform/setcfm. The manipulation of the argument fu...
7.4
Wallos: Malicious Actions Can Be Performed Via Notification Testers
CVE-2026-30840
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in...
8.8
WordPress Paid Videochat Plugin Allows Attackers to Create Administrator Accounts
CVE-2025-8899
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and includi...
8.8
GitHub Action using Black may execute malicious code
GHSA-v53h-f6m7-xcgm CVE-2026-31900
Impact: Black provides a [GitHub action](https://black.readthedocs.io/en/stable/integrations/github_actions.html) for formatting code. This action...
8.7
Red Hat Ansible Automation Platform 2.5: Security and Bug Fix Update
RHSA-2026:3959
8.5
Red Hat Ansible Automation Platform 2.6: Security Update for Sensitive Data Exposure
RHSA-2026:3958
8.5