Top CRITICAL CVEs [9th March to 15th March, 2026]

CVE-2026-28292 : simple-git Remote Code Execution Vulnerability

CVSS: 9.8 Critical

Affected Versions

  • Software Affected: simple-git (Node.js Git wrapper library)

  • Vulnerable Versions: simple-git 3.15.0 – 3.32.2

  • Fixed Versions: simple-git 3.32.3 or later


Environments Impacted:

  • Node.js applications using the simple-git library

  • Backend services performing Git operations programmatically

  • CI/CD automation tools using simple-git

  • Cloud applications handling repository operations with user-supplied input

Any web application that allows user input to interact with Git commands via simple-git is at significant risk.


Description

CVE-2026-28292 is a critical Remote Code Execution (RCE) vulnerability affecting the widely used simple-git Node.js library, which allows applications to execute Git commands programmatically.

The vulnerability exists due to a flaw in how the library validates and processes user-supplied arguments when constructing Git commands. A case-sensitivity issue in the security validation logic allows attackers to bypass protections implemented in previous patches.

Specifically, the vulnerability bypasses protections added for earlier vulnerabilities CVE-2022-25860 and CVE-2022-25912. Because the input validation mechanism does not properly handle case variations, attackers can manipulate Git configuration parameters such as protocol.allow to enable unsafe Git operations.

If a Node.js application passes user-controlled input into methods like clone(), fetch(), pull(), or push() using the customArgs parameter, attackers can inject malicious commands that are executed on the underlying host system.

This ultimately allows remote attackers to execute arbitrary OS commands on the server running the application without authentication or user interaction.


Impact

Successful exploitation of CVE-2026-28292 can result in severe compromise of affected systems.

  • Remote Code Execution: Attackers can execute arbitrary system commands on the server.

  • Full System Compromise: Attackers gain read, write, and execution access on the host machine.

  • Data Theft: Sensitive files, credentials, and secrets stored on the server may be accessed or exfiltrated.

  • Service Disruption: Malicious commands can crash or disrupt application services.

  • Malware Deployment: Attackers may install backdoors, cryptominers, or persistent malware.

  • Infrastructure Pivoting: Compromised servers may be used as a foothold to attack internal infrastructure.

Because the vulnerability is network exploitable, requires no authentication, and needs no user interaction, it carries a CVSS score of 9.8 (Critical).


Mitigation

Organizations using Node.js applications with simple-git should immediately apply the following mitigations:

  • Upgrade simple-git to version 3.32.3 or later.

  • Avoid passing user-controlled input directly to Git command arguments.

  • Implement strict input validation and sanitization for all Git parameters.

  • Disable or restrict the Git configuration setting protocol.allow=always.

  • Review application logs for suspicious Git operations or unexpected command executions.

  • Perform security scans on Node.js dependencies to detect vulnerable versions of simple-git.
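The second and third mitigations above (keep caller input out of Git arguments, validate what does get through) can be enforced in one place. The guard below is an added example written for this advisory, not simple-git's own code; the function names and the list of blocked config-key prefixes are our own conservative choices, and it assumes the application only ever needs https remotes. Every comparison runs on a lower-cased copy of the argument, which is the point the case-variant bypass turns on.

```javascript
// Added example (not simple-git's own code): a guard that an application puts in
// front of clone()/fetch()/pull()/push() calls before forwarding caller input
// through customArgs. Function names and the blocked-prefix list are our own
// conservative choices, not the library's validation logic.

// Git treats config section and key names case-insensitively, so every check
// below runs on a lower-cased copy of the argument.
const BLOCKED_CONFIG_PREFIXES = [
  'protocol.',        // protocol.allow and protocol.<scheme>.allow
  'core.sshcommand',
  'core.gitproxy',
  'core.hookspath',
  'core.fsmonitor',
  'core.pager',
  'credential.',
  'uploadpack.',
  'remote.',
  'http.',
  'alias.',
];

// Remote URLs from callers are limited to this scheme (assumption: https-only).
const ALLOWED_SCHEMES = ['https'];

// Plain ref names and relative paths; a leading '-' is rejected separately.
const SAFE_TOKEN = /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/;

// Classify one argument. Returns { ok: true } or { ok: false, reason }.
function classifyArg(arg) {
  if (typeof arg !== 'string' || arg.length === 0) {
    return { ok: false, reason: 'empty-or-non-string' };
  }
  const lower = arg.toLowerCase();

  // 1. Option-like tokens. Untrusted callers never get to supply flags, which
  //    covers -c / -C, --config, --upload-pack and every spelling of them.
  if (lower.startsWith('-')) {
    return { ok: false, reason: 'option-like' };
  }

  // 2. key=value pairs that a preceding -c / --config would consume.
  //    'PROTOCOL.Allow=always' lower-cases to 'protocol.allow' and is refused.
  const eq = lower.indexOf('=');
  if (eq > 0) {
    const key = lower.slice(0, eq);
    if (BLOCKED_CONFIG_PREFIXES.some((prefix) => key.startsWith(prefix))) {
      return { ok: false, reason: 'config-override' };
    }
  }

  // 3. URL-looking tokens: the scheme is compared case-insensitively against
  //    the allowlist, so 'HTTPS://' passes while 'Ext::' or 'file:' do not.
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(lower);
  if (scheme) {
    return ALLOWED_SCHEMES.includes(scheme[1])
      ? { ok: true }
      : { ok: false, reason: 'scheme-not-allowed' };
  }

  // 4. Anything else must look like a ref or a relative path.
  return SAFE_TOKEN.test(arg) ? { ok: true } : { ok: false, reason: 'unsafe-characters' };
}

// Split a customArgs array into accepted and rejected entries with reasons,
// so rejections can be logged and alerted on rather than silently dropped.
function checkCustomArgs(args) {
  const safe = [];
  const rejected = [];
  for (const arg of args) {
    const verdict = classifyArg(arg);
    if (verdict.ok) safe.push(arg);
    else rejected.push({ arg, reason: verdict.reason });
  }
  return { safe, rejected };
}

// Fail closed: throw on the first disallowed argument instead of calling git.
function assertSafeCustomArgs(args) {
  const { rejected } = checkCustomArgs(args);
  if (rejected.length > 0) {
    const detail = rejected.map((r) => `${JSON.stringify(r.arg)} (${r.reason})`).join(', ');
    throw new Error(`refusing customArgs: ${detail}`);
  }
  return args;
}

// Constructed sample of what a request handler might receive from a client.
const SAMPLE_REQUEST_ARGS = [
  'https://example.com/org/repo.git',
  'main',
  'PROTOCOL.Allow=always',   // case-varied config override
  '-C',                      // upper-case flag spelling
  'core.SSHCommand=/tmp/x',  // points the SSH helper at a caller-chosen program
];
console.log(checkCustomArgs(SAMPLE_REQUEST_ARGS));
```

Call `assertSafeCustomArgs(userArgs)` and pass its return value as `customArgs`; anything option-like, any blocked config key in any letter case, and any non-https URL stops the call before Git runs, and the reason string is suitable for the log review the last mitigation asks for.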

CVE-2026-23813: HPE AOS-CX Switch Authentication Bypass Vulnerability

CVSS: 9.8 Critical

Affected Versions

  • Vendor: Hewlett Packard Enterprise (HPE)

  • Affected Product: HPE AOS-CX Network Operating System used in enterprise switches.

  • Known Affected Versions:
      ◦ AOS-CX 10.10.x
      ◦ AOS-CX 10.13.x
      ◦ AOS-CX 10.16.x
      ◦ AOS-CX 10.17.x

  • Deployment Types Impacted:
      ◦ Enterprise campus networks using HPE switches
      ◦ Data center networks with AOS-CX infrastructure
      ◦ Cloud-connected switching environments
      ◦ Any network where the web management interface is exposed

Any device with the AOS-CX web management interface accessible over the network may be vulnerable.


Description

CVE-2026-23813 is a critical authentication bypass vulnerability affecting the web-based management interface of HPE AOS-CX switches.

The issue occurs because the web interface does not properly enforce authentication controls when processing certain requests. Due to this flaw, an attacker can bypass the authentication mechanism entirely.

A remote attacker can send specially crafted requests to the management interface and circumvent login protections. In some cases, this allows the attacker to reset the administrator password without authentication, effectively granting full administrative control over the device.

Because the vulnerability is remotely exploitable over the network and requires no privileges or user interaction, it is classified as critical severity with a CVSS score of 9.8.


Impact

Successful exploitation of CVE-2026-23813 could lead to severe compromise of enterprise network infrastructure.

  • Authentication Bypass: Attackers can access the management interface without valid credentials.

  • Admin Password Reset: Unauthorized users can reset the administrator password.

  • Full Administrative Access: Attackers gain control over switch configurations.

  • Network Traffic Manipulation: Routing, VLANs, and network policies may be modified.

  • Service Disruption: Attackers may disable interfaces or disrupt network connectivity.

  • Infrastructure Compromise: Network switches are critical infrastructure components, increasing the blast radius of compromise.


Mitigation

Organizations using HPE AOS-CX switches should immediately implement the following measures:

  • Apply the latest HPE security patches for AOS-CX switches.

  • Restrict access to the web management interface to trusted internal networks.

  • Disable internet exposure of switch management interfaces.

  • Monitor authentication logs for suspicious login attempts or password resets.

  • Implement network segmentation to isolate critical switching infrastructure.

  • Use secure management access methods such as VPN or restricted administrative networks.

CVE-2026-3891: Pix for WooCommerce plugin for WordPress Arbitrary File Upload Vulnerability

CVSS: 9.8 Critical

Affected Versions

  • Software Affected: Pix for WooCommerce (WordPress plugin by linknacional)

  • Vulnerable Versions: 1.5.0 and earlier

  • Fixed Versions: Refer to vendor updates (deactivate and remove if unpatched)

Environments Impacted:

  • WordPress websites utilizing the Pix for WooCommerce plugin

  • E-commerce platforms running WooCommerce with this plugin enabled

  • Web servers hosting affected WordPress installations

Any WordPress application that has the vulnerable Pix for WooCommerce plugin installed is at significant risk of remote compromise.


Description

CVE-2026-3891 is a critical arbitrary file upload vulnerability affecting the Pix for WooCommerce WordPress plugin, which allows unauthenticated attackers to upload files directly to the server.

The vulnerability exists due to a critical flaw in how the plugin handles settings and file uploads. Specifically, there is a missing capability check and a complete lack of file type validation within the lkn_pix_for_woocommerce_c6_save_settings function.

Because the security validation logic is absent, the endpoint fails to verify whether the user has the appropriate administrative privileges to modify settings or upload files, and it does not restrict the extension or MIME type of the files being uploaded.

If an attacker sends a specially crafted request to this function, they can bypass standard authentication mechanisms and upload malicious files, such as PHP webshells, directly into the site's directories.

This ultimately allows remote attackers to execute arbitrary server-side code on the underlying host system without requiring any authentication or user interaction.


Impact

Successful exploitation of CVE-2026-3891 can result in severe compromise of affected systems.

  • Remote Code Execution: Attackers can upload executable files (like PHP scripts) to run arbitrary system commands on the server.

  • Full Website Compromise: Attackers can gain complete administrative control over the WordPress installation.

  • Data Theft: Sensitive WooCommerce customer data, order records, and site database credentials may be accessed or exfiltrated.

  • Malware Deployment: Attackers may use the compromised server to host phishing pages, distribute malware, or inject malicious scripts into the site frontend.

  • Infrastructure Pivoting: Compromised web servers may be used as a foothold to attack other sites on the same shared hosting environment or internal network.

Because the vulnerability is network exploitable, requires no privileges, requires no user interaction, and allows for unrestricted file uploads leading to RCE, it carries a CVSS score of 9.8 (Critical).


Mitigation

Organizations using WordPress with the Pix for WooCommerce plugin should immediately apply the following mitigations:

  • Upgrade the Pix for WooCommerce plugin to a patched version immediately, if one is available from the vendor.

  • Deactivate and completely remove the plugin if no official patch has been released.

  • Implement Web Application Firewall (WAF) rules to inspect and block malicious or unauthenticated requests targeting the lkn_pix_for_woocommerce_c6_save_settings function.

  • Restrict file execution permissions in the WordPress wp-content/uploads directory (e.g., via .htaccess or server configuration) to prevent the execution of uploaded PHP scripts.

  • Review web server logs for suspicious file upload attempts and scan the server for potential webshells or malware.
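The last mitigation, reviewing web server logs, can be turned into a repeatable check. The detector below is an added example, not code from the plugin or from WordPress. It looks for two signals in Apache/nginx combined-format access logs: any request that executes a PHP-type file under `wp-content/uploads` (what a dropped webshell looks like when it is used), and any request that names the plugin's settings handler. The log lines are constructed, and the assumption that the AJAX action name equals the `lkn_pix_for_woocommerce_c6_save_settings` function name is ours; substitute the real request path once it is confirmed in your own logs.

```javascript
// Added example (not the plugin's or WordPress's code): a detector for two
// access-log signals related to this bug. Rule (a) flags requests that execute a
// PHP-type file under wp-content/uploads; rule (b) flags requests that name the
// plugin's settings handler. The AJAX action name is assumed to equal the
// function name from the advisory; the log lines below are constructed.

const SETTINGS_HANDLER = 'lkn_pix_for_woocommerce_c6_save_settings';
const SCRIPT_UNDER_UPLOADS = /\/wp-content\/uploads\/.*\.(php\d?|phtml|phar)(\?|$)/i;

// Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/;

// Parse one line; returns null for lines that are not in combined format.
function parseAccessLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns the list of rule names an entry trips (empty for benign traffic).
function inspectEntry(entry) {
  const hits = [];
  if (SCRIPT_UNDER_UPLOADS.test(entry.path)) hits.push('script-under-uploads');
  if (entry.path.toLowerCase().includes(SETTINGS_HANDLER)) hits.push('settings-handler-request');
  return hits;
}

// Scan a whole log text and return one finding per (entry, rule) pair.
function scanAccessLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const entry = parseAccessLine(line);
    if (!entry) continue; // lines in another format are skipped, not flagged
    for (const rule of inspectEntry(entry)) {
      findings.push({ rule, ip: entry.ip, time: entry.time, method: entry.method, path: entry.path, status: entry.status });
    }
  }
  return findings;
}

// Group findings by client address so a single source tripping both rules
// (a settings request followed by a script fetch from uploads) stands out.
function summarizeBySource(findings) {
  const bySource = {};
  for (const f of findings) {
    if (!bySource[f.ip]) bySource[f.ip] = new Set();
    bySource[f.ip].add(f.rule);
  }
  return Object.fromEntries(Object.entries(bySource).map(([ip, rules]) => [ip, [...rules].sort()]));
}

// Constructed sample log: two benign lines from one client, two suspicious
// lines from another, and a benign PDF download from the uploads directory.
const SAMPLE_LOG = [
  '198.51.100.9 - - [12/Mar/2026:09:58:41 +0000] "GET /shop/ HTTP/1.1" 200 18422',
  '198.51.100.9 - - [12/Mar/2026:09:58:44 +0000] "POST /wp-admin/admin-ajax.php?action=woocommerce_get_refreshed_fragments HTTP/1.1" 200 611',
  '203.0.113.7 - - [12/Mar/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=lkn_pix_for_woocommerce_c6_save_settings HTTP/1.1" 200 52',
  '203.0.113.7 - - [12/Mar/2026:10:14:05 +0000] "GET /wp-content/uploads/2026/03/invoice.PHP HTTP/1.1" 200 94',
  '198.51.100.9 - - [12/Mar/2026:10:15:10 +0000] "GET /wp-content/uploads/2026/03/invoice.pdf HTTP/1.1" 200 48213',
].join('\n');

console.log(summarizeBySource(scanAccessLog(SAMPLE_LOG)));
```

A 200 response on a `.php` path under `wp-content/uploads` is the stronger of the two signals: if the execution-restriction mitigation above (`.htaccess` or server configuration) is in place, that request should be answered with a 403 or 404 instead, so a 200 there means both the upload and the execution block failed.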

CRAC Learning Foundation