2026-03-23 00:00Z · CRIT

Oracle vulnerability (CVE-2026-21992) impacts core products

Source: Sophos X-Ops · news.sophos.com · CVE-2026-21992

Oracle disclosed CVE-2026-21992, a critical vulnerability (CVSS 9.8) affecting Oracle Identity Manager and Oracle Web Services Manager in Fusion Middleware. Unauthenticated attackers can achieve remote code execution via HTTP due to missing network-level authentication. No active exploitation reported as of publication.

SRF: Application · TAC: TA0001, TA0002 · VND: Oracle · TYP: Vulnerability, Advisory · STG: Execution, Initial Access
2026-03-22 18:16Z · HIGH

CVE-2026-4558 — Linksys Mr9600_firmware: Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to os command injection.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4558

A flaw has been found in Linksys MR9600 2.0.6.206937. Affected is the function smartConnectConfigure of the file SmartConnect.lua. Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to OS command injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3.1 8.8 (HIGH) · EPSS 49th percentile · CWE-77, CWE-78 · VND: Linksys · TYP: Vulnerability
2026-03-22 04:16Z · HIGH

CVE-2026-4314 — Ultimate: The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4314

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabiliti

CVSS v3.1 8.8 (HIGH) · EPSS 14th percentile · CWE-269 · VND: Ultimate · TYP: Vulnerability
2026-03-21 23:16Z · HIGH

CVE-2026-4529 — Dlink Dhp-1320_firmware: Such manipulation leads to stack-based buffer overflow.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4529

A vulnerability was identified in D-Link DHP-1320 1.00WWB04. This affects the function redirect_count_down_page of the component SOAP Handler. Such manipulation leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS v3.1 8.8 (HIGH) · EPSS 18th percentile · CWE-121, CWE-119 · VND: Dlink · TYP: Vulnerability
2026-03-21 23:16Z · HIGH

CVE-2026-3629 — Import: The Import and export users and customers plugin for WordPress is vulnerable to privilege

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-3629

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Adminis

CVSS v3.1 8.1 (HIGH) · EPSS 24th percentile · CWE-269 · VND: Import · TYP: Vulnerability
2026-03-21 04:17Z · HIGH

CVE-2026-4261 — Expire: The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4261

The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

CVSS v3.1 8.8 (HIGH) · EPSS 16th percentile · CWE-862 · VND: Expire · TYP: Vulnerability
2026-03-21 04:17Z · HIGH

CVE-2026-3334 — CMS: The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname'

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-3334

The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into alread

CVSS v3.1 8.8 (HIGH) · EPSS 11th percentile · CWE-89 · VND: Cms · TYP: Vulnerability
2026-03-21 04:17Z · HIGH

CVE-2026-2941 — Linksy: The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-2941

The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any database table, any value, including the wp_capabilities database field, which allows attackers to change their own role to administrato

CVSS v3.1 8.8 (HIGH) · EPSS 16th percentile · CWE-862 · VND: Linksy · TYP: Vulnerability
2026-03-20 23:16Z · HIGH

CVE-2026-33236 — Nltk Nltk: Attackers can control a remote XML index server to provide malicious values containing path

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33236

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creati

CVSS v3.1 8.1 (HIGH) · CWE-22 · VND: Nltk · TYP: Vulnerability
2026-03-20 23:16Z · CRIT

CVE-2026-33228 — Webreflection Flatted: is a circular JSON parser.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33228

flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effecti

CVSS v3.1 9.8 (CRITICAL) · EPSS 45th percentile · CWE-1321, CWE-915 · VND: Webreflection · TYP: Vulnerability
2026-03-20 23:16Z · CRIT

CVE-2026-33210 — Ruby-lang Json: From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

CVSS v3.1 9.1 (CRITICAL) · CWE-134 · VND: Ruby Lang · TYP: Vulnerability
2026-03-20 23:16Z · CRIT

CVE-2026-33186 — Grpc Grpc: Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33186

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (includin

CVSS v3.1 9.1 (CRITICAL) · CWE-285 · VND: Grpc · TYP: Vulnerability
2026-03-20 23:16Z · CRIT

CVE-2026-29796 — Igl Eparking.fi: WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-29796

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructu

CVSS v3.1 9.4 (CRITICAL) · EPSS 16th percentile · CWE-306 · VND: Websocket, Igl · TYP: Vulnerability
2026-03-20 23:16Z · CRIT

CVE-2026-25192 — Ctek Charge_portal: WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25192

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructu

CVSS v3.1 9.4 (CRITICAL) · EPSS 45th percentile · CWE-306 · VND: Websocket, Ctek · TYP: Vulnerability
2026-03-20 23:03Z · INFO

v3.4.0.49

Source: Mythic releases · github.com

Mythic v3.4.0.49 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature information is provided in the GitHub release page.

