CVE Vulnerabilities - 11 March 2026
362 vulnerabilities published on 11 March 2026
WellChoose IFTOP allows remote code execution on server
CVE-2026-3826
IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the ser...
9.3
WordPress Datalogics Ecommerce Delivery plugin allows unauthorized config changes
CVE-2026-2631
The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the o...
9.8
MR-GM5L-S1 and MR-GM5A-L1: Authentication Bypass Allows Configuration Changes
CVE-2026-27842
Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configurat...
9.3
MR-GM5L-S1 and MR-GM5A-L1 Use Stolen Administrator Credentials
CVE-2026-24448
Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access....
9.3
AOS-CX Switches: Unauthorized Access to Web Interface
CVE-2026-23813
A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote ac...
9.8
Google Chrome: Malicious Web Page Can Escape Browser
CVE-2026-3916
Out of bounds read in Web Speech in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially perform a sandbox escape via a craft...
9.6
Zoom Workplace for Windows allows unauthenticated access to sensitive files
CVE-2026-30903
External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an e...
9.6
Git repository compromised: malicious code runs in GitHub Actions workflows
CVE-2026-31976
GHSA-f8q5-h5qh-33mh
### Description
On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfu...
9.3
Plunk: Unauthenticated attackers could send fake emails through AWS SES
CVE-2026-32096
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS ...
9.3
Frappe Framework: Unsecured Data Exposure Through Malicious Requests
CVE-2026-31877
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in...
9.3
Cosmos EVM: Incorrect State Handling Exposes Chains to Data Loss
GHSA-54gx-3cgr-7mfm
**Advisory ID:** ASA-2026-002
**Component:** ICS20 Precompile
**Status:** Resolved
**Published:** March 2026
**Contact:** [[email protected]]...
9.3
MiCode FileExplorer's FTP Server Can Be Tricked into Letting Anyone In
CVE-2026-29515
MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log i...
9.3
Parse Server on PostgreSQL vulnerable to SQL Injection via malicious keys
GHSA-gqpp-xgvh-9h7h
CVE-2026-31871
### Impact
A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields usin...
9.3
2FAuth web app allows attackers to access internal networks
CVE-2026-32133
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability e...
7.8
Unity Catalog Exposes Data to Unauthorized Access
CVE-2026-27478
Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unit...
9.1
Lantronix EDS3000PS: Unauthorized Access to Management Pages
CVE-2025-67039
An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The authentication on management pages can be bypassed by appending a specific suffix to the...
9.1
Claude Code UI's Git Integration Vulnerable to Malicious Command Execution
GHSA-f2fc-vc88-6w7q
CVE-2026-31862
### Summary
Multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit)...
9.1
Parse Server: Unsecured Access to GraphQL and Audience Data
CVE-2026-31800
GHSA-7xg7-rqf6-pw6c
### Impact
The `_GraphQLConfig` and `_Audience` internal classes can be read, modified, and deleted via the generic `/classes/_GraphQLConfig` and `/c...
8.8
Parse Server allows attackers to steal user session tokens
CVE-2026-30965
GHSA-6r2j-cxgf-495f
### Impact
A vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other...
9.9
OpenEMR Graphical Pain Map allows attackers to hijack user sessions
CVE-2026-32118
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting...
9.0
Netbox Docker Default Admin Account and API Token
CVE-2023-27573
netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcde...
9.0
Shopware App Credentials Can Be Hijacked, Data Tampered With
CVE-2026-31889
GHSA-c4p7-rwrg-pf6p
### Summary
We identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to t...
8.9
Shopware: Attackers can steal customer order data without a password
CVE-2026-31887
GHSA-7vvp-j573-5584
### Summary
An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the `...
8.9
Google Chrome on Android: Heap Corruption via Malicious Webpage
CVE-2026-3936
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a cr...
8.8
Google Chrome: Out of bounds memory access in Skia library
CVE-2026-3931
Heap buffer overflow in Skia in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform out of bounds memory access via a crafted HT...
8.8