Two hundred twenty-one new CVEs landed over March 7–8, 2026 — 143 on the first day, 78 on the second. Two earned critical scores above 9.0, four Netmaker flaws arrived as a cluster, and a WooCommerce CSRF (cross-site request forgery) bug put millions of online stores at risk of hostile admin account creation. We ranked the batch by severity and real-world exposure.
WooCommerce CSRF: 4.5 million stores, one batch-request flaw
CVE-2026-3589 carries a CVSS score of 7.5, but the blast radius dwarfs higher-rated entries on this list. WooCommerce versions 5.4.0 through 10.5.2 mishandle batch API requests: an attacker can craft a link that, when clicked by a logged-in administrator, hijacks the admin session to call arbitrary REST endpoints — including user creation. The result is a rogue admin account on the target store.
WooCommerce powers over 4.5 million active stores globally, according to StoreLeads tracking data as of mid-2025. Automattic developed patches for all 52 affected versions and coordinated with the WordPress.org Plugins Team to push auto-updates starting March 2, 2026, at 14:00 UTC. Stores hosted on WordPress.com, WordPress VIP, Pressable, and WP Cloud were patched automatically.
According to Automattic's developer advisory, published March 2, 2026, exploitation could have exposed full admin access, including customer order data: names, email addresses, phone numbers, shipping and billing addresses, payment method types, items purchased, and associated metadata. No passwords or credit card numbers were at risk. The company said it found no evidence of exploitation outside its own security testing program.
The flaw was reported through Automattic's bug bounty. WPScan assigned the CVE and published a technical description the same day. Stores whose administrators browse with non-Chrome browsers, or with older Chrome versions that have a specific flag enabled, were most exposed. If your WooCommerce version is 10.5.3 or later, you are patched.
Parse Server authentication bypass: CVSS 9.3
CVE-2026-30863 scored 9.3 on the CVSS 4.0 scale — the second-highest entry this weekend. Parse Server, the open-source backend used by mobile and web applications, failed to verify the audience claim in JWT (JSON Web Token) identity tokens when the adapter configuration option was left unset. The Google, Apple, and Facebook authentication adapters were all affected.
An attacker holding a validly signed JWT issued for any other application could authenticate as any user on a vulnerable Parse Server instance. No privileges required, no user interaction needed, low complexity — the three factors that push scores toward the ceiling. The fix landed in versions 8.6.10 and 9.5.0-alpha.11. Any Parse Server deployment using social login without explicitly setting clientId (Google/Apple) or appIds (Facebook) should update immediately and audit recent login activity.
WeKnora RCE: CVSS 9.9, the weekend's highest score
Tencent's WeKnora — a framework powered by large language models (LLMs) for document understanding and semantic retrieval — contained a remote code execution flaw in its database query layer. CVE-2026-30860 earned a CVSS 9.9, the highest score in the entire two-day batch.
The vulnerability sits in the input validation logic. WeKnora's SQL injection protections fail to recursively inspect child nodes inside PostgreSQL array expressions and row expressions. An attacker can smuggle dangerous PostgreSQL functions inside these constructs, chain them with large-object operations and library-loading capabilities, and execute arbitrary code on the database server — without authentication. The patch shipped in version 0.2.12.
WeKnora is a niche framework, not a mass-market product. But the attack is unauthenticated and network-reachable, and any organization running it in production with an exposed endpoint faces full system compromise. The same class of bug is likely lurking in other AI/ML frameworks built on top of PostgreSQL: custom input validation rarely accounts for the database's deep expression nesting and its full library of dangerous built-in functions.
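The recursion failure described above, as an added example that is not WeKnora's code: a toy expression tree stands in for a parsed PostgreSQL expression, and a shallow check is shown beside one that walks into array and row elements. The node kinds and the denylist entry `risky_func` are constructed placeholders.

```javascript
// Added example, not WeKnora's code. A toy AST stands in for a parsed PostgreSQL
// expression; node kinds used: 'call', 'array', 'row', 'literal', 'column'.
// The denylist entry is a constructed placeholder, not a real PostgreSQL function.
const DENYLIST = new Set(['risky_func']);

function isDeniedCall(node) {
  return node.kind === 'call' && DENYLIST.has(String(node.name).toLowerCase());
}

// Flawed check: inspects only the node it is handed, so a call wrapped in
// ARRAY[...] or ROW(...) is never seen.
function rejectShallow(node) {
  return isDeniedCall(node);
}

// Every object held in any array-valued property counts as a child, so node kinds
// the validator has never heard of are walked by default instead of silently skipped.
function childrenOf(node) {
  return Object.values(node)
    .flatMap((v) => (Array.isArray(v) ? v : []))
    .filter((v) => v && typeof v === 'object');
}

// Corrected check: recurse through the whole expression tree.
function rejectRecursive(node) {
  return isDeniedCall(node) || childrenOf(node).some(rejectRecursive);
}

// Constructed inputs: a bare call, the same call smuggled inside ROW(...) inside
// ARRAY[...], and a harmless expression.
const BARE = { kind: 'call', name: 'risky_func', args: [{ kind: 'literal', value: 1 }] };
const SMUGGLED = {
  kind: 'array',
  elements: [
    { kind: 'literal', value: 0 },
    { kind: 'row', elements: [{ kind: 'call', name: 'RISKY_FUNC', args: [] }] },
  ],
};
const HARMLESS = { kind: 'call', name: 'lower', args: [{ kind: 'column', name: 'title' }] };
```

A denylist only narrows the gap; parameterized queries and an allow-list of permitted functions are the durable fix.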
Four Netmaker vulnerabilities hit WireGuard networking
Netmaker, the open-source tool for building WireGuard-based networks, received four CVEs in a single disclosure. The most severe, CVE-2026-29196 and CVE-2026-29771, both scored 8.7.
CVE-2026-29196 allows any user with the platform-user role to retrieve WireGuard private keys for every configuration in a network via GET /api/extclients/{network} or GET /api/nodes/{network}. The UI hides the keys; the API does not. CVE-2026-29771 exposes an unauthenticated shutdown endpoint at /api/server/shutdown in versions before 1.2.0. The third flaw, CVE-2026-29194 (CVSS 8.6), is an authentication middleware bypass in versions before 1.5.0. The fourth, CVE-2026-29195 (CVSS 6.9), lets users escalate privileges through the PUT user-update handler.
All four are patched in Netmaker 1.5.0. A fifth WireGuard-adjacent CVE, CVE-2026-29781 (CVSS 5.3), affects Sliver, the open-source command-and-control framework that uses WireGuard's network stack. Netmaker operators should upgrade and rotate any WireGuard private keys that may have been exposed.
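The log review recommended above, as an added example that is not Netmaker's code: it flags non-admin reads of the two key-exposing endpoints and any hit on the shutdown endpoint, then lists the networks whose WireGuard keys should be rotated. The key=value line layout is constructed for the example and is not Netmaker's own log format; the role names are assumptions.

```javascript
// Added example, not Netmaker's code. The log line layout below is constructed;
// adapt parseLine() to the format your reverse proxy or Netmaker server actually writes.
const SAMPLE_LOG = [
  '2026-03-08T10:15:02Z user=alice role=platform-user method=GET path=/api/nodes/corpnet status=200',
  '2026-03-08T10:15:09Z user=alice role=platform-user method=GET path=/api/extclients/corpnet status=200',
  '2026-03-08T10:16:44Z user=ops-admin role=admin method=GET path=/api/nodes/corpnet status=200',
  '2026-03-08T10:20:31Z user=- role=- method=POST path=/api/server/shutdown status=200',
  '2026-03-08T10:21:00Z user=bob role=platform-user method=GET path=/api/networks status=200',
];

// Parse "timestamp key=value key=value ..." into an object.
function parseLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const rec = { ts };
  for (const pair of pairs) {
    const i = pair.indexOf('=');
    rec[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return rec;
}

// Endpoints named in the advisory: the two that return private keys, and the shutdown handler.
const KEY_EXPOSING = /^\/api\/(extclients|nodes)\/[^/]+$/;
const SHUTDOWN = /^\/api\/server\/shutdown$/;

function findSuspicious(lines) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (r.method === 'GET' && KEY_EXPOSING.test(r.path) && r.role !== 'admin') {
      findings.push({ ts: r.ts, cve: 'CVE-2026-29196', user: r.user, path: r.path,
        note: 'non-admin read of an endpoint that returns WireGuard private keys' });
    }
    if (SHUTDOWN.test(r.path)) {
      findings.push({ ts: r.ts, cve: 'CVE-2026-29771', user: r.user, path: r.path,
        note: 'shutdown endpoint hit; unauthenticated in versions before 1.2.0' });
    }
  }
  return findings;
}

// Networks whose keys were readable by a non-admin and should be rotated after the upgrade.
function networksToRotate(findings) {
  const nets = findings.filter((f) => f.cve === 'CVE-2026-29196').map((f) => f.path.split('/')[3]);
  return [...new Set(nets)];
}
```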
TimescaleDB: code execution during extension upgrade
TimescaleDB, the PostgreSQL extension for time-series analytics, patched CVE-2026-29089 (CVSS 8.8) in version 2.25.2. Versions 2.23.0 through 2.25.1 were vulnerable. The flaw exploits PostgreSQL's search_path mechanism: if a user-writable schema is in the path, an attacker can plant functions that shadow built-in PostgreSQL functions and execute arbitrary code during an extension upgrade.
The attack requires low privileges and no user interaction, but it is local — the attacker needs database access. Organizations running TimescaleDB should upgrade to 2.25.2 and audit which schemas appear in their search_path configuration.
Zarf: path traversal in Kubernetes packaging
Zarf, the airgap package manager for Kubernetes, patched CVE-2026-29064 (CVSS 8.2) in version 0.73.1. Versions 0.54.0 through 0.73.0 allowed a crafted Zarf package to create symlinks pointing outside the extraction directory, enabling arbitrary file reads or writes on the processing system. The attack requires user interaction — someone has to process the malicious package — but needs no authentication. Teams using Zarf in air-gapped environments should upgrade before importing any untrusted packages.
WordPress plugin pile: six more CVEs
WordPress plugins accounted for six additional CVEs beyond WooCommerce. The most severe, CVE-2025-8899 (CVSS 8.8), is a privilege escalation in the HTML5 PPV Live Webcams plugin. CVE-2026-3352 (CVSS 7.2) enables PHP code injection in Easy PHP Settings through version 1.0.4. CVE-2025-14353 (CVSS 7.5) is a SQL injection in a zip-code-based content protection plugin. CVE-2026-2020 (CVSS 7.5) allows PHP object injection in JS Archive List through version 6.1.7. CVE-2026-1074 (CVSS 7.2) is stored XSS in WP App Bar, and CVE-2026-2429 (CVSS 4.9) is SQL injection in the Community Events plugin — the only one requiring admin-level access.
None of these plugins approach WooCommerce's install base, but site administrators running any of them should check for updates in the WordPress plugin dashboard.
Plane project management tool
CVE-2026-30244 (CVSS 7.5) affects Plane, an open-source project management platform built on Django, in all versions before 1.2.2. Details in the advisory are sparse, but the score and network-reachable vector suggest a flaw worth patching for any team running a self-hosted Plane instance.
WooCommerce store owners should verify they are running version 10.5.3 or later — most auto-updating sites are already patched, but manually managed installations may be behind. Parse Server operators using social login must set the clientId or appIds configuration explicitly and update to 8.6.10 or 9.5.0-alpha.11. Netmaker users should upgrade to 1.5.0, rotate WireGuard keys, and review API access logs. TimescaleDB deployments need version 2.25.2, and Zarf users should move to 0.73.1 before processing any external packages. For the six remaining WordPress plugin flaws, check the Updates tab in the dashboard and disable any plugin you are not actively using.
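The version checks listed above, as an added example that is not code from any of the vendors named: a version comparison that handles the pre-release identifier in Parse Server's 9.5.0-alpha.11, plus the affected ranges and fixed versions exactly as reported in this article. Versions are assumed to follow "major.minor.patch[-prerelease]".

```javascript
// Added example, not code from any vendor named above. Versions are assumed to follow
// "major.minor.patch[-prerelease]"; the ranges and fixed versions come from the article.
function parseVersion(v) {
  const [core, pre] = v.split('-');
  const nums = core.split('.').map(Number);
  const preIds = pre === undefined ? null : pre.split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p));
  return { nums, preIds };
}

// Semver-style ordering: numeric core first; a release outranks any pre-release of the
// same core; then pre-release identifiers left to right, numbers sorting before words.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (pa.preIds === null && pb.preIds === null) return 0;
  if (pa.preIds === null) return 1;
  if (pb.preIds === null) return -1;
  for (let i = 0; i < Math.max(pa.preIds.length, pb.preIds.length); i++) {
    const x = pa.preIds[i], y = pb.preIds[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return Math.sign(x - y);
    if (typeof x === 'number') return -1;
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges as the article reports them; `from: null` means no lower bound was given.
// Parse Server has one fix per release line (8.x, and the 9.x pre-release series).
const ADVISORIES = {
  woocommerce:    [{ from: '5.4.0',  fixed: '10.5.3' }],
  'parse-server': [{ from: null,     fixed: '8.6.10' }, { from: null, fixed: '9.5.0-alpha.11' }],
  netmaker:       [{ from: null,     fixed: '1.5.0' }],
  timescaledb:    [{ from: '2.23.0', fixed: '2.25.2' }],
  zarf:           [{ from: '0.54.0', fixed: '0.73.1' }],
};

// True when `installed` lies inside the affected range for its release line.
function isVulnerable(product, installed) {
  const entries = ADVISORIES[product];
  if (!entries) throw new Error(`no advisory data for ${product}`);
  const major = parseVersion(installed).nums[0];
  const e = entries.find((x) => parseVersion(x.fixed).nums[0] === major) || entries[0];
  const afterStart = e.from === null || compareVersions(installed, e.from) >= 0;
  return afterStart && compareVersions(installed, e.fixed) < 0;
}
```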