CVE Vulnerabilities - 11 March 2026
362 vulnerabilities published on 11 March 2026
NanoMQ MQTT Broker May Crash Due to Out-of-Bounds Integer Parsing
CVE-2026-21888
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() accepts 5...
7.5
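The NanoMQ entry above describes an out-of-bounds read in MQTT v5 Variable Byte Integer parsing. The MQTT 5.0 specification encodes these integers in at most four bytes (seven payload bits per byte, high bit set on every byte except the last, maximum value 268,435,455), so a decoder must stop after four bytes and must never read past the bytes actually received. The following is an added example, not NanoMQ's code: a bounds-checked decoder with its encoder for round-trip checks, plus a fixed-header check that rejects packets whose Remaining Length exceeds the bytes present. The function names, the reading of the truncated advisory text "accepts 5..." as a five-byte encoding, and the sample packets are assumptions made for the example.

```c
/* Added example (not NanoMQ code): bounds-checked MQTT v5 Variable Byte Integer handling. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MQTT_VBI_MAX_BYTES 4            /* MQTT 5.0 section 1.5.5: at most four encoded bytes */
#define MQTT_VBI_MAX_VALUE 268435455u   /* 0x0FFFFFFF, the largest encodable value */

enum vbi_status { VBI_OK = 0, VBI_TRUNCATED = -1, VBI_MALFORMED = -2 };

/* Decode a Variable Byte Integer from buf[0..len).
 * Never reads past len, and never accepts a fifth encoded byte. */
int mqtt_vbi_decode(const uint8_t *buf, size_t len, uint32_t *value, size_t *consumed)
{
    uint32_t multiplier = 1;
    uint32_t result = 0;
    size_t i = 0;

    for (;;) {
        if (i >= MQTT_VBI_MAX_BYTES)   /* a fifth byte is malformed regardless of buffer size */
            return VBI_MALFORMED;
        if (i >= len)                  /* would read beyond the bytes received */
            return VBI_TRUNCATED;
        uint8_t b = buf[i++];
        result += (uint32_t)(b & 0x7F) * multiplier;
        if ((b & 0x80) == 0)           /* continuation bit clear: this was the last byte */
            break;
        multiplier *= 128;
    }
    *value = result;
    *consumed = i;
    return VBI_OK;
}

/* Encode value into out (at most four bytes); returns bytes written, 0 if out of range. */
size_t mqtt_vbi_encode(uint32_t value, uint8_t out[MQTT_VBI_MAX_BYTES])
{
    size_t n = 0;
    if (value > MQTT_VBI_MAX_VALUE)
        return 0;
    do {
        uint8_t b = (uint8_t)(value % 128);
        value /= 128;
        if (value > 0)
            b |= 0x80;                 /* more bytes follow */
        out[n++] = b;
    } while (value > 0);
    return n;
}

/* Parse the fixed header (control byte + Remaining Length) of a received packet and
 * confirm the declared body length actually fits in the bytes received. */
int mqtt_fixed_header_check(const uint8_t *pkt, size_t len, uint32_t *remaining, size_t *header_len)
{
    if (len < 1)
        return VBI_TRUNCATED;
    int rc = mqtt_vbi_decode(pkt + 1, len - 1, remaining, header_len);
    if (rc != VBI_OK)
        return rc;
    *header_len += 1;                  /* count the control byte */
    if (*remaining > len - *header_len)
        return VBI_TRUNCATED;          /* body not (yet) fully received: do not index into it */
    return VBI_OK;
}

int main(void)
{
    /* Constructed sample inputs, including a five-byte encoding and a short buffer. */
    const uint8_t five_bytes[] = {0x80, 0x80, 0x80, 0x80, 0x01};
    const uint8_t short_buf[]  = {0x80, 0x80};
    const uint8_t pingreq[]    = {0xC0, 0x00};
    uint32_t v; size_t n;

    printf("five bytes -> %d\n", mqtt_vbi_decode(five_bytes, sizeof five_bytes, &v, &n));   /* -2 */
    printf("short buffer -> %d\n", mqtt_vbi_decode(short_buf, sizeof short_buf, &v, &n));   /* -1 */
    printf("PINGREQ header -> %d\n", mqtt_fixed_header_check(pingreq, sizeof pingreq, &v, &n)); /* 0 */
    return 0;
}
```

The order of the two checks in the loop matters: testing the four-byte limit before the buffer length means a four-byte buffer of all-continuation bytes is reported as malformed rather than merely truncated, so a peer cannot keep the parser waiting for a fifth byte that the protocol never allows.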
GitLab CE/EE: Unauthenticated users can cause denial of service
CVE-2026-1069
BIT-gitlab-2026-1069
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause...
7.5
GitLab: Denial of Service via Malformed JSON Input in API
CVE-2025-14513
BIT-gitlab-2025-14513
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could ...
7.5
GitLab: Unauthenticated Users Can Crash Your Repository
CVE-2025-13929
BIT-gitlab-2025-13929
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could h...
7.5
Sunbird-Ed SunbirdEd-portal v1.13.4: Unauthorized Access to Sensitive Data
CVE-2025-70027
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. This allows attackers to obtain sen...
7.5
JetBooking plugin for WordPress allows attackers to access sensitive data
CVE-2026-3496
The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This...
7.5
OpenClaw and @openclaw/voice-call allow unauthorized access to resources
CVE-2026-32062
OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades ...
8.7
Appointment Booking Calendar Plugin Allows Attackers to Steal Sensitive Data
CVE-2026-1708
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versio...
7.5
Curl SMB Connection Reuse Vulnerability: Data Leak
CVE-2026-3805
CURL-CVE-2026-3805
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory....
7.5
WP Maps plugin for WordPress: Unauthenticated data theft via SQL Injection
CVE-2026-3222
The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including,...
7.5
Ally Plugin for WordPress: Unauthorized Database Access
CVE-2026-2413
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4....
7.5
Adobe Commerce Allows Unauthorized Users to Access Data
CVE-2026-21309
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulne...
7.5
Adobe Commerce: Unauthorized Access to Sensitive Data
CVE-2026-21289
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulne...
7.5
flagd Allows Malicious Requests to Crash the Server
CVE-2026-31866
GHSA-rmrf-g9r3-73pm
Details: flagd exposes OFREP (`/ofrep/v1/evaluate/...`) and gRPC (`evaluation.v1`, `evaluation.v2`) endpoints for feature flag evaluation. These en...
7.5
Sigstore Ruby Verifier Fails to Check Artifact Integrity
CVE-2026-31830
GHSA-mhg6-2q2v-9h2c
Summary: `Sigstore::Verifier#verify` does not propagate the `VerificationFailure` returned by `verify_in_toto` when the artifact digest does not m...
7.5
Parse Server allows attackers to bypass rate limits
CVE-2026-30972
GHSA-775h-3xrc-c228
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Serve...
7.5
Sequelize 6 Has SQL Injection Flaw
CVE-2026-30951
GHSA-6457-6jrx-69cr
Summary: SQL injection via unescaped cast type in JSON/JSONB `where` clause processing. The `_traverseJSON()` function splits JSON path keys on `:...
7.5
Parse Server: Unauthorized Access to Restricted Data via LiveQuery
CVE-2026-30947
GHSA-7ch5-98q2-7289
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level...
8.3
Parse Server Denial-of-Service via Unbounded Queries
CVE-2026-30946
GHSA-cmj3-wx7h-ffvg
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.2 and 8.6.15, an unauthentic...
8.3
Parse Server: Unauthenticated access to password reset and email verification tokens
CVE-2026-30941
GHSA-vgjh-hmwf-c588
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injec...
8.3
Zitadel Passkey Registration: Unauthorized Account Access Possible
CVE-2026-32132
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration ...
7.4
Cisco IOS XR Software: Unauthenticated Adjacent Attack Allows Denial of Service
CVE-2026-20074
A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) multi-instance routing feature of Cisco IOS XR Software could allow an unaut...
7.4
Forcepoint NGFW Engine Allows Local Privilege Escalation
CVE-2025-12690
Execution with unnecessary privileges in Forcepoint NGFW Engine allows local privilege escalation. This issue affects NGFW Engine through 6.10.19, thro...
7.3
H3C ACG1000-AK230: Remote code execution from website input
CVE-2026-3943
A vulnerability was found in H3C ACG1000-AK230 up to 20260227. This affects an unknown part of the file /webui/?aaa_portal_auth_local_submit. The mani...
6.9
PyPDF: Malicious PDFs Can Cause Memory Exhaustion
CVE-2026-31826
GHSA-hqmh-ppp3-xvm7
Impact: An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a r...
7.3