
CVE roundup March 9. UltraVNC DLL hijack, Tiandy surveillance flaws, and a flood of PHP noise

By Artem Safonov, Threat Analyst
Cover © Anonhaven

One hundred seventeen new CVEs appeared on March 9, 2026. Fifty earned relevance scores in our filter, and none reached critical severity. The highest-rated entry is a CVSS 8.7 SQL injection in Eventobot, an obscure PHP event management application. The two entries that matter for real-world defenders target UltraVNC and Tiandy's surveillance platform.

UltraVNC DLL hijack with a proof-of-concept and a silent vendor

CVE-2026-3787 affects UltraVNC 1.6.4.0 on Windows. The open-source remote desktop tool's Windows Service component loads cryptbase.dll through an uncontrolled search path (CWE-427). A local attacker who can write a malicious DLL to a directory in the service's search path gains code execution in the context of the UltraVNC service process.

UltraVNC has been in development since 2002. Its 1.5.x branch alone accumulated over two million downloads, according to the project's Wikipedia entry. The tool is popular with IT support teams, MSPs (managed service providers), and small businesses that need free remote desktop access across Windows 7 through Server 2025. A compromised UltraVNC service running with elevated privileges becomes a direct path to local privilege escalation.

The CVSS 4.0 score is 7.3 (HIGH). Attack complexity is rated high and exploitation requires local access, which limits the blast radius compared to network-reachable flaws. But a proof-of-concept exploit already exists. The researcher "haehanse" submitted the vulnerability to VulDB on March 8, 2026, and VulDB noted that the vendor "was contacted early about this disclosure but did not respond in any way."

No patch exists as of March 9. RedPacket Security recommends restricting write access to the UltraVNC service and DLL directories, enabling AppLocker or WDAC (Windows Defender Application Control) to block unsigned DLLs, and enabling SafeDllSearchMode. Organizations running UltraVNC as a Windows service should audit permissions on the installation directory immediately.
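One way to carry out the permission audit and SafeDllSearchMode check described above, as an added PowerShell example that is not from the article or the UltraVNC project. It assumes the service is registered under the name uvnc_service (adjust if your install differs) and takes the install directory from the binary path the service control manager holds for it:

```powershell
# Added audit script (not from the article or the UltraVNC project). Assumed
# service name; change it if your UltraVNC install registered a different one.
$ServiceName = 'uvnc_service'

# Principals that legitimately write under Program Files. Any other identity
# with write-class rights on the service directory can plant a DLL (CWE-427).
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that allow creating or replacing files in the directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

# 1. Resolve the service account and install directory from the SCM entry.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }
$exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($svc.PathName -match '^(.+?\.exe)') { $Matches[1] }
           else { $svc.PathName }
$installDir = Split-Path -Parent $exePath
Write-Host "Service '$ServiceName' runs as '$($svc.StartName)' from '$installDir'"

# 2. List Allow ACEs (explicit or inherited) that grant write-class rights to
#    untrusted principals. The directory of the service binary is searched
#    first for cryptbase.dll, so write access here is the hijack precondition.
$acl = Get-Acl -Path $installDir
$risky = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $WriteMask) -ne 0 -and
    $TrustedWriters -notcontains $_.IdentityReference.Value
}
if ($risky) {
    Write-Warning ("Untrusted write access on {0}: {1}" -f $installDir,
        (($risky.IdentityReference.Value | Sort-Object -Unique) -join ', '))
} else {
    Write-Host "OK: only trusted principals can write to $installDir"
}

# 3. SafeDllSearchMode = 1 (the default when the value is absent) searches
#    System32 before the current directory; 0 moves the current directory up.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$mode = (Get-ItemProperty -Path $smKey -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
if ($mode -eq 0) {
    Write-Warning 'SafeDllSearchMode is 0 (disabled); set it to 1 and reboot'
} elseif ($null -eq $mode) {
    Write-Host 'OK: SafeDllSearchMode not set, default (enabled) applies'
} else {
    Write-Host "OK: SafeDllSearchMode is $mode"
}
```

Run it from an elevated session; a warning from step 2 means the directory ACL needs tightening before AppLocker or WDAC is relied on as the second layer.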

Tiandy surveillance platform. SQL injection plus unrestricted file upload

Two flaws hit Tiandy's Easy7 integrated management platform in the same disclosure cycle. CVE-2026-3818 is a SQL injection in /Easy7/apps/WebService/GetDBData.jsp via the strTBName parameter (CVSS 6.9, MEDIUM). CVE-2026-3797 is an unrestricted file upload in CLS_REST_File.java via the fileName parameter (CVSS 5.3, MEDIUM).

Both flaws are remotely exploitable with published proof-of-concept code. The vendor did not respond to either disclosure.

The Tianjin-based company is not a fringe vendor. It ranks seventh among global surveillance manufacturers, operates in over 80 countries, and employs more than 3,000 people. IPVM (a security industry research group) documented Tiandy selling surveillance equipment to Iran's Revolutionary Guards.

Geopolitical scrutiny has followed the company for years. The Foundation for Defense of Democracies published a 2022 investigation detailing Tiandy's role in Uyghur tracking infrastructure in Xinjiang. In February 2025, the U.S. Department of Homeland Security warned that Chinese-made internet cameras deployed across U.S. critical infrastructure "could be exploited for espionage," noting that Chinese state-sponsored actors had "extensively targeted" vulnerabilities in such devices since at least 2020.

Tiandy's pattern of ignoring vulnerability disclosures stretches back years. In August 2017, Beyond Security's SecuriTeam attempted to report an information disclosure flaw in Tiandy IP cameras (CVE-2017-15236). Repeated contact attempts went unanswered. Eight years later, the same company still does not respond.

Eventobot. Highest CVSS, lowest real-world impact

CVE-2025-40639 earned the batch's top CVSS score at 8.7 (HIGH). The SQL injection in Eventobot's /assets/php/calculate_discount.php endpoint allows an authenticated attacker to read, create, update, and delete database records via the promo_send parameter. INCIBE (Spain's national CERT) assigned the CVE on March 9, 2026.

Eventobot is a niche PHP event management tool with no visible install base data. The high CVSS reflects the technical severity (network-reachable, low complexity, full database access), but the practical risk to most readers is negligible. If you run Eventobot, disable public access to the affected endpoint until a patch is available.

The PHP flood. Eight SQL injection CVEs in educational projects

Eight of the top ten entries share the same profile. They are SQL injection bugs in open-source PHP projects built for classroom use, including SourceCodester's Simple Responsive Tourism Website, Projectworlds' Online Art Gallery Shop, and code-projects' Student Web Portal, University Management System, and Simple Flight Ticket Booking System. All carry CVSS 6.9 scores, all are remotely exploitable, and all have published proof-of-concept code.

These projects are not production software. They are learning tools and code samples. Their CVE assignments inflate the daily count without reflecting real enterprise risk.

But they deserve one warning. If a developer copied one of these codebases into a production application (it happens), the SQL injection is live. The pattern is identical across all eight entries. User input passes directly into SQL queries without sanitization or parameterized statements.

March 9 was a quiet day for vulnerability disclosures. No critical-severity entries, no zero-days, no mass-market products. The two entries worth tracking are UltraVNC (because it is widely deployed and unpatched) and Tiandy (because the vendor never patches and the cameras sit on sensitive networks). Everything else is noise.


