Eighty-eight new vulnerabilities were published on March 31, 2026, with 42 meeting relevance criteria. The headline is CVE-2026-34156 (CVSS 10.0), a sandbox escape in NocoBase's Workflow JavaScript node. It walks the constructor chain of a leaked host object to reach the host realm and turns that into root-level remote code execution in three lines of code. The day is heavily weighted toward web application platforms.
| CVE | CVSS | Product | Type |
|---|---|---|---|
| CVE-2026-34156 | 10.0 | NocoBase | Sandbox escape → root RCE |
| CVE-2026-3300 | 9.8 | WordPress Everest Forms Pro | RCE |
| CVE-2026-32714 | 9.8 | SciTokens | SQL injection |
| CVE-2026-4317 | 9.3 | Umami Analytics | SQL injection |
| CVE-2026-3107 | 9.3 | Teampass | Stored XSS |
| CVE-2026-3106 | 9.3 | Teampass | Blind XSS |
| CVE-2026-32917 | 9.2 | OpenClaw | Command injection |
| CVE-2026-32916 | 9.2 | OpenClaw | Authorization bypass |
| CVE-2026-30880 | 9.2 | baserCMS | Command injection |
| CVE-2026-30877 | 9.1 | baserCMS | Command injection |
| CVE-2026-21861 | 9.1 | baserCMS | Command injection |
| CVE-2025-32957 | 8.7 | baserCMS | RCE (restoration function) |
| CVE-2026-32982 | 8.7 | OpenClaw | Information disclosure |
| CVE-2026-34042 | 8.2 | act (GitHub Actions) | RCE |
| CVE-2026-34054 | 7.8 | vcpkg (Microsoft) | OpenSSL-related |
| CVE-2026-34041 | 7.7 | act (GitHub Actions) | Unconditional trust |
| CVE-2026-4020 | 7.5 | WordPress Gravity SMTP | Information disclosure |
| CVE-2026-30940 | 7.2 | baserCMS | RCE (theme file API) |
| CVE-2026-34155 | 7.2 | RAUC | Update integrity |
| CVE-2026-4267 | 7.2 | WordPress Query Monitor | Reflected XSS |
CVE-2026-34156 lets an authenticated attacker reach the host-realm Function constructor through console._stdout.constructor.constructor from inside a Node.js vm sandbox. A Function compiled in the host realm evaluates in the host's global scope, so the attacker obtains the real process object, loads child_process, and runs arbitrary commands. The require allowlist is bypassed entirely because no require call is involved. In the default Docker deployment NocoBase runs as uid=0, so those commands run as root.
Researcher 2013xile discovered the flaw. NocoBase patched it in version 2.0.28 (PR #8967, merged March 27, 2026). Classification is CWE-913 (Improper Control of Dynamically-Managed Code Resources) with Scope Changed and all three impact metrics at High.
A full technical breakdown of CVE-2026-34156 is published separately.
Node.js vm sandbox escapes are a recurring pattern. The n8n vulnerabilities (CVE-2026-33660, CVE-2026-33696) covered earlier this month exploited the same class: any host-realm object reachable from inside the context carries a constructor chain back to the host Function. The vm module documentation is explicit that node:vm is not a security mechanism and must not be used to run untrusted code.
CVE-2026-3300 (CVSS 9.8) is an RCE in the Everest Forms Pro plugin for WordPress. The specific attack vector has not been disclosed, but WordPress administrators should check for updates immediately.
Umami, the open-source analytics platform, has a SQL injection. CVE-2026-4317 (CVSS 9.3) involves an improperly sanitised parameter that exposes visitor data. The CVE report references ClickHouse as the affected database backend.
SciTokens has a CVSS 9.8 SQL injection. CVE-2026-32714 affects the authorization token library used in high-energy physics and research computing. Versions prior to 1.9.6 are vulnerable.
OpenClaw disclosed three vulnerabilities in a single window. CVE-2026-32917 (CVSS 9.2) is a remote command injection in the attachment processing middleware, affecting versions prior to 2026.3.13. CVE-2026-32916 (CVSS 9.2) is an authorization bypass where routes are accessible without proper checks, affecting versions 2026.3.7 through 2026.3.11. CVE-2026-32982 (CVSS 8.7) is information disclosure in the fetchRemoteMedia function via a Telegram-related integration.
The Japanese CMS platform baserCMS patched five vulnerabilities in version 5.2.3. Three are command injection at CVSS 9.0 or higher: CVE-2026-30880 (CVSS 9.2), CVE-2026-30877 (CVSS 9.1) in the update function, and CVE-2026-21861 (CVSS 9.1).
CVE-2026-30940 (CVSS 7.2) is an RCE in the theme file management API. CVE-2025-32957 (CVSS 8.7) affects the application restoration function.
The baserCMS batch (five CVEs, three command injection) and OpenClaw cluster (three CVEs including auth bypass and command injection) suggest coordinated disclosure by researchers who audited entire codebases rather than individual functions. This pattern produces higher-quality results but creates urgent patching pressure for maintainers.
Two vulnerabilities affect act, the tool for running GitHub Actions locally. CVE-2026-34042 (CVSS 8.2) is an RCE in versions prior to 0.2.86 through a built-in function flaw. CVE-2026-34041 (CVSS 7.7) is an unconditional trust issue in the same version range.
Developers using act for local CI/CD testing should update. The tool executes workflow definitions with access to the developer's local filesystem, so a flaw in how it trusts its inputs lands directly on the workstation.
Teampass password manager has two XSS flaws. CVE-2026-3107 and CVE-2026-3106 (CVSS 9.3 each) are stored XSS and blind XSS in versions prior to 3.1.5.16. XSS in a password manager is particularly dangerous because a script running in a victim's authenticated session can read or exfiltrate the credentials the application stores.
CVE-2026-34054 (CVSS 7.8) is an OpenSSL-related vulnerability in vcpkg, Microsoft's C/C++ package manager, prior to version 3.6.1#3. CVE-2026-34155 (CVSS 7.2) affects RAUC, the OTA update controller for embedded Linux systems, prior to version 1.15.2. A flaw in RAUC could compromise firmware update integrity for IoT devices.
Two more WordPress plugin flaws round out the batch. CVE-2026-4020 (CVSS 7.5) is sensitive information disclosure in Gravity SMTP, and CVE-2026-4267 (CVSS 7.2) is reflected XSS in Query Monitor.
March 31 produced 88 new CVEs, 42 relevant, 11 at CVSS 9.0 or above, and one perfect 10.0. The vm sandbox escape class continues to claim victims in production platforms. NocoBase joins n8n, vm2, and others that learned the hard way that vm is not a security boundary.