CVE Vulnerabilities - 11 March 2026

362 vulnerabilities published on 11 March 2026

ProfilePress Plugin for WordPress Allows Subscription Cancellation by Malicious Users
CVE-2026-3453
The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to ...
8.1
Adobe Commerce: Stored XSS in Form Fields
CVE-2026-21361
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (X...
8.1
Adobe Commerce: Malicious scripts can be injected into user forms
CVE-2026-21284
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (X...
8.1
GLPI Software Allows Malicious File Upload and Execution
CVE-2026-22248
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. Fro...
8.0
Adobe Commerce versions 2.4.9-alpha3 and earlier: Malicious scripts can be injected into form fields
CVE-2026-21311
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (X...
8.0
Microsoft .NET Software on Linux Allows Attackers to Gain Elevated Privileges
CVE-2026-26131 GHSA-crjq-wm6x-6qx7
Microsoft Security Advisory CVE-2026-26131 – .NET Elevation of Privilege Vulnerability. Executive summary: Microsoft is releasing this security a...
7.8
Zoom for Windows may let malicious users gain more control
CVE-2026-30902
Improper Privilege Management in certain Zoom Clients for Windows may allow an authenticated user to conduct an escalation of privilege via local acce...
7.8
Zoom for Windows: Unauthorized Access through Outdated Client
CVE-2026-30900
Improper Check of minimum version in update functionality of certain Zoom Clients for Windows may allow an authenticated user to conduct an escalation...
7.8
QNAP Operating System: Unsecured Access Can Allow Remote Command Execution
CVE-2024-14026
A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who ha...
2.0
ZITADEL: Unauthorized Access to Sensitive Data in Management API
CVE-2026-32131
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, whic...
7.7
Runtipi homeserver orchestrator: Unauthenticated password reset
CVE-2026-31881
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-res...
7.7
Grafana Cubism Panel Allows Malicious Code Execution
CVE-2026-32117
The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-suppl...
7.6
Google Chrome: Compromised Browser Session Escalation Risk
CVE-2026-3924
Use after free in WindowDialog in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to potential...
7.5
Zitadel SCIM API allows unauthorized access to user data
CVE-2026-32130
ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Ma...
7.5
.NET Can Be Crashed by Malformed Data
CVE-2026-26127 GHSA-73j8-2gch-69rq
Microsoft Security Advisory CVE-2026-26127 – .NET Denial of Service Vulnerability. Executive summary: Microsoft is releasing this security adviso...
7.5
.NET SignalR Servers Can Be Made to Crash
CVE-2026-26130 GHSA-4vgm-c2wm-63mw
Microsoft Security Advisory CVE-2026-26130 – .NET Denial of Service Vulnerability. Executive summary: Microsoft is releasing this security adviso...
7.5
Parse Server: Protected Fields Can Be Inferred by Attackers
CVE-2026-32098 GHSA-j7mm-f4rv-6q6q
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker...
6.9
WeGIA Web Manager: Unvalidated Archive Extraction
CVE-2026-31894
WeGIA is a web manager for charitable institutions. In 3.6.5, the patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's...
6.9
RIOT OS: Unvalidated Buffer Writes Data into Stack
CVE-2026-27703
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded dev...
7.5
ARMBot: Unauthenticated File Upload Allows Remote Code Execution
CVE-2019-25480
ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulatin...
8.7
GetGo Download Manager Crashes with Malicious Web Response
CVE-2019-25478
GetGo Download Manager 6.2.2.3300 contains a buffer overflow vulnerability that allows remote attackers to cause denial of service by sending HTTP res...
8.7
IntelBras Telefone IP TIP200 Devices Allow Unauthorized Access to Sensitive Files
CVE-2019-25472
IntelBras Telefone IP TIP200 and 200 LITE contain an unauthenticated arbitrary file read vulnerability in the dumpConfigFile function accessible via t...
8.7
eWON Firmware 12.2 to 13.0: Attackers can steal sensitive user data
CVE-2019-25470
eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive...
8.7
Hisilicon HiIpcam V100R003: Unauthenticated Access to Sensitive Configuration Files
CVE-2019-25465
Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files ...
8.7
cpp-httplib: Unchecked HTTP Header Can Crash Client Application
CVE-2026-31870
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (h...
7.5