CVE Vulnerabilities - 7 March 2026
680 vulnerabilities published on 7 March 2026
WordPress RSS Aggregator Plugin Allows Attackers to Steal Admin Session
CVE-2026-2433
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via p...
6.1
Wallos Password Reset Page Exposes User Data to Malicious Attacks
CVE-2026-30841
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["ema...
6.9
Defuddle: Unsanitized HTML can inject malicious code
GHSA-5mq8-78gm-pjmq
CVE-2026-30830
Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attribute...
2.1
CM Custom Reports Plugin for WordPress Can Execute Malicious Code
CVE-2026-2431
The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all version...
6.1
Parse Server: File metadata exposed to unauthorized users
CVE-2026-30850
GHSA-hwx8-q9cg-mqmc
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the...
6.3
cpp-httplib: Malicious HTTP Request Can Crash Server
CVE-2026-29076
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to ...
5.9
Firefly III User API Endpoints Expose All Users' Information
GHSA-5q8v-j673-m5v4
The User management API endpoints (`GET /api/v1/users` and `GET /api/v1/users/{id}`) are accessible to any authenticated user without adm...
5.7
Microsoft Excel File Parsing Flaw Allows Local Code Execution
CVE-2026-3665
A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_docum...
4.8
eml_parser: Malicious email attachments can write files outside target directory
GHSA-389r-rccm-h3h5
CVE-2026-29780
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prio...
5.5
xlnt-community xlnt: Data Exposure in Local File Reading
CVE-2026-3664
A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the fil...
4.8
XikeStor SKS8310-8X Switches: Authenticated XSS via Malicious System Name
CVE-2026-25073
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a stored cross-site scripting vulnerability that allows authenticated ...
5.1
Freedom Factory dGEN1: Unauthorized Access Risk from Local Execution
CVE-2026-3675
A vulnerability was determined in Freedom Factory dGEN1 up to 20260221. Affected by this issue is the function FakeAppReceiver of the component org.et...
4.8
dGEN1 FakeAppProvider Security Risk: Unauthorized Access from Local Network
CVE-2026-3674
A vulnerability was found in Freedom Factory dGEN1 up to 20260221. Affected by this vulnerability is the function FakeAppProvider of the component org...
4.8
Freedom Factory dGEN1 Allows Unauthorized Access
CVE-2026-3670
A vulnerability was detected in Freedom Factory dGEN1 up to 20260221. Affected is an unknown function of the component com.dgen.alarm. Performing a ma...
4.8
Freedom Factory dGEN1 Allows Unauthorized Access to Alarm Service
CVE-2026-3669
A security vulnerability has been detected in Freedom Factory dGEN1 up to 20260221. This impacts the function AlarmService of the component com.dgen.a...
4.8
Parse Server GraphQL Introspection Bypass
CVE-2026-30854
GHSA-q5q9-2rhp-33qw
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9...
6.9
Freedom Factory dGEN1: Unauthorized Access to Internal Data
CVE-2026-3667
A security flaw has been discovered in Freedom Factory dGEN1 up to 20260221. The impacted element is the function FakeAppService of the component org....
4.8
mcp-memory-service exposes sensitive system information to the network
GHSA-73hc-m4hx-79pj
CVE-2026-29787
mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.21.0, the /api/health/detailed endpoint returns detai...
5.3
Karapace backup reader can read unauthorized system files
CVE-2026-29190
Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the ba...
5.3
Unauthenticated Access to Internal Server Status Pages in Checkmate
CVE-2026-30829
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with b...
5.3
Homarr Dashboard: Unauthenticated Remote Server Access
CVE-2026-27797
Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows a remote attac...
5.3
MDJM Event Management plugin for WordPress allows unauthorized data deletion
CVE-2026-1650
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields...
5.3
Greenshift plugin for WordPress: Insecure Direct Object Reference
CVE-2026-2371
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and i...
5.3
WordPress Community Events plugin: SQL Injection via CSV Upload
CVE-2026-2429
The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in...
4.9
Stock Ticker plugin for WordPress allows attackers to inject malicious scripts
CVE-2026-2722
The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.26.1 due...
4.8