Overview
- OpenClaw
- OpenClaw
Published: 05 Mar 2026
Updated: 09 Mar 2026
CVSS v4.0: HIGH (8.2)
EPSS: 0.03%
KEV
Description
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.
Statistics
- 1 Post
Last activity: 10 hours ago
Overview
- code-projects
- Simple Flight Ticket Booking System
Published: 08 Mar 2026
Updated: 08 Mar 2026
CVSS v4.0: MEDIUM (6.9)
EPSS: 0.03%
KEV
Description
A security flaw has been discovered in code-projects Simple Flight Ticket Booking System 1.0. It affects an unknown function of the file /Admindelete.php. Manipulation of the argument flightno results in SQL injection. The attack may be performed remotely. The exploit has been released to the public and may be used for attacks.
Statistics
- 1 Post
Last activity: 6 hours ago
Overview
Description
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is passed to any type that parses with the RFC 2822 format, a denial-of-service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely used features of the RFC 2822 format, used in a malicious manner. Ordinary, non-malicious input will never trigger this scenario. A limit on the depth of recursion was added in v0.3.47; from this version, an error is returned rather than exhausting the stack.
Statistics
- 1 Post
Last activity: 21 hours ago
Overview
- Everon
- api.everon.io
Published: 06 Mar 2026
Updated: 10 Mar 2026
CVSS v3.1: CRITICAL (9.4)
EPSS: 0.07%
KEV
Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Statistics
- 1 Post
Last activity: 11 hours ago
Overview
- SourceCodester
- Simple Responsive Tourism Website
Published: 08 Mar 2026
Updated: 08 Mar 2026
CVSS v4.0: MEDIUM (6.9)
EPSS: 0.05%
KEV
Description
A vulnerability was determined in SourceCodester Simple Responsive Tourism Website 1.0. Affected is an unknown functionality of the file /tourism/classes/Login.php?f=login of the component Login. Manipulation of the argument Username causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
- stellarwp
- The Events Calendar
Published: 10 Mar 2026
Updated: 10 Mar 2026
CVSS v3.1: HIGH (7.5)
EPSS: 0.06%
KEV
Description
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Statistics
- 1 Post
Last activity: 13 hours ago
Fediverse
🚨 CVE-2026-3585 (HIGH): Path traversal in stellarwp The Events Calendar plugin lets Author+ users read any files on WordPress servers up to v6.15.17. Restrict access, monitor logs, and patch ASAP. Details: https://radar.offseq.com/threat/cve-2026-3585-cwe-22-improper-limitation-of-a-path-57fec669 #OffSeq #WordPress #Vuln #Cybersecurity
Overview
Description
A vulnerability was identified in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex. Manipulation of the argument mit_linktype/PPPOEPassword leads to a stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used.
Statistics
- 1 Post
Last activity: 19 hours ago
Overview
- Zsoft
- OOP CMS BLOG
Published: 06 Mar 2026
Updated: 09 Mar 2026
CVSS v4.0: HIGH (8.8)
EPSS: 0.06%
KEV
Description
OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. Attackers can inject SQL commands via the search parameter in search.php, pageid parameter in page.php, and id parameter in posts.php to extract database information including table names, schema names, and database credentials.
Statistics
- 1 Post
Last activity: 15 hours ago
Overview
Description
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Statistics
- 1 Post
Last activity: 10 hours ago
Overview
Description
PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. Attackers can submit crafted bannerID values using SQL comment syntax and functions like extractvalue to extract sensitive database information such as the current database name.
Statistics
- 1 Post
Last activity: 4 hours ago