The NVD published 215 new vulnerabilities between March 14 and 15, 2026. Of those, 52 affect enterprise and developer environments. Five carry CVSS scores above 9.0. A CVSS 9.9 SQL injection in OneUptime and a CVSS 9.8 unauthenticated file upload in a WordPress payment plugin both enable remote code execution.
Critical tier
Pix for WooCommerce contains an unauthenticated arbitrary file write defect. CVE-2026-3891 (CVSS 9.8) affects all versions up to and including 1.5.0. The lkn_pix_for_woocommerce_c6_save_settings function lacks both a capability check and file type validation, according to Wordfence. An unauthenticated attacker can push a PHP web shell directly to the server, gaining full site control. Version 1.6.0 patches the flaw.
WordPress arbitrary file upload bugs in WooCommerce plugins are a recurring pattern. In February 2026, Wordfence reported CVE-2026-2115 in WooCommerce Designer Pro (CVSS 9.8), the same class of defect. Plugin authors consistently skip the current_user_can() capability check and omit MIME-type validation on upload handlers.
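The response table at the end of this roundup recommends scanning the uploads directory for .php files. The following scanner is an added example written for this article, not code from Wordfence or from either plugin: it walks an uploads tree and flags files that carry a server-executable extension anywhere in their name (so a double extension like avatar.php.jpg is caught) or whose first bytes contain a PHP open tag regardless of extension. The extension list and the uploads path are constructed assumptions; adjust them to the handlers your web server actually maps to PHP.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// serverSideExtensions lists extensions a PHP host may execute. The list is a
// constructed starting point; match it to your server's handler configuration.
var serverSideExtensions = map[string]bool{
	".php": true, ".php5": true, ".php7": true, ".phtml": true, ".phar": true, ".phps": true,
}

// hasServerSideExtension flags an executable extension anywhere in the name,
// so "avatar.php.jpg" is caught as well as "avatar.php".
func hasServerSideExtension(name string) bool {
	parts := strings.Split(strings.ToLower(name), ".")
	for _, p := range parts[1:] {
		if serverSideExtensions["."+p] {
			return true
		}
	}
	return false
}

// startsWithPHPTag reads the first 512 bytes and looks for a PHP open tag,
// which catches PHP content that was renamed to an image extension.
func startsWithPHPTag(path string) (bool, error) {
	f, err := os.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	buf := make([]byte, 512)
	n, err := io.ReadFull(f, buf)
	if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
		return false, err
	}
	head := buf[:n]
	return bytes.Contains(head, []byte("<?php")) || bytes.Contains(head, []byte("<?=")), nil
}

// scanUploads walks root and returns the root-relative, slash-separated paths
// of files flagged by either check, sorted for stable output.
func scanUploads(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		flagged := hasServerSideExtension(d.Name())
		if !flagged {
			tagged, err := startsWithPHPTag(path)
			if err != nil {
				return err
			}
			flagged = tagged
		}
		if flagged {
			rel, err := filepath.Rel(root, path)
			if err != nil {
				return err
			}
			hits = append(hits, filepath.ToSlash(rel))
		}
		return nil
	})
	sort.Strings(hits)
	return hits, err
}

func main() {
	root := "wp-content/uploads" // constructed default; pass your real uploads root as argv[1]
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	hits, err := scanUploads(root)
	if err != nil {
		fmt.Println("scan error:", err)
		return
	}
	for _, h := range hits {
		fmt.Println("suspicious upload:", h)
	}
}
```

Run it against the uploads root after applying the plugin update; a hit on a file the site did not legitimately create is the signal to treat the host as compromised rather than merely vulnerable.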
OneUptime allowed SQL injection into ClickHouse via its telemetry API. CVE-2026-32306 (CVSS 9.9) let an authenticated user with low-privilege project access read telemetry from all tenants and modify records. Attackers could potentially execute code via ClickHouse table functions. The aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters were interpolated directly into queries with no allowlist and no parameterized binding. Fixed in 10.0.23.
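The defect described above is the absence of an allowlist between the three request parameters and the query text. The following Go example is added for this article and is not OneUptime's code (OneUptime's service is not written in Go); it shows the interpolation pattern the advisory describes next to a hardened builder that resolves the aggregation through an allowlist, checks both column names against the known schema, and leaves the tenant id to a ClickHouse server-side query parameter. The telemetry table, its column names and the request type are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// allowedAggregations maps the aggregation names the API accepts to the
// ClickHouse function that is emitted. Anything else is rejected before it can
// reach the query text.
var allowedAggregations = map[string]string{
	"sum": "sum", "avg": "avg", "min": "min", "max": "max", "count": "count",
}

// identPattern is the identifier shape tolerated for column names: letters,
// digits and underscore, not starting with a digit, at most 64 characters.
var identPattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,63}$`)

// knownColumns is a constructed stand-in for the telemetry table's schema;
// a real service would load this from the table definition.
var knownColumns = map[string]bool{"value": true, "latency_ms": true, "ts": true, "received_at": true}

// AggregationRequest carries the three user-controlled parameters named in the
// advisory plus the tenant the caller is authorized for.
type AggregationRequest struct {
	AggregationType                string
	AggregateColumnName            string
	AggregationTimestampColumnName string
	ProjectID                      string
}

// unsafeQuery reproduces the interpolation pattern the advisory describes:
// every request field is pasted into the SQL text verbatim.
func unsafeQuery(r AggregationRequest) string {
	return fmt.Sprintf(
		"SELECT %s(%s) FROM telemetry WHERE project_id = '%s' GROUP BY toStartOfHour(%s)",
		r.AggregationType, r.AggregateColumnName, r.ProjectID, r.AggregationTimestampColumnName)
}

// safeQuery resolves the aggregation through the allowlist, checks both column
// names against the known schema, and leaves the tenant id to a server-side
// query parameter ({pid:String} is ClickHouse's parameter placeholder syntax),
// so no user-controlled string ever becomes part of the SQL grammar.
func safeQuery(r AggregationRequest) (string, error) {
	fn, ok := allowedAggregations[strings.ToLower(r.AggregationType)]
	if !ok {
		return "", fmt.Errorf("aggregationType %q not in allowlist", r.AggregationType)
	}
	for _, col := range []string{r.AggregateColumnName, r.AggregationTimestampColumnName} {
		if !identPattern.MatchString(col) || !knownColumns[col] {
			return "", fmt.Errorf("column %q is not a known identifier", col)
		}
	}
	if r.ProjectID == "" {
		return "", errors.New("projectID is required")
	}
	q := fmt.Sprintf(
		"SELECT %s(`%s`) FROM telemetry WHERE project_id = {pid:String} GROUP BY toStartOfHour(`%s`)",
		fn, r.AggregateColumnName, r.AggregationTimestampColumnName)
	return q, nil
}

func main() {
	good := AggregationRequest{"sum", "latency_ms", "ts", "project-1"}
	// Constructed malformed input: a column name that is not an identifier.
	bad := AggregationRequest{"sum", "latency_ms) --", "ts", "project-1"}

	fmt.Println("unsafe, malformed:", unsafeQuery(bad)) // handed to ClickHouse as-is
	q, err := safeQuery(good)
	fmt.Println("safe, valid:", q, err)
	_, err = safeQuery(bad)
	fmt.Println("safe, malformed:", err)
}
```

The design point is that the allowlist maps names to functions rather than merely checking them, so the emitted SQL is chosen from a fixed set the code owns; the schema check on top of the identifier regex additionally denies access to columns the caller was never meant to read.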
CVE-2026-32306 is OneUptime's fourth critical vulnerability in six weeks. CVE-2026-27574 (sandbox escape, February 21), CVE-2026-30921 (Playwright RCE, March 9), and CVE-2026-30957 (synthetic monitor RCE, March 10) all scored CVSS 9.9 or 10.0. Each grants cluster-level compromise.
Four CVSS 9.9 vulnerabilities in OneUptime in six weeks is not a string of isolated bugs. Organizations running self-hosted OneUptime should treat the platform as high-risk until its codebase demonstrates consistent security improvement.
— Artem Safonov, Threat Analyst at AnonHaven
Three stack-based buffer overflows affect the D-Link DIR-816 router. CVE-2026-4181, CVE-2026-4182, and CVE-2026-4183 (each CVSS 9.3) sit in different handlers of the /goform/ web interface in firmware version 1.10CNB05. All three are exploitable over the network without authentication. D-Link will not release patches because the DIR-816 has reached end of life.
Owners should replace the hardware immediately.
Dagu, a lightweight Go-based workflow engine, accepted the dagRunId parameter without path validation. CVE-2026-31886 (CVSS 9.1) allowed an attacker to set dagRunId to the value .. (dot-dot), causing the cleanup function to run os.RemoveAll("/tmp"). On root or Docker deployments, that wipes the system temporary directory. Fixed in 2.2.4.
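The following Go example is added for this article and is not Dagu's code; it demonstrates the defect class and the fix in the language the project uses. The unvalidated join shows how an id of .. climbs out of the run directory, and the hardened version applies two independent checks before anything is deleted: the id must match a single-segment identifier pattern, and the joined path must still resolve strictly inside the base directory. The identifier pattern and the base directory are constructed assumptions; Dagu's real id format may differ.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// dagRunIDPattern is a constructed rule for what a run id may look like: a
// single path segment of safe characters. Dagu's real id format may differ.
var dagRunIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,127}$`)

// unsafeRunDir reproduces the defect class: the id is joined to the base with
// no validation, so an id of ".." resolves to the parent of base.
func unsafeRunDir(base, dagRunID string) string {
	return filepath.Join(base, dagRunID)
}

// safeRunDir accepts the id only if it matches the pattern and, as a second
// independent check, only if the joined path lies strictly inside base.
func safeRunDir(base, dagRunID string) (string, error) {
	if !dagRunIDPattern.MatchString(dagRunID) {
		return "", fmt.Errorf("dagRunId %q is not a valid identifier", dagRunID)
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	dir := filepath.Join(absBase, dagRunID)
	rel, err := filepath.Rel(absBase, dir)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("dagRunId escapes the run directory")
	}
	return dir, nil
}

// cleanupRun deletes one run's scratch directory and nothing else.
func cleanupRun(base, dagRunID string) error {
	dir, err := safeRunDir(base, dagRunID)
	if err != nil {
		return err
	}
	return os.RemoveAll(dir)
}

func main() {
	const base = "/tmp/dagu-runs" // constructed base directory
	fmt.Println("unsafe join with '..':", unsafeRunDir(base, "..")) // prints /tmp
	for _, id := range []string{"run-20260314-001", "..", "../etc", "a/b", ""} {
		dir, err := safeRunDir(base, id)
		fmt.Printf("safeRunDir(%q) -> %q, err=%v\n", id, dir, err)
	}
}
```

Keeping the containment check separate from the syntax check matters: if the id format is later relaxed (for example to allow dots), the path check still refuses anything that resolves outside the base.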
Dagu has disclosed five security advisories in the past month. CVE-2026-27598 (path traversal leading to arbitrary YAML write and RCE) appeared alongside CVE-2026-31882 (authentication bypass on SSE endpoints). The pattern indicates Dagu's API layer was designed without security boundaries.
High tier
Adobe Commerce stores still running without the September 2025 hotfix should act now. CVE-2025-54236 (CVSS 9.1) reappeared in the March 14-15 feed as an NVD update. The underlying flaw, a nested deserialization bug in Magento's REST API, enables unauthenticated account takeover and remote code execution. Adobe patched it on September 9, 2025, and confirmed active exploitation on October 22.
Sansec reported that 62% of Magento stores remained unpatched six weeks after the fix. The firm called the flaw, which it named SessionReaper, one of the most severe Magento vulnerabilities in history, alongside Shoplift (2015), TrojanOrder (2022), and CosmicSting (2024).
Two AI prompt injection issues target Microsoft 365 Copilot. CVE-2025-32711 (EchoLeak, CVSS 7.5), discovered by Aim Security, enabled zero-click data theft from M365 Copilot via crafted image URLs in emails. Microsoft patched it in May 2025 after a five-month remediation cycle. CVE-2026-26133 (CVSS 7.1), found by Permiso Security's Andi Ahmeti, injected phishing content into Copilot's email summaries in Outlook and Teams. Microsoft completed that patch on March 11, 2026.
EchoLeak and CVE-2026-26133 represent a new vulnerability class where traditional prompt injection weaponizes AI assistants embedded in productivity software. Every organization deploying Copilot should model AI assistants as part of its attack surface.
— Artem Safonov, Threat Analyst at AnonHaven
Erlang OTP's inets httpd module failed to reject duplicate Content-Length headers. CVE-2026-23941 (CVSS 7.0) enabled HTTP request smuggling. The server parsed the body using the earliest Content-Length value, while common reverse proxies (nginx, Apache httpd, Envoy) honor the last value. Accepting conflicting Content-Length values violates RFC 9112 Section 6.3, and the resulting desynchronization between proxy and origin is what makes smuggling possible. Fixed in OTP 28.4.1, released March 12, 2026.
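The RFC 9112 rule the advisory cites is simple to state and easy to get wrong: a recipient may collapse repeated Content-Length fields only when every value is identical, must treat differing values as an unrecoverable framing error, and must not let Content-Length coexist with Transfer-Encoding. The following Go example is added for this article, not code from Erlang OTP or any proxy; it is a minimal request-head parser that applies those rules and returns an error instead of guessing, which is the behaviour both the origin and any proxy in front of it need to share. The sample request in main is constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrAmbiguousFraming is returned when the request carries framing information
// that two parsers could legitimately read differently.
var ErrAmbiguousFraming = errors.New("ambiguous message framing: request must be rejected")

// splitHead separates the request head from the body at the first blank line.
func splitHead(raw []byte) (head, body []byte, err error) {
	i := bytes.Index(raw, []byte("\r\n\r\n"))
	if i < 0 {
		return nil, nil, errors.New("incomplete request head")
	}
	return raw[:i], raw[i+4:], nil
}

// bodyLength decides how many body bytes belong to this request. It returns
// -1 when the body is chunked (Transfer-Encoding present, no Content-Length),
// and ErrAmbiguousFraming when Content-Length values conflict or coexist with
// Transfer-Encoding, following RFC 9112 Section 6.3.
func bodyLength(head []byte) (int64, error) {
	lines := strings.Split(string(head), "\r\n")
	var lengths []string
	hasTE := false
	for _, line := range lines[1:] { // lines[0] is the request line
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			return 0, fmt.Errorf("malformed header line %q", line)
		}
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "content-length":
			// A list value ("5, 11") is the same problem as a repeated field.
			for _, v := range strings.Split(value, ",") {
				lengths = append(lengths, strings.TrimSpace(v))
			}
		case "transfer-encoding":
			hasTE = true
		}
	}
	if hasTE {
		if len(lengths) > 0 {
			return 0, ErrAmbiguousFraming // CL and TE together
		}
		return -1, nil // caller applies chunked decoding
	}
	if len(lengths) == 0 {
		return 0, nil
	}
	for _, v := range lengths[1:] {
		if v != lengths[0] {
			return 0, ErrAmbiguousFraming // differing values: unrecoverable
		}
	}
	for _, c := range lengths[0] {
		if c < '0' || c > '9' {
			return 0, fmt.Errorf("invalid Content-Length %q", lengths[0])
		}
	}
	return strconv.ParseInt(lengths[0], 10, 64)
}

func main() {
	// Constructed request with two conflicting Content-Length fields.
	raw := []byte("POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")
	head, body, err := splitHead(raw)
	if err != nil {
		panic(err)
	}
	n, err := bodyLength(head)
	fmt.Printf("body bytes available=%d, framing=%d err=%v\n", len(body), n, err)
}
```

The reader action in the response table, testing the upgraded server behind the reverse proxies actually deployed, amounts to confirming that both sides return the same answer for the conflicting cases this function rejects.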
Erlang OTP has a recent history of critical networking flaws. In April 2025, CVE-2025-32433 (CVSS 10.0) exposed an unauthenticated RCE in the Erlang SSH daemon. Palo Alto's Unit 42 confirmed active exploitation in OT and 5G infrastructure. The same OTP 28.4.1 release fixes CVE-2026-23942 (TSIG validation bypass in the DNS module) and CVE-2026-23943 (SSH decompression bomb).
Response summary
| Vulnerability | Vendor response | Reader action |
|---|---|---|
| CVE-2026-3891 (WordPress) | Patched in v1.6.0 | Update Pix for WooCommerce, scan uploads for .php files |
| CVE-2026-32306 (OneUptime) | Patched in v10.0.23 | Upgrade OneUptime, audit ClickHouse access logs |
| CVE-2026-4181/4182/4183 (D-Link) | No patch (EoL) | Replace DIR-816 hardware |
| CVE-2026-31886 (Dagu) | Patched in v2.2.4 | Upgrade Dagu, restrict API access |
| CVE-2025-54236 (Adobe Commerce) | Hotfix since Sep 2025 | Apply hotfix, scan for webshells, check Sansec IOCs |
| CVE-2025-32711 (M365 Copilot) | Patched May 2025 | Verify M365 patches, restrict Copilot agentic features |
| CVE-2026-26133 (M365 Copilot) | Patched March 11, 2026 | Apply March 2026 updates, monitor Copilot logs |
| CVE-2026-23941 (Erlang OTP) | Patched in OTP 28.4.1 | Upgrade Erlang OTP, test behind reverse proxies |
The remaining 42 items in the March 14-15 batch span lower CVSS ranges and concern niche products with smaller deployment footprints. The full list with links to individual advisories is maintained in the AnonHaven vulnerability tracker. Organizations should prioritize the WordPress plugin, OneUptime, and D-Link items in this cycle. The Adobe Commerce hotfix should have been applied months ago.