
CVE Vulnerabilities - 10 March 2026


661 vulnerabilities published on 10 March 2026

SAP GUI for Windows loads malicious DLLs from any directory, allowing remote code execution
CVE-2026-24317
SAP GUI for Windows allows DLL files to be loaded from arbitrary directories within the application. An unauthenticated attacker could exploit this vu...
5.0
SAP Solution Tools Plug-In leaks sensitive system information
CVE-2026-24313
SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowi...
5.0
Craft Commerce Inventory Locations Page Allows Malicious Code Execution
GHSA-wj89-2385-gpx3 CVE-2026-29176
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, a stored XSS vulnerability exists in the Commerce Settings - Inventory Location...
4.8
Craft Commerce: Stored XSS in Order Status Updates
GHSA-mqxf-2998-c6cp CVE-2026-29173
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Or...
1.9
Windows Kerberos allows unauthorized access over the network
CVE-2026-24297
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kerberos allows an unauthorized attacker to byp...
4.8
FortiSandbox: Attackers can run malicious code on your system
CVE-2025-53608
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox ...
4.8
ImageMagick: Unintended data accessed when handling certain image files
CVE-2026-28692 GHSA-mrmj-x24c-wwcv
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MAT decoder u...
4.8
Microsoft Office Excel Cross-Site Scripting Flaw Allows Information Disclosure
CVE-2026-26144
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disc...
4.7
Specially crafted data can be injected into web pages
CVE-2026-3862
Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web pag...
4.6
Flarum Forum Software: Malicious Email Links in Nicknames
GHSA-3c4m-j3g4-hh25 CVE-2026-30913
Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email ...
4.6
IBM Planning Analytics Container Exposes Sensitive Environment Variables
CVE-2025-36105
IBM Planning Analytics Advanced Certified Containers 3.1.0 through 3.1.4 could allow a local privileged user to obtain sensitive information from envi...
4.4
GitHub Enterprise Server allows unauthorized access to private code
CVE-2026-3582
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access ...
5.3
Craft CMS: Attackers can access sensitive content
GHSA-vg3j-hpm9-8v5v CVE-2026-29113
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/cr...
2.3
GitHub Enterprise Server: Unauthorized Project Modifications Possible
CVE-2026-3306
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write acce...
5.3
SINEC Security Monitor Leaks Confidential Information
CVE-2026-27661
A vulnerability has been identified in SINEC Security Monitor (All versions < V4.9.0). The affected application leaks confidential information in meta...
5.3
Kubernetes Policy Engine Configuration Bypass via Deprecated APIs
GHSA-6r7f-3fwq-hq74 CVE-2026-29773
Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and A...
4.3
WordPress Court Reservation Plugin Deletes Events Without Permission
CVE-2026-1508
The Court Reservation WordPress plugin before 1.10.9 does not have a CSRF check in place when deleting events, which could allow attackers to make a lo...
4.3
MariaDB Audit Plugin Fails to Log Certain SQL Statements
CVE-2026-3494 BIT-mariadb-min-2026-3494
In MariaDB server versions through 11.8.5, when the server audit plugin is enabled with the server_audit_events variable configured with QUERY_DCL, QUERY_DDL, ...
5.3
Misskey: Data is imported from other users without permission
CVE-2026-28433
Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a v...
2.3
PowerVR GPU Exposes Sensitive Data with Incorrect Register Protection
CVE-2026-0108
The register protection of the PowerVR GPU is incorrectly configured. This could lead to local information disclosure with no additional execution pri...
4.0
Fortinet FortiMail and FortiRecorder Store Sensitive Info in Plain Text
CVE-2025-55717
A cleartext storage of sensitive information vulnerability [CWE-312] in Fortinet FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through ...
4.0
Fortinet FortiAnalyzer and FortiManager: Easy Password Guessing
CVE-2026-22629
An improper restriction of excessive authentication attempts vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4 all versio...
3.7
SAP NetWeaver ABAP Server Leaks Sensitive Data
CVE-2026-24310
Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module...
3.5
HCL Sametime for Android Leaks Sensitive Hostnames in Logs
CVE-2026-21791
HCL Sametime for Android is impacted by a sensitive information disclosure. Hostname information is written in application logs and certain URL...
3.3
VPU: Data Exposure Risk Through Malicious Actions
CVE-2026-0121
In VPU, there is a possible use-after-free read due to a race condition. This could lead to local information disclosure with no additional execution ...
2.9