CVSS: 5.1 • EPSS: % • CPEs: - • EXPL: 1 • CVE-2026-3946 – PHPEMS index.php cross site scripting
https://notcve.org/view.php?id=CVE-2026-3946
11 Mar 2026 — A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. Manipulating the argument askcontent results in cross-site scripting. The attack can be carried out remotely. • https://github.com/shufenshui/CVE/issues/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-1992 – ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2026-1992
11 Mar 2026 — This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. • https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php#L273 • CWE-639: Authorization Bypass Through User-Controlled Key
CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-3826 – WellChoose|IFTOP - Local File Inclusion
https://notcve.org/view.php?id=CVE-2026-3826
11 Mar 2026 — IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server. • https://www.twcert.org.tw/en/cp-139-10756-73f66-2.html • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 9.0 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2026-31844 – Authenticated SQL Injection in Koha displayby parameter of suggestion.pl
https://notcve.org/view.php?id=CVE-2026-31844
11 Mar 2026 — An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL queries via crafted requests to this parameter, allowing execution of unintended SQL statements and exposure of sensitive database information. • https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 8.6 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-20892
https://notcve.org/view.php?id=CVE-2026-20892
11 Mar 2026 — A code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker with administrative privileges to execute arbitrary commands. • https://jvn.jp/en/vu/JVNVU98103854 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-13067 – Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass
https://notcve.org/view.php?id=CVE-2025-13067
11 Mar 2026 — The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. ... This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3475656/royal-elementor-addons • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: - • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-30741
https://notcve.org/view.php?id=CVE-2026-30741
11 Mar 2026 — A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack. • https://github.com/Named1ess/CVE-2026-30741
CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-70082
https://notcve.org/view.php?id=CVE-2025-70082
11 Mar 2026 — An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component. • http://eds3000ps.com • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); CWE-288: Authentication Bypass Using an Alternate Path or Channel; CWE-620: Unverified Password Change
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-27271 – Illustrator | Heap-based Buffer Overflow (CWE-122)
https://notcve.org/view.php?id=CVE-2026-27271
10 Mar 2026 — Illustrator versions 29.8.4, 30.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/illustrator/apsb26-18.html • CWE-122: Heap-based Buffer Overflow
CVSS: 8.6 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-21333 – Illustrator | Untrusted Search Path (CWE-426)
https://notcve.org/view.php?id=CVE-2026-21333
10 Mar 2026 — Illustrator versions 29.8.4, 30.1 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. • https://helpx.adobe.com/security/products/illustrator/apsb26-18.html • CWE-426: Untrusted Search Path