VND: Mythic · TYP: Tool
2026-03-20 22:16Z · HIGH

CVE-2026-33166 — Qameta Allure_report: The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33166

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive fi

CVSS v3.1 8.6 (HIGH) · CWE-22 · VND: Qameta, Allure · TYP: Vulnerability
2026-03-20 19:54Z · INFO

v2.11.0

Source: AzureHound releases · github.com

AzureHound v2.11.0 released with maintenance updates including CLA workflow fixes, Windows resource generation tooling via winres, tenant info corrections for application fixture naming, and removal of Trivy from CI/CD actions. This is a routine point release with no security fixes or feature additions.

SRF: Identity, Cloud · VND: Specterops, Microsoft Azure · TYP: Tool · STG: Discovery, Recon
2026-03-20 19:16Z · HIGH

CVE-2026-33010 — Doobidoo Mcp-memory-service: The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33010

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=['*'], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"]. The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin. When combined with anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=t

CVSS v3.1 8.1 (HIGH) · CWE-942 · VND: Doobidoo · TYP: Vulnerability
2026-03-20 17:16Z · CRIT

CVE-2026-22898 — Qnap Qvr_pro: A missing authentication for critical function vulnerability has been reported to affect QVR Pro.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-22898

A missing authentication for critical function vulnerability has been reported to affect QVR Pro. Remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later.

CVSS v3.1 9.8 (CRITICAL) · CWE-306 · VND: Qnap · TYP: Vulnerability
2026-03-20 17:16Z · CRIT

CVE-2025-59383 — Qnap Media_streaming_add-on: A buffer overflow vulnerability has been reported to affect Media Streaming Add-On.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-59383

A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. Remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Media Streaming Add-on 500.1.1 and later.

CVSS v3.1 9.1 (CRITICAL) · CWE-121 · VND: Qnap · TYP: Vulnerability
2026-03-20 16:16Z · HIGH

CVE-2025-67260 — Aster-te Terrapack_tkservercgi: The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-67260

The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0.

CVSS v3.1 8.8 (HIGH) · CWE-434 · VND: Aster Te, Terrapack · TYP: Vulnerability
2026-03-20 14:16Z · CRIT

CVE-2024-44722 — Anolis Sysak: v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2024-44722

SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd.

CVSS v3.1 9.8 (CRITICAL) · CWE-94 · VND: Anolis, Sysak · TYP: Vulnerability
2026-03-20 13:15Z · INFO

linux-exploit-suggester — Linux privilege escalation auditing tool

Source: GitHub · LPE exploits · github.com · GITHUB POC · CVE-2017-16995 · CVE-2017-1000112 · CVE-2016-8655

Linux Exploit Suggester (LES) is a shell-based auditing tool that identifies Linux kernel privilege escalation vulnerabilities on a target system by matching kernel version, distro, and configuration against a curated database of public exploits. The tool also performs kernel hardening assessment via checksec-style analysis of compile-time and runtime security configurations.

SRF: Os · TAC: TA0004 · TYP: Research, Tool · STG: Discovery, Privesc · TEC: T1068 · EXP: lpe
2026-03-20 10:16Z · HIGH

CVE-2026-22324 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-22324

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania melania allows PHP Local File Inclusion. This issue affects Melania: from n/a through <= 2.5.0.

CVSS v3.1 8.1 (HIGH) · CWE-98 · TYP: Vulnerability
2026-03-20 07:16Z · HIGH

CVE-2026-4475 — Such manipulation leads to hard-coded credentials.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4475

A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3.1 8.8 (HIGH) · EPSS 11th percentile · CWE-798, CWE-259 · TYP: Vulnerability