CVE Vulnerabilities - 11 March 2026
396 vulnerabilities published on 11 March 2026
Modular DS Plugin for WordPress: Attackers can hijack admin actions
CVE-2026-3903
The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, ...
4.3
Adobe Commerce versions 2.4.9-alpha3 to 2.4.4-p16 have a security bypass flaw
CVE-2026-21297
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulne...
4.3
Adobe Commerce: Unauthorized Access to Data
CVE-2026-21296
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulne...
4.3
Adobe Commerce versions 2.4.9-alpha3 and earlier: Unauthorized access to sensitive features
CVE-2026-21285
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulne...
4.3
Keycloak: Attacker Can Delete MFA and Take Over Accounts
CVE-2026-3429
GHSA-8g9r-9wjw-37j4
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions inte...
4.2
Palo Alto Networks Cortex XDR Agent on macOS Can Be Disabled by Local Admin
CVE-2026-0230
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on macOS allows a local administrator to disable the agent. This issu...
4.0
perfree go-fastdfs-web: Unauthorized Access via Hard-Coded Key
CVE-2026-3963
A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/p...
6.3
HCL Nomad server on Domino: Sensitive information at risk from malicious frames
CVE-2025-62328
HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attac...
3.7
Dell Alienware Command Center: Local Attackers Can Crash the Program
CVE-2026-24509
Dell Alienware Command Center (AWCC), versions prior to 6.12.24.0, contain an Improper Access Control vulnerability. A low privileged attacker with lo...
3.6
Anytype Desktop and CLI risk of unauthorized access on local machines
GHSA-vv3h-7qwr-722v
CVE-2026-31863
Impact: The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit ...
3.6
PHPEMS 11.0: Cross-site scripting in askcontent input
CVE-2026-3946
A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. Performing a manipulation...
5.1
Libheif: Malicious Local Files Can Cause Data Exposure
CVE-2026-3950
A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the...
4.8
libheif Image Parser Allows Unwanted Data Access
CVE-2026-3949
A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvde...
3.3
libheif: Local data corruption when parsing HEIF files
CVE-2026-3949
A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvde...
4.8
Easy Grade Pro 4.1.0.2 crashes when opening manipulated grade files
CVE-2025-70330
Easy Grade Pro 4.1.0.2 contains a file parsing logic flaw in the handling of proprietary .EGP gradebook files. By modifying specific fields at precise...
3.3
Google Chrome Leaks Sensitive Data from Other Websites
CVE-2026-3929
Side-channel information leakage in ResourceTiming in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to leak cross-origin data via a c...
3.1
Adobe Commerce: Malicious Redirects to Untrusted Sites
CVE-2026-21295
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a URL Redirection to Untrusted S...
3.1
OpenProject allows attackers to scan internal network
CVE-2026-31974
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notif...
3.0
Lenovo FileZ app leaks sensitive data in rare circumstances
CVE-2026-0520
A potential vulnerability was reported in the Lenovo FileZ Android application that, under certain conditions, could allow a local authenticated user ...
2.4
Keycloak: Unauthorized access to hidden user data
CVE-2026-3911
GHSA-xh32-c9wx-phrp
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing...
2.7
Dell Alienware Command Center (AWCC) fails to verify digital certificates
CVE-2026-24508
Dell Alienware Command Center (AWCC), versions prior to 6.12.24.0, contain an Improper Certificate Validation vulnerability. A low privileged attacker...
2.5
Neo4j Enterprise: Unauthorised Access via SSO Configuration Error
CVE-2026-1524
An edge case in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following co...
2.1
Neo4j Enterprise Edition: Insecure Authentication Context Caching
CVE-2026-1471
Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the contex...
2.1
Neo4j Enterprise Edition: Unintended Access to Local or Remote Databases
CVE-2026-1497
Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following s...
2.0
Craft CMS User Permissions Page Allows Malicious Code Execution
GHSA-g3hp-vvqf-8vw6
Summary: A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permiss...
1.8