CVE Vulnerabilities - 7 March 2026
696 vulnerabilities published on 7 March 2026
Wavlink Router Vulnerability: Remote Code Execution via Pr_mode
CVE-2026-3662
A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function usb_p910 of the file /cgi-bin/adm.cgi. Such manip...
5.1
Wavlink WL-NU516U1 240425 Allows Unwanted Remote Code Execution
CVE-2026-3661
A flaw has been found in Wavlink WL-NU516U1 240425. This affects the function ota_new_upgrade of the file /cgi-bin/adm.cgi. This manipulation of the a...
5.1
Meta Box Plugin for WordPress: Attackers Can Delete Server Files
CVE-2025-14675
GHSA-m4q3-832v-44j6
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function...
7.2
WP App Bar plugin for WordPress: Unauthenticated admin settings page injection
CVE-2026-1074
The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and inclu...
7.2
Easy PHP Settings Plugin for WordPress Allows Harmful Code Execution
CVE-2026-3352
The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_c...
7.2
Xlnt XLSX Parser Allows Data Theft with Local Access
CVE-2026-3663
A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of th...
4.8
Netmaker allows admin users to elevate their own permissions
CVE-2026-29195
GHSA-ch3w-9456-38v3
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an adm...
6.9
Sliver C2 Server Crashes if Sent Malformed Messages
GHSA-hx52-cv84-jr5v
CVE-2026-29781
Sliver is a command and control framework that uses a custom WireGuard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Slive...
5.3
pyLoad Download Manager: Unvalidated Input Allows Path Traversal
GHSA-6px9-j4qr-xfjw
CVE-2026-29778
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implemen...
6.5
Netmaker Server Can Be Shut Down Repeatedly by Any User
GHSA-rhr9-hgcm-x289
CVE-2026-29771
Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process vi...
8.7
Authenticated users can delete other users' API access tokens in Hoppscotch
CVE-2026-30825
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticat...
6.5
PowerSync: Unauthorized Data Sync on Version 1.20.0
GHSA-q6wc-xx4m-92fj
Impact: In version 1.20.0, when using new sync streams with `config.edition: 3`, certain subquery filters were ignored when determining which ...
6.5
YouTube Video Plugin for WordPress allows attackers to inject malicious scripts
CVE-2026-1825
The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and i...
6.4
Infomaniak Connect for OpenID plugin allows attackers to inject malicious scripts
CVE-2026-1824
The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'endpoint_login' parameter of the infomani...
6.4
WordPress Consensus Embed Plugin Allows Malicious Code Injection
CVE-2026-1823
The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's consensus shortcode in all versions up to, and ...
6.4
WordPress Media Library Alt Text Editor plugin allows malicious scripts to run
CVE-2026-1820
The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bvmalt_sc_div_update_alt_text' s...
6.4
DA Media GigList plugin for WordPress allows attackers to inject malicious code
CVE-2026-1805
The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damedia_giglist shortcode in all versions up t...
6.4
MyQtip WordPress Plugin Allows Attackers to Inject Malicious Code
CVE-2026-1574
The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `myqtip` shortcode in all versions up to, a...
6.4
Wueen Plugin for WordPress Allows Attackers to Inject Malicious Code
CVE-2026-1569
The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wueen-blocket` shortcode in all versions up to, and incl...
6.4
Hammas Calendar Plugin Allows Attackers to Inject Malicious Code
CVE-2026-1902
The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' sh...
6.4
FFmate Server-Side Request Forgery Risk if Malicious Webhooks Sent
CVE-2026-3681
A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook...
5.3
RyuzakiShinji biome-mcp-server allows remote attackers to inject malicious commands
CVE-2026-3680
A security flaw has been discovered in RyuzakiShinji biome-mcp-server up to 1.0.0. Affected by this issue is some unknown functionality of the file bi...
5.3
JeecgBoot SQL Injection in getDictItems Function
CVE-2026-3672
A vulnerability has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems...
5.3
Node.js Tar Library Can Create Malicious Hardlinks
GHSA-qffp-2rhf-9h96
CVE-2026-29786
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction d...
8.2
Commonmark PHP Parser Fails to Block Malicious HTML
GHSA-4v6x-c7xx-hw9f
CVE-2026-30838
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or ot...
5.1