CVE Vulnerabilities - 10 March 2026
661 vulnerabilities published on 10 March 2026
Craft Commerce: Malicious scripts can run when viewing order details
GHSA-mj32-r678-7mvp
CVE-2026-29177
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craf...
1.9
Craft Commerce Ecommerce Platform: Malicious Code Injection Risk
GHSA-cfpv-rmpf-f624
CVE-2026-29175
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Ti...
8.6
IBM Aspera Faspex 5 allows attackers to inject malicious headers
CVE-2025-36227
IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This c...
5.4
IBM Aspera Faspex 5: Malicious Code Can Be Injected in Web Interface
CVE-2025-36226
IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary J...
5.4
Copyparty's nohtml Flag Fails to Stop Malicious SVG Files
GHSA-m6hv-x64c-27mm
CVE-2026-30974
Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML f...
5.4
Admidio User Management Software Allows Unwanted User Registration
GHSA-7pfv-hr63-h7cw
CVE-2026-30927
Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any us...
5.3
FacileManager Stored XSS in fmDNS Module, Prior to 6.0.4
CVE-2026-30919
facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4, stored XSS (also known as persistent or second-order XS...
5.4
Webauthn Framework: Insecure Origin Validation for Allowed Origins
GHSA-f7pm-6hr8-7ggm
CVE-2026-30964
Summary: When `allowed_origins` is configured, `CheckAllowedOrigins` reduces URL-like values to their `host` component and accepts on host match al...
5.4
Malformed WMV/WMA Files Can Freeze File-Type Detector
CVE-2026-31808
GHSA-5v7r-6r5c-r473
Impact: A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-hea...
5.3
LinkAce: Authenticated Users Can Access Private Tags and Lists
CVE-2026-30954
LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticat...
5.3
Envoy Proxy Can Crash or Read Data Incorrectly Due to String Corruption
GHSA-56cj-wgg3-x943
CVE-2026-26309
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escape...
5.3
PluXml 5.8.22 and earlier: Automated Spam Comments
CVE-2025-70129
If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be au...
5.3
Windows Shell Link files can leak sensitive information
CVE-2026-25185
Exposure of sensitive information to an unauthorized actor in Windows Shell Link Processing allows an unauthorized attacker to perform spoofing over a...
5.3
Apache PDFBox Extracts Files to Wrong Location
CVE-2026-23907
GHSA-jjwr-xmw6-gf78
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFile...
5.3
Fortinet FortiSwitchAX Fixed: Unauthenticated admin can run commands via SSH config
CVE-2026-22628
An improper access control vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 through 1.0.1 may allow an authenticated admin to execute system command...
5.3
FortiWeb: Unauthenticated Attackers Can Access Your Network
CVE-2025-48840
An authentication bypass by spoofing vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.8, FortiWeb 7.2 all versions, ...
5.3
Atlassian Confluence Server: Passwords at Risk from Insufficient Firmware Verification
CVE-2025-41711
An unauthenticated remote attacker can use firmware images to extract password hashes and brute force plaintext passwords of accounts with limited acc...
5.3
AVideo Platform Exposes User Playlists Without Login
GHSA-6w2r-cfpc-23r5
CVE-2026-30885
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user witho...
5.5
Booktics plugin for WordPress allows unauthorized data changes
CVE-2026-1920
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to...
5.3
Booktics plugin for WordPress exposes sensitive data to unauthorized users
CVE-2026-1919
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a mis...
5.3
Parse Server allows unauthorized data to be sent with certain requests
GHSA-q342-9w2p-57fp
CVE-2026-30938
BIT-parse-2026-30938
Impact: The `requestKeywordDenylist` security control can be bypassed by placing any nested object or array before a prohibited keyword in the req...
7.8
Giflib: Double-free error in image processing can cause system crashes
CVE-2026-23868
Giflib contains a double-free vulnerability that is the result of a shallow copy in GifMakeSavedImage and incorrect error handling. The conditions nee...
5.1
Safari Browser Cross-Site Scripting Risk: Malicious Code Execution
CVE-2025-13902
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where auth...
5.1
OneUptime: Any authenticated user can resend WhatsApp verification codes
GHSA-cw6x-mw64-q6pv
CVE-2026-30959
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a ...
5.3
SAP NetWeaver ABAP Server: Unauthorized access to log files
CVE-2026-27688
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database ...
5.0