Security databases published 197 new vulnerability identifiers on March 14, 2026, with 41 flagged as operationally relevant. The day's critical entries target WordPress e-commerce sites, the OneUptime monitoring platform, and the Dagu workflow engine. Two Chrome zero-days from the previous day's emergency patch also entered the feed.
The lead vulnerability affects WordPress sites running the Pix for WooCommerce payment plugin. CVE-2026-3891 (CVSS 9.8) allows unauthenticated attackers to upload arbitrary files, including PHP web shells, to the server. The lkn_pix_for_woocommerce_c6_save_settings function lacks both a capability check and file type validation, making exploitation trivial. All versions up to and including 1.5.0 are affected, and Wordfence disclosed the flaw on March 13.
Wordfence confirmed that no capability check or file type validation exists in the function. The advisory described the flaw as allowing unauthenticated attackers to upload arbitrary files to the affected server, making remote code execution possible. For WordPress administrators, this is the worst-case file upload scenario because the attacker needs no account, no token, and no user interaction to deliver a web shell.
A successful exploit gives an attacker full control of the WordPress installation. Attackers can install persistent backdoors in theme or plugin files, create new administrator accounts via direct database inserts, inject SEO spam, deploy cryptocurrency miners, or steal wp-config.php credentials to pivot to payment gateways and hosted services. Version 1.6.0 patches the flaw. The WP-Firewall security team published a detailed post-exploitation analysis on the same day.
OneUptime collected its fourth critical vulnerability in two weeks. CVE-2026-32306 (CVSS 9.9) is a SQL injection in the telemetry aggregation API where aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters are interpolated directly into ClickHouse queries with no allowlist, no parameterized binding, and no input validation. An authenticated user can read all tenant data, modify records, or achieve remote code execution through ClickHouse table functions. Version 10.0.23 patches this flaw.
Four CVSS 9.9 vulnerabilities have hit OneUptime in two weeks. The monitoring platform disclosed CVE-2026-30957 and CVE-2026-30921 (both March 10), which allowed RCE through Synthetic Monitor code execution via exposed Playwright browser objects. CVE-2026-27574 (February 25) enabled full cluster compromise in 30 seconds through a Node.js vm sandbox escape that exposed database passwords, Redis credentials, and ClickHouse keys through environment variables.
The OneUptime advisory confirmed the API uses no input validation whatsoever. An authenticated user can inject arbitrary SQL into ClickHouse and read telemetry data from all tenants, not just their own. The cross-tenant data exposure makes this vulnerability especially dangerous for organizations using OneUptime's hosted service.
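The advisory's three missing controls (allowlist, parameterized binding, input validation) map directly onto a small query builder. The following Go code is an added example written for this digest, not OneUptime's own code: it keeps the three parameter names from the advisory, but the `telemetry` table, the column and function allowlists, the `?` placeholder style and the `BuildAggregationQuery` function are all assumptions made here. Identifiers can never be bound as driver parameters, so the only safe option is a closed allowlist; the tenant id, which is data, is bound rather than interpolated.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// AggregationRequest carries the three parameters named in the advisory.
// The struct itself is a hypothetical model for this example.
type AggregationRequest struct {
	AggregationType                string
	AggregateColumnName            string
	AggregationTimestampColumnName string
}

// Query is the builder's output: fixed SQL text plus separately bound arguments.
type Query struct {
	SQL  string
	Args []any
}

// allowedAggregations is an assumed closed set of ClickHouse aggregate
// functions. Anything not in this map never reaches the query text.
var allowedAggregations = map[string]bool{
	"avg": true, "sum": true, "min": true, "max": true, "count": true,
}

// allowedColumns is a constructed list of telemetry columns the endpoint may
// aggregate over; a real service would derive it from the table schema.
var allowedColumns = map[string]bool{
	"value": true, "latency_ms": true, "timestamp": true, "received_at": true,
}

// identifier is a second line of defence: even an allowlisted name must look
// like a bare SQL identifier, so a misconfigured allowlist cannot carry syntax.
var identifier = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ErrRejected is returned for any parameter that fails validation.
var ErrRejected = errors.New("aggregation parameter rejected")

func checkIdent(kind, name string, allowed map[string]bool) error {
	if !identifier.MatchString(name) || !allowed[name] {
		return fmt.Errorf("%w: %s %q is not allowlisted", ErrRejected, kind, name)
	}
	return nil
}

// BuildAggregationQuery validates every identifier against its allowlist and
// binds the tenant id as a parameter. The SQL it returns contains only
// constants from this file, never caller-supplied text.
func BuildAggregationQuery(projectID string, r AggregationRequest) (Query, error) {
	if err := checkIdent("aggregation type", r.AggregationType, allowedAggregations); err != nil {
		return Query{}, err
	}
	if err := checkIdent("aggregate column", r.AggregateColumnName, allowedColumns); err != nil {
		return Query{}, err
	}
	if err := checkIdent("timestamp column", r.AggregationTimestampColumnName, allowedColumns); err != nil {
		return Query{}, err
	}
	sql := fmt.Sprintf(
		"SELECT %s(%s) AS agg, toStartOfMinute(%s) AS bucket FROM telemetry WHERE project_id = ? GROUP BY bucket ORDER BY bucket",
		r.AggregationType, r.AggregateColumnName, r.AggregationTimestampColumnName,
	)
	return Query{SQL: sql, Args: []any{projectID}}, nil
}

func main() {
	good := AggregationRequest{"avg", "latency_ms", "timestamp"}
	q, err := BuildAggregationQuery("proj-123", good)
	fmt.Println(q.SQL, q.Args, err)

	// A column name carrying anything beyond an identifier is refused outright.
	bad := AggregationRequest{"avg", "latency_ms; SELECT 1", "timestamp"}
	_, err = BuildAggregationQuery("proj-123", bad)
	fmt.Println("rejected:", err)
}
```

The allowlist is deliberately a map of exact strings rather than a pattern: a regex alone would still accept a legitimate-looking column from another tenant's schema, whereas the map pins the endpoint to the columns it was designed to serve.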
Dagu, a Go-based workflow engine, picked up CVE-2026-31886 (CVSS 9.1). The `dagRunId` field in the inline DAG execution endpoint passes unsanitized input directly into `filepath.Join`, and setting the value to `..` resolves to the system temporary directory. On root or Docker deployments, the subsequent `os.RemoveAll` call deletes the entire contents of `/tmp`, causing system-wide denial of service. No patch is available.
A separate path traversal flaw in Dagu (CVE-2026-27598) surfaced in February. That bug enabled arbitrary YAML file writes leading to RCE. Two filesystem-related vulnerabilities in under a month point to a pattern of unsanitized path handling throughout the project.
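Both Dagu bugs come down to a path built from a request field without a containment check. The Go code below is an added example for this digest, not Dagu's code: the `RunDir` and `CleanupRun` functions, the run id pattern and the base directory are all assumptions. `JoinWithoutCheck` reproduces the standard-library behaviour the advisory relies on (`filepath.Join` cleans `..` away, so the result is the parent of the base), and `RunDir` shows the two checks that stop it: a strict character allowlist on the id, and a `filepath.Rel` test that the cleaned result is a strict child of the base before any `os.RemoveAll` runs.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrUnsafeRunID is returned for any id that could leave the run directory.
var ErrUnsafeRunID = errors.New("dag run id rejected")

// runIDPattern is an assumed shape for a run id: no dots, no separators,
// no whitespace, at most 64 characters.
var runIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// JoinWithoutCheck is the unchecked pattern the advisory describes. With
// runID == ".." the cleaned result is the parent of baseDir.
func JoinWithoutCheck(baseDir, runID string) string {
	return filepath.Join(baseDir, runID)
}

// RunDir resolves the working directory for a run and refuses any id whose
// cleaned path is not a strict child of baseDir.
func RunDir(baseDir, runID string) (string, error) {
	if !runIDPattern.MatchString(runID) {
		return "", fmt.Errorf("%w: %q has disallowed characters", ErrUnsafeRunID, runID)
	}
	base := filepath.Clean(baseDir)
	dir := filepath.Join(base, runID)
	// Containment check, independent of the pattern above: the relative path
	// from base to dir must not be "." (base itself) or start with "..".
	rel, err := filepath.Rel(base, dir)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %s", ErrUnsafeRunID, runID, base)
	}
	return dir, nil
}

// CleanupRun deletes a run directory only after RunDir has vouched for it,
// so the destructive call can never see baseDir's parent.
func CleanupRun(baseDir, runID string) error {
	dir, err := RunDir(baseDir, runID)
	if err != nil {
		return err
	}
	return os.RemoveAll(dir)
}

func main() {
	base := filepath.Join(os.TempDir(), "dagu-runs") // constructed base directory
	fmt.Println("unchecked join of \"..\":", JoinWithoutCheck(base, ".."))
	for _, id := range []string{"run-20260314-001", "..", "../other", ""} {
		dir, err := RunDir(base, id)
		fmt.Printf("%q -> dir=%q err=%v\n", id, dir, err)
	}
}
```

The character allowlist alone would already reject `..`, but the `filepath.Rel` check is what makes the function safe against future loosening of the pattern; keeping both means a single regex edit cannot reopen the traversal.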
| Vulnerability | CVSS | Product / Component | Fix |
|---|---|---|---|
| CVE-2026-32306 | 9.9 | OneUptime (ClickHouse SQL injection) | 10.0.23 |
| CVE-2026-3891 | 9.8 | WP Pix for WooCommerce (unauth file upload) | 1.6.0 |
| CVE-2026-31886 | 9.1 | Dagu workflow engine (path traversal DoS) | No patch |
| CVE-2026-3910 | 8.8 | Chrome V8 (exploited in the wild) | 146.0.7680.75 |
| CVE-2026-3909 | 8.8 | Chrome Skia (exploited in the wild) | 146.0.7680.75 |
| CVE-2026-31944 | 7.6 | LibreChat (ChatGPT clone, data exposure) | 0.8.2-rc3 |
| CVE-2026-3045 | 7.5 | WP Simply Schedule Appointments (unauth access) | Pending |
| CVE-2026-2890 | 7.5 | WP Formidable Forms (payment bypass) | 6.28+ |
| CVE-2025-13777 | 7.2 | ABB AWIN GW100 (auth replay bypass) | Pending |
| CVE-2026-23941 | 7.0 | Erlang OTP (HTTP request smuggling) | Pending |
The two Chrome zero-days (CVE-2026-3909 and CVE-2026-3910, both CVSS 8.8) entered the March 14 feed after Google shipped an emergency update on March 13. Both are confirmed exploited in the wild. The Skia out-of-bounds write and V8 implementation flaw are the second and third Chrome zero-days of 2026. Update Chrome to 146.0.7680.75 for Windows and Linux, or 146.0.7680.76 for macOS.
Editorial assessment. The March 14 digest splits into two distinct risk profiles. The WordPress Pix for WooCommerce flaw is the most urgent for a wide audience because it requires no authentication and targets e-commerce sites that process real payments. Any WooCommerce store running the Pix plugin at version 1.5.0 or below is a web shell upload away from full compromise.
OneUptime's fourth CVSS 9.9 in two weeks suggests systemic code quality issues in the monitoring platform's input handling, from Synthetic Monitor sandboxing to ClickHouse query construction. Organizations using OneUptime should audit their deployment version immediately, not just patch this one flaw. Dagu users should restrict access to DAG execution endpoints until a fix for CVE-2026-31886 ships.