
CVE Vulnerabilities - 11 March 2026

362 vulnerabilities published on 11 March 2026

Umbraco allows hackers to inject malicious code in property type descriptions
CVE-2026-31833 GHSA-vrqc-59mw-qqg7
An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly p...
6.7
Video Station: Unauthorized code can be executed on local network
CVE-2024-14025
An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administra...
0.1
Video Station: Administrator Access via Local Network Attack
CVE-2024-14024
An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also ga...
0.1
OpenEMR 7.x and prior: Sensitive patient info accessible to unauthorized users
CVE-2026-32123
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for grou...
6.5
Copyparty File Server Allows Unwanted Access to Shared Files
CVE-2026-32108 GHSA-67rw-2x62-mqqm
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulner...
2.3
OpenBMB XAgent allows attackers to access sensitive files
CVE-2026-3954
A weakness has been identified in OpenBMB XAgent 1.0.0. Affected by this vulnerability is the function workspace of the file XAgentServer/application/...
6.9
OpenProject: Malicious Links Can Crash Project Management Software
CVE-2026-30235
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenPro...
6.5
Splunk Enterprise: Unauthorized access to stored passwords
CVE-2026-20164
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.1...
6.5
OpenProject: Malicious File Upload Allows Access to Local Files
CVE-2026-30234
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can...
6.5
Open Forms: Attackers can guess or modify cosign links
CVE-2026-28803
Open Forms allows users to create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instruct...
6.5
GitLab Webhook Denial of Service on Older Versions
CVE-2025-13690 BIT-gitlab-2025-13690
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could ...
6.5
libcurl Reuses Wrong Connection for Negotiate-Authenticated Requests
CVE-2026-1965 CURL-CVE-2026-1965
libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a po...
6.5
Incorrect Proxy Credentials Used for New Connections
CVE-2026-3784 CURL-CVE-2026-3784
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP ...
6.5
AOS-CX Switches Allow Remote URL Redirects Without Authentication
CVE-2026-23817
A vulnerability in the web-based management interface of AOS-CX Switches could allow an unauthenticated remote attacker to redirect users to an arbitr...
6.5
Mailchimp for WordPress Plugin Allows Unauthenticated Unsubscribes
CVE-2026-1781
The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is d...
6.5
Parse Server allows unauthorized access to sensitive data
CVE-2026-30962 GHSA-72hp-qff8-4pvv
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validat...
7.8
Sylius: Unauthorized access to cart and order data
CVE-2026-31820 GHSA-2xc6-348p-c2x6
An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource I...
7.8
Hackers can inject malicious code into WordPress forms
CVE-2026-3492
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a c...
6.4
Happy Addons for Elementor plugin allows unauthorized access and script injection
CVE-2026-2918
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via...
6.4
Astra theme for WordPress: Injected scripts in pages via certain post meta fields
CVE-2026-3534
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post m...
6.4
weForms plugin for WordPress: Malicious scripts can run in admin form view
CVE-2026-2707
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and in...
6.4
WP ULike plugin for WordPress allows attackers to inject malicious scripts
CVE-2026-2358
The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all v...
6.4
Dear Flipbook Plugin for WordPress Allows Attackers to Inject Harmful Code
CVE-2026-2569
The Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via PDF page la...
6.4
Manga-Image-Translator Beta 0.3 Can Be Tricked into Doing Wrong Actions
CVE-2026-3961
A vulnerability was determined in zyddnys manga-image-translator up to beta-0.3. The affected element is the function to_pil_image of the file manga-i...
5.3
Woahai321 ListSync allows attackers to forge requests to servers
CVE-2026-3958
A vulnerability has been found in Woahai321 ListSync up to 0.6.6. This issue affects the function requests.post of the file list-sync-main/api_server....
5.3