
CVE Vulnerabilities - 7 March 2026


696 vulnerabilities published on 7 March 2026

Zitadel Identity Management Platform: Login Bypass in Version 4.0.0 to 4.12.0
IDs: GHSA-25rw-g6ff-fmg8, CVE-2026-29193
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass...
Severity: 8.2

FUXA has a hardcoded secret that can be used to fake authentication
IDs: GHSA-c8m8-3jcr-6rj5
FUXA used a static fallback JWT signing secret (`frangoteam751`) when no `secretCode` was configured. If authentication was enabled without explicitl...
Severity: 8.1

FUXA uses default JWT secret that can be guessed
IDs: GHSA-c8m8-3jcr-6rj5
FUXA used a static fallback JWT signing secret (`frangoteam751`) when no `secretCode` was configured. If authentication was enabled without explicitl...
Severity: 8.1

Memory Service Exposes Data to Any Website
IDs: GHSA-g9rg-8vq5-mpwm
Summary: When the HTTP server is enabled (`MCP_HTTP_ENABLED=true`), the application configures FastAPI's CORSMiddleware with `allow_origins=['*']`,...
Severity: 8.1

mcp-memory-service Allows Any Website to Access API Responses
IDs: GHSA-g9rg-8vq5-mpwm
Summary: When the HTTP server is enabled (`MCP_HTTP_ENABLED=true`), the application configures FastAPI's CORSMiddleware with `allow_origins=['*']`,...
Severity: 8.1

Soroban: Muxed address conversions may fail after error
IDs: GHSA-pm4j-7r4q-ccg8
Summary: Soroban host ensures that `MuxedAddress` objects can't be used as storage keys in order to proactively prevent the contract logic bugs. H...
Severity: 7.8

Shescape May Identify Wrong Shell Via Malicious Link Chain
IDs: GHSA-6f6w-6j58-rq76
Impact: This impacts users of Shescape that configure their `shell` to point to a file on disk that is a link to a link. The precise result of bei...
Severity: 7.8

AVideo: Unauthenticated Access to User Playlists
IDs: GHSA-6w2r-cfpc-23r5
Product: AVideo (https://github.com/WWBN/AVideo). Version: Latest (tested March 2026). Type: Insecure Direct Object Reference (IDOR). Auth ...
Severity: 7.8

Firefly III User API Exposes All User Information to Authenticated Users
IDs: GHSA-5q8v-j673-m5v4
Summary: The User management API endpoints (`GET /api/v1/users` and `GET /api/v1/users/{id}`) are accessible to any authenticated user without adm...
Severity: 7.8

Zitadel login interface allows account takeover via default redirect
IDs: GHSA-6rx5-m2rc-hmf7, CVE-2026-29192
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered t...
Severity: 7.7

Node.js Tar Creates Hardlinks Outside Extraction Directory
IDs: DEBIAN-CVE-2026-29786
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction d...
Severity: 7.6

PinchTab: Unapproved Browser Access to Internal Systems
IDs: GHSA-rw8p-c6hf-q3pg, CVE-2026-30834
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery ...
Severity: 7.5

Sensitive data exposed in UptimeFlare configuration file
IDs: CVE-2026-29779
UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptim...
Severity: 7.5

Apache ZooKeeper exposes sensitive config data in logs
IDs: CVE-2026-24308, GHSA-crhr-qqj8-rpxc, BIT-zookeeper-2026-24308
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive info...
Severity: 8.3

Debian Package Manager Fails to Properly Uncompress Files
IDs: CVE-2026-2219
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when...
Severity: 7.5

dpkg on Linux systems can be crashed by a malicious .deb file
IDs: DEBIAN-CVE-2026-2219
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when...
Severity: 7.5

Wallos: Malicious files can be accessed through URL parameter
IDs: CVE-2026-30828
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system ...
Severity: 8.7

Express Rate Limiter Can Block All IPv4 Traffic
IDs: GHSA-46wh-pxpv-q5gq, CVE-2026-30827
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3...
Severity: 7.5

Homarr: Publicly Accessible Integration List Exposes Sensitive Data
IDs: CVE-2026-27796
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing una...
Severity: 7.5

WeKnora: Unpatched Redirects Allow Access to Internal Services
IDs: GHSA-595m-wc8g-6qgc, CVE-2026-30247
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Impor...
Severity: 7.5

JS Archive List for WordPress: Untrusted Input Can Cause Harm
IDs: CVE-2026-2020
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcod...
Severity: 7.5

WordPress ZIP Code Plugin Lets Attackers Access Sensitive Information
IDs: CVE-2025-14353
The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the 'zipcode...
Severity: 7.5

XikeStor SKS8310-8X Switch Firmware Missing Authentication
IDs: CVE-2026-25071
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a missing authentication vulnerability in the /switch_config.src endpo...
Severity: 8.7

Apache ZooKeeper: Spoofing ZooKeeper servers or clients with fake certificate
IDs: CVE-2026-24281, BIT-zookeeper-2026-24281, GHSA-7xrh-hqfc-g7qr
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control ...
Severity: 7.4

League Commonmark Markdown Parser: XSS Through HTML Tag Bypass
IDs: DEBIAN-CVE-2026-30838
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or ot...
Severity: 7.3