61596 matches found
CVE-2026-3227 Authenticated Command Injection on TP-Link TL-WR802N, TL-WR841N and TL-WR840N
A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. The router configuration import function allows an authenticated attacker to upload a crafted configuration file...
CVE-2026-3227
A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. The router configuration import function allows an authenticated attacker to upload a crafted configuration file...
CVE-2026-3227
Technical details beyond the brief description are not provided in the supplied documents. Monitor for updates on affected devices and firmware.
GHSA-5CXW-W2XG-2M8H

creationtimestamp | type | source
---|---|---
2026-03-13 21:10:06+00:00 | seen | https://gist.github.com/alon710/25afc6b7c80d9d4a2082df7705bf284f...

OneUptime: Password Reset Token Logged at INFO Level
Summary: The password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perfo...
CVE-2026-30961 Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an...
CVE-2026-30961
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an...
Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload
Summary: The chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size...
GHSA-45VH-RPC8-HXPP Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload
Summary: The chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size...
CVE-2026-32933

creationtimestamp | type | source
---|---|---
2026-03-13 15:35:18+00:00 | published-proof-of-concept | https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x
2026-03-22 00:01:02+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mhmaikzdtv2v...

GHSA-4CM8-XPFV-JV6F

creationtimestamp | type | source
---|---|---
2026-03-13 11:40:06+00:00 | seen | https://gist.github.com/alon710/c2c8edafba318da203fe42ab46df2df5...

GHSA-XG2Q-62G2-CVCM

creationtimestamp | type | source
---|---|---
2026-03-13 10:40:05+00:00 | seen | https://gist.github.com/alon710/be322fbd1c6dbc2c5db3537c606b3df9...

GHSA-GG5M-55JJ-8M5G

creationtimestamp | type | source
---|---|---
2026-03-13 09:40:05+00:00 | seen | https://gist.github.com/alon710/c7a26a3aa4c5be8cf9da1316183bceec...

CVE-2026-2890 Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler handleonetimestripelinkreturnurl marking payment records as complete based solely on the Stripe PaymentIntent status...
GHSA-2F24-MG4X-534Q

creationtimestamp | type | source
---|---|---
2026-03-13 06:40:06+00:00 | seen | https://gist.github.com/alon710/741d463a436134d071dd4a30bdde2bd7...

Improper File Handling
zx is vulnerable to Improper File Handling. The vulnerability is due to a logic error in the linkNodeModules and cleanup routines when using the --prefer-local option, which allows unintended deletion of an external /node_modules directory outside the current working directory...
CVE-2024-3838

creationtimestamp | type | source
---|---|---
2026-03-13 02:18:43+00:00 | seen | https://bsky.app/profile/undercode.bsky.social/post/3mgvtyi6ljj2z...

model.weights.h5: h5py.ExternalLink at Group level silently followed during load_model(), bypassing CVE-2025-9905 fix — information disclosure from arbitrary HDF5 files
Keras 3.x introduced a fix for CVE-2025-9905 by checking dataset.external in H5IOStore.verifydataset. This check blocks datasets whose raw bytes are stored in external files via the HDF5 "External Data Storage" mechanism. However, HDF5 supports a second, unrelated external-reference mechanism:...