CVE Vulnerabilities - 12 March 2026
830 vulnerabilities published on 12 March 2026
ProjectSend r1945: Unauthorized Access via Remote Exploit
CVE-2026-3977
A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. Th...
6.3
ProjectSend Up to r1945 Lacks Authorization Check
CVE-2026-3977
A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. Th...
5.3
AutohomeCorp frostmourne Can Execute Malicious Code Remotely
CVE-2026-3968
A vulnerability has been found in AutohomeCorp frostmourne up to 1.0. This affects the function scriptEngine.eval of the file ExpressionRule.java of t...
5.3
Qinglong API Interface vulnerable to remote command manipulation
CVE-2026-3965
GHSA-xj37-qjg2-xwv2
A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the...
2.1
Alfresco Activiti: Malicious Data Can Be Injected Through Process Variables
CVE-2026-3967
A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file ac...
5.3
GB28181-pro IP Address Handler Exposes Server to Remote Attacks
CVE-2026-3966
A vulnerability was detected in 648540858 wvp-GB28181-pro up to 2.7.4-20260107. Affected by this vulnerability is the function getDownloadFilePath of ...
5.3
TinaCMS CLI Allows Unauthenticated File Access on Local Host
CVE-2026-29066
GHSA-m48g-4wr2-j2h6
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables ...
6.2
ImageMagick: Stack Overflow When Processing MSL Scripts
CVE-2026-25971
GHSA-8mpr-6xr2-chhc
### Summary
Magick fails to check for circular references between two MSLs, leading to a stack overflow.
### Details
After reading a.msl using magick...
6.2
Simple Ajax Chat plugin for WordPress allows malicious scripts to be injected
CVE-2026-2987
The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in versions up to, and including, 2026021...
6.1
Backstage Plugin Auth Backend OAuth Redirect Bypass Exploit
GHSA-wqvh-63mv-9w92
CVE-2026-32235
### Impact
The experimental OIDC provider in `@backstage/plugin-auth-backend` is vulnerable to a redirect URI allowlist bypass. Instances that have e...
5.9
Libsoup Digest Authentication Allows Repeated Login Attempts
CVE-2026-3099
A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued non...
5.8
ImageMagick: Malicious SVG can crash server, generate trash files
GHSA-j96m-mjp6-99xr
CVE-2023-1289
### Summary
A specially crafted SVG file causes a segmentation fault and generates trash files in "/tmp", which may be leveraged for DoS.
### Operating system, ve...
5.5
ImageMagick can be tricked into writing data outside its memory area
CVE-2026-30936
GHSA-5ggv-92r5-cp4p
A crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoi...
5.5
Dataease 2.10.19 and earlier allows malicious SVG uploads
CVE-2026-32139
Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads....
5.3
StudioCMS: Any Authenticated User Can Modify Any User's Notification Settings
CVE-2026-32104
GHSA-9v82-xrm4-mp52
## Summary
The `updateUserNotifications` endpoint accepts a user ID from the request payload and uses it to update that user's notification preferenc...
5.4
Slack Events from Unauthorized Senders Possible in OpenClaw
GHSA-v8cg-4474-49v8
### Summary
Slack `member_*` and `message` subtype system events (`message_changed`, `message_deleted`, `thread_broadcast`) were not consistently enfo...
5.4
ASUS ROG Driver Installation Can Give Attackers System-Level Access
CVE-2026-1878
An Insufficient Integrity Verification vulnerability in the ASUS ROG peripheral driver installation process allows privilege escalation to SYSTEM. The...
5.4
Vim Text Editor Crashes When Editing Certain Regular Expressions
CVE-2026-32249
Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing...
5.3
Shopware API Discloses Sensitive License Information to Attackers
CVE-2026-32142
Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15....
5.3
Shopware Exposes Sensitive Security Fix Information
CVE-2026-32100
Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16,...
5.3
Nuxt: User-generated content can inject malicious HTML into page head
GHSA-g5xx-pwrp-g3fv
CVE-2026-31860
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event ha...
5.3
Uptime Kuma Leaks Private Ping Times via Unsecured API Endpoint
GHSA-c7hf-c5p5-5g6h
CVE-2026-32230
## Summary
The `GET /api/badge/:id/ping/:duration?` endpoint in `server/routers/api-router.js` does not verify that the requested monitor belongs to ...
5.3
Home Assistant OAuth Service Allows Unauthorized Network Scans
CVE-2026-32111
GHSA-fmfg-9g7c-3vq7
### Summary
The ha-mcp OAuth consent form (beta feature) accepts a user-supplied `ha_url` and makes a server-side HTTP request to `{ha_url}/api/confi...
5.3
ImageMagick Crashes When Handling Malformed MSL Files
CVE-2026-28687
GHSA-fpvf-frm6-625q
A heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file.
```
==...
```
5.3
ImageMagick's YUV decoder can crash or leak memory
CVE-2026-25986
GHSA-mqfc-82jx-3mr2
A heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel...
5.3