CVE Vulnerabilities - 12 March 2026
830 vulnerabilities published on 12 March 2026
Honeywell IQ4x building management system exposes web interface without password in default config
CVE-2026-3611 | Severity: 10.0
The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no...
Winter CMS allows attackers to gain higher user access
CVE-2026-27591 | GHSA-pgpf-m8m4-6cg6 | Severity: 10.0
## Impact
Affected versions of Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying th...
PostgreSQL Backup Viewer allows unauthorized code execution as admin
CVE-2026-21708 | Severity: 9.9
A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user....
Microsoft Exchange Backup Server allows authenticated users to execute code remotely
CVE-2026-21669 | Severity: 9.9
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server....
Vulnerable Backup Server Allows Unintended Code Execution
CVE-2026-21667 | Severity: 9.9
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server....
Microsoft Windows Backup Server Remote Code Execution Risk
CVE-2026-21666 | Severity: 9.9
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server....
GL-iNet GL-AR300M16: Hackers can execute unauthorized system commands
CVE-2026-26793 | Severity: 9.8
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the set_config function. This vulnerability allows attacke...
D-Link DIR-513: Unsecured Input Can Cause Device Crash
CVE-2025-70245 | Severity: 9.8
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWizardSelectMode....
GL-iNet GL-AR300M16: Uncontrolled Code Execution via Log Function
CVE-2026-26795 | Severity: 9.8
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. Thi...
GL-iNet GL-AR300M16 Firmware Upgrade Vulnerability Allows Command Execution
CVE-2026-26792 | Severity: 9.8
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target...
GL-iNet GL-AR300M16 Wi-Fi Router Allows Malicious Commands
CVE-2026-26791 | Severity: 9.8
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server functi...
Parse Server: Hackers can take over any user account
CVE-2026-32248 | GHSA-5fw2-8jcv-xh87 | Severity: 9.3
### Impact
An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the for...
SGLang Multimodal Module Allows Remote Code Execution
CVE-2026-3059 | GHSA-rgq9-fqf5-fv58 | Severity: 9.8
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data...
SGLang: Untrusted Data Can Execute Malicious Code Remotely
CVE-2026-3060 | GHSA-jx93-g359-86wm | Severity: 9.8
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deseri...
Cafe Reservation System 1.0: Malicious Usernames Can Steal Data
CVE-2026-4014 | Severity: 6.9
A security flaw has been discovered in itsourcecode Cafe Reservation System 1.0. This impacts an unknown function of the file /curvus2/signup.php of t...
TinaCMS CLI Dev Server Allows Hackers to Steal Files
CVE-2026-28792 | GHSA-8pw3-9m7f-q734 | Severity: 9.6
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-All...
LXD API allows authenticated users to run arbitrary commands on the server
CVE-2026-28384 | Severity: 9.4
An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the...
Tolgee Open-Source Localization Platform Exposes Sensitive Files Internally
CVE-2026-32251 | Severity: 9.3
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don'...
Trane Tracer SC and Tracer SC+ allow attackers to bypass authentication and gain root access
CVE-2026-28252 | Severity: 9.2
A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypas...
Veeam Backup & Replication: Authenticated RCE in HA Deployments
CVE-2026-21671 | Severity: 9.1
A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) dep...
Dataease: Malicious Configuration File Can Execute Remote Code
CVE-2026-32140 | Severity: 9.3
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, by controlling the IniFile parameter, an attacker can force the JDBC dr...
Dataease SQL Injection Vulnerability: Table Name Manipulation
CVE-2026-32137 | Severity: 9.3
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, the table parameter for /de2api/datasource/previewData is directly conc...
GL-iNet GL-AR300M16: SQL injection allows unauthorized access
CVE-2026-26794 | Severity: 8.8
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a SQL injection vulnerability via the add_group() function. This vulnerability allows attackers ...
Veeam Backup & Replication: Local Privilege Escalation on Windows Servers
CVE-2026-21672 | Severity: 8.8
A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers....
ZeptoClaw: External files can be accessed through symlinks and hardlinks
CVE-2026-32232 | GHSA-2m67-cxxq-c3h8 | Severity: 8.8
### Summary
Workspace boundary enforcement currently has three related bypass risks. This issue tracks fixing all three in one pull request.
### Deta...