Eighty-five new CVEs landed on March 10, 2026, with 26 rated relevant. The highest score in the batch is 8.8, earned by yet another annotation injection flaw in the Kubernetes ingress-nginx controller. Seven Unisoc NR modem vulnerabilities can crash Android phones remotely without authentication. A command injection in Budibase's PostgreSQL integration rounds out the day at CVSS 8.6.
Ingress-nginx annotation injection keeps coming back
CVE-2026-3288 allows configuration injection through the rewrite-target annotation. An attacker with permission to create or modify Ingress resources can inject arbitrary nginx directives into the generated configuration, leading to remote code execution in the controller pod. In the default installation, the controller can access all Kubernetes Secrets cluster-wide.
The flaw carries a CVSS 3.1 score of 8.8 (CWE-20, improper input validation). It requires low privileges and no user interaction. Security researcher Kai Aizen reported it to the Kubernetes Security Response Committee, which published the advisory on March 9, 2026. Patches shipped in ingress-nginx versions 1.13.8, 1.14.4, and 1.15.0.
Ingress-nginx annotation injection is now a recurring pattern. In March 2025, Wiz Research disclosed IngressNightmare, a chain of four vulnerabilities (including the CVSS 9.8 CVE-2025-1974) that allowed unauthenticated RCE through the admission webhook. Wiz estimated that 43% of cloud environments were vulnerable, with over 6,500 clusters exposing the admission controller to the public internet.
Pentera Labs found three more injection points in April 2025. One targeted the same rewrite-target annotation that CVE-2026-3288 now affects. Two more annotation injection CVEs appeared in February 2026 (CVE-2026-24512 for paths.path, CVE-2026-1580 for auth-method). Each fix sanitizes one annotation; researchers find the next unsanitized field within months.
According to the Kubernetes advisory, suspicious data in rules.http.paths.path fields could indicate exploitation attempts. The committee recommends upgrading to ingress-nginx 1.15.0 and restricting Ingress resource creation through RBAC policies.
Seven Unisoc NR modem flaws crash Android phones remotely
Seven CVEs hit Unisoc's NR (New Radio) modem firmware. The affected chipsets are the T8100, T8200, T8300, and T9100, with two of the seven (CVE-2025-69278 and CVE-2025-61612) extending to the T7300. All seven share the same profile: CWE-20, CVSS 7.5, remotely exploitable, no authentication, no user interaction.
| CVE | CVSS | Chipsets | Android versions |
|---|---|---|---|
| CVE-2025-69279 | 7.5 HIGH | T8100, T8200, T8300, T9100 | 13, 14, 15, 16 |
| CVE-2025-69278 | 7.5 HIGH | T7300, T8100, T8200, T8300, T9100 | 13, 14, 15, 16 |
| CVE-2025-61616 | 7.5 HIGH | T8100, T8200, T8300, T9100 | 13, 14, 15, 16 |
| CVE-2025-61615 | 7.5 HIGH | T8100, T8200, T8300, T9100 | 13, 14, 15, 16 |
| CVE-2025-61614 | 7.5 HIGH | T8100, T8200, T8300, T9100 | 13, 14, 15, 16 |
| CVE-2025-61613 | 7.5 HIGH | T8100, T8200, T8300, T9100 | 13, 14, 15, 16 |
| CVE-2025-61612 | 7.5 HIGH | T7300, T8100, T8200, T8300, T9100 | 13, 14, 15, 16 |
Exploitation crashes the modem subsystem. Users lose cellular connectivity, drop calls, and cannot reach mobile data. No confidentiality or integrity breach occurs. Android versions 13 through 16 are affected.
Unisoc chipsets power a large share of budget smartphones in Asia, Africa, and Latin America. According to Counterpoint Research data from 2024, Unisoc held roughly 10% of the global smartphone SoC market, concentrated in emerging markets where these chips appear in devices from Samsung, Motorola, Nokia, and dozens of regional OEMs.
OffSeq Threat Radar flagged all seven CVEs as high-risk. Exploitation requires no privileges and no user interaction, and the attack complexity is low. OffSeq noted that organizations relying on devices with these chipsets should prepare for rapid patch deployment once firmware updates arrive.
Unisoc published its advisory on March 9, 2026, but linked no device-specific patches. Google typically bundles Unisoc fixes into the monthly Android Security Bulletin. Users of phones with T-series chipsets should watch for OEM firmware updates in the coming weeks.
Budibase command injection via PostgreSQL integration
Budibase, the open-source low-code platform, has an OS command injection flaw. CVE-2026-25041 (CWE-78) scored 8.6 on the CVSS 4.0 scale. In version 3.23.22 and earlier, the PostgreSQL integration constructs shell commands by directly interpolating user-controlled configuration values (database name, host, password) into the command string without sanitization. The vulnerable code is in packages/server/src/integrations/postgres.ts.
Exploitation requires admin-level access to the Budibase instance, which limits the attack surface. But in shared-hosting environments or organizations where multiple users hold Budibase admin privileges, an insider or a compromised admin account could run arbitrary commands on the underlying server. According to the Budibase GitHub advisory, the fix was committed to the main branch and self-hosted instances should update immediately.
Eventobot SQL injection
CVE-2025-40639 is a SQL injection (CWE-89) in Eventobot, a PHP-based event management application. INCIBE (Spain's national cybersecurity institute) assigned the CVE on March 9, 2026, with a CVSS score of 8.7. The flaw sits in /assets/php/calculate_discount.php via the promo_send parameter and allows an attacker to retrieve, modify, or delete the entire database remotely.
Eventobot has limited deployment, and real-world impact is low. No patch was available at the time of publication.
Kubernetes teams running ingress-nginx should upgrade to version 1.15.0, 1.14.4, or 1.13.8 and tighten RBAC to limit who can create Ingress resources. Android users on Unisoc T7300, T8100, T8200, T8300, or T9100 chipsets should install OEM firmware updates as soon as they appear. Budibase administrators need to update past version 3.23.22 and audit who holds admin access to the platform.