CVE Vulnerabilities - 9 March 2026
257 vulnerabilities published on 9 March 2026
vLLM Large Language Model Engine Can Access Unauthorized URLs
GHSA-v359-jj2v-j536
CVE-2026-25960
vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in ...
7.1
OpenClaw Dashboard Leaks Gateway Credentials
GHSA-rchv-x836-w7xp
OpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces.
Before the fix, the macOS app appended the sh...
7.1
Red Hat Linux Kernel Patch Update Exposes Systems to Privilege Escalation
RHSA-2026:3987
7.0
Libpng on Red Hat Systems: Potential Data Exposure
RHSA-2026:3969
7.0
Linux System: libpng15 Library Security Update Available
RHSA-2026:3968
7.0
LessPass 9.6.9 Stores Passwords in Plain Text
CVE-2025-70050
An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain...
6.5
OWASP DefectDojo may crash due to malicious zip file input
CVE-2026-3816
A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function input_zip.read of the file parser...
5.3
Apache Download Script Allows Unauthorized File Access
CVE-2025-41763
A low-privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource available to administrators, including...
6.5
A malicious attacker can access sensitive files on your system using wwwubr.cgi
CVE-2025-41755
A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parame...
6.5
Apache HTTP Server: Arbitrary File Access via Unsecured API Endpoint
CVE-2025-41754
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to read arbitrary files on...
6.5
OpenClaw's system.run environment override bypass possible with malicious helper-command
GHSA-j425-whc4-4jgc
### Summary
`system.run` env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could inv...
6.3
GNU Binutils readelf can crash if given a malformed file
CVE-2025-69648
GNU Binutils through 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data...
6.2
GNU Binutils readelf Can Crash on Malformed DWARF loclists Data
CVE-2025-69647
GNU Binutils through 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A log...
6.2
Unsecured Backup on Apache Server Allows Unauthorized Access
CVE-2025-41762
An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive dat...
6.2
Sunbird-Ed Portal Redirects to Untrusted Sites
CVE-2025-70032
An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4....
6.1
Linagora Twake Allows Attackers to Steal Sensitive Information
CVE-2025-70037
An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in linagora Twake v2023.Q1.1223. This allows attackers to obtain sens...
6.1
Eventobot: Malicious URLs Can Steal User Data or Take Control
CVE-2025-40638
A reflected Cross-Site Scripting (XSS) vulnerability has been found in Eventobot. This vulnerability allows an attacker to execute JavaScript code i...
5.1
itsourcecode Payroll Management System: Remote Code Injection Risk
CVE-2026-3812
A vulnerability was determined in itsourcecode Payroll Management System 1.0. Affected is an unknown function of the file /manage_employee_allowances....
5.3
OpenClaw: Authorized Senders Can Initialize Host ACP Sessions
GHSA-9q36-67vc-rrwg
### Summary
Sandboxed requester sessions could reach host-side ACP session initialization through `/acp spawn`.
OpenClaw already blocked `sessions_sp...
5.9
Devolutions Server users and roles can be restored by anyone
CVE-2026-3638
Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated use...
5.9
OpenClaw: Unintended Access to Default Account
GHSA-pjvx-rx66-r3fg
### Summary
`/allowlist ... --store` resolved the selected channel `accountId` for reads, but store writes still dropped that `accountId` and wrote in...
5.4