
CVE Vulnerabilities - 11 March 2026

362 vulnerabilities published on 11 March 2026

Each entry lists the title, its identifiers (CVE and, where assigned, GHSA), the severity score, and the advisory description as published (descriptions are truncated at the source).

Royal Addons for Elementor plugin allows unauthorized file uploads
CVE-2025-13067 | Severity: 8.8
The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due...

AOS-CX CLI Command Parameter Injection Risk
CVE-2026-23814 | Severity: 8.8
A vulnerability in the command parameters of a certain AOS-CX CLI command could allow a low-privilege authenticated remote attacker to inject maliciou...

Parse Server: Malicious User Can Escalate Privileges with LDAP Credentials
CVE-2026-31828, GHSA-7m6r-fhh7-r47c | Severity: 7.8
The LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (`authData.id`) is interpolated directly into LDAP Di...

Parse Server OAuth login tokens can be used by other users
CVE-2026-30967, GHSA-fr88-w35c-r596 | Severity: 7.6
The OAuth2 authentication adapter, when configured without the `useridField` option, only verifies that a token is active via the provider...

Parse Server allows unauthorized access to user accounts
CVE-2026-30949, GHSA-48mh-j4p5-7j9v | Severity: 7.6
The Keycloak authentication adapter does not validate the `azp` (authorized party) claim of Keycloak access tokens against the configured ...

Cloud CLI: Unauthenticated Git Configuration Command Injection
CVE-2026-31861, GHSA-7fv4-fmmc-86g2 | Severity: 8.7
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, the /api/user/git-confi...

Cursor Code Editor: Malicious Website Instructions Can Execute Commands
CVE-2026-31854 | Severity: 8.7
Cursor is a code editor built for programming with AI. Prior to 2.0, if a visited website contains maliciously crafted instructions, the model may att...

Coppermine Photo Gallery allows unauthorized access to server files
CVE-2026-3013 | Severity: 8.7
Coppermine Photo Gallery in versions 1.6.09 through 1.6.27 is vulnerable to path traversal. An unauthenticated remote attacker is able to exploit a vulne...

Adobe Commerce: Malicious scripts can run in user browsers
CVE-2026-21290 | Severity: 8.7
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (X...

Parse Server allows attackers to access hidden data through special syntax
CVE-2026-31872, GHSA-r2m8-pxm9-9c4g | Severity: 8.7
The `protectedFields` class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attac...

Craft CMS's Search Function Can Be Hacked
CVE-2026-31858, GHSA-g7j6-fmwx-7vp8 | Severity: 8.7
The `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that was added to ElementIndexesController in [GHSA-2453-mp...

PingPong: Authenticated users can access or delete private files
CVE-2026-32097 | Severity: 8.6
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retriev...

OliveTin allows attackers to write files to arbitrary locations
CVE-2026-31817, GHSA-364q-w7vh-vhpc | Severity: 8.5
When the `saveLogs` feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part ...

Comtrend Router Allows Local Users to Run Unauthorized Commands
CVE-2019-25483 | Severity: 8.6
Comtrend AR-5310 GE31-412SSG-C01_R10.A2pG039u.d24k contains a restricted shell escape vulnerability that allows local users to bypass command restrict...

Verypdf docPrint Pro 8.0 allows local attackers to run malicious code
CVE-2019-25467 | Severity: 8.6
Verypdf docPrint Pro 8.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code ...

Easy File Sharing Web Server 7.2 allows local attackers to execute malicious code
CVE-2019-25466 | Severity: 8.6
Easy File Sharing Web Server 7.2 contains a local structured exception handling buffer overflow vulnerability that allows local attackers to execute a...

SiYuan's forwardProxy endpoint allows unauthorized access to internal networks
CVE-2026-32110, GHSA-56cv-c5p2-j2wg | Severity: 8.3
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary ...

Wisp Allows Access to Sensitive Files via Malicious URLs
CVE-2026-28807, EEF-CVE-2026-28807, GHSA-h7cj-j2vv-qw8r | Severity: 8.3
`wisp.serve_static` is vulnerable to arbitrary file read via percent-encoded path traversal (`%2e%2e`). The directory traversal sanitizat...

Varient 1.6.1: Unauthenticated Attackers Can Access Sensitive Data
CVE-2019-25486 | Severity: 8.8
Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code throu...

Striae Digital Confirmation Workflow Allows Tampered Packages
CVE-2026-31839, GHSA-mmf8-487q-p45m | Severity: 8.2
A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation tru...

Sylius Promotion and Coupon Limits Can Be Exceeded
CVE-2026-31824, GHSA-7mp4-25j8-hp5q | Severity: 8.2
A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerabi...

OpenEMR: Unprivileged users can delete or modify critical health records
CVE-2026-32126 | Severity: 8.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean conditi...

ClasroomIO allows attackers to gain higher-level access
CVE-2025-67298 | Severity: 8.1
An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile...

Craft CMS control panel allows unauthorized code execution
CVE-2026-31857, GHSA-fp5j-j7j4-mcxc | Severity: 8.1
A Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The `BaseElementSelectConditionRule::getElementIds()` method passe...

Divi-Booster WordPress plugin allows unauthorized edits by anyone
CVE-2026-2626 | Severity: 8.1
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing functions, allowing unauthenticated use...