| CVE-2026-2844 | TimePictra Authentication Bypass Vulnerability | 28.02.2026 | 9.3 |
| CVE-2026-3010 | TimePictra Stored Cross-Site Scripting | 28.02.2026 | 9.3 |
| CVE-2026-28515 | openDCIM <= 23.04 Missing Authorization in install.php | 27.02.2026 | 9.3 |
| CVE-2026-28516 | openDCIM <= 23.04 SQL Injection in Config::UpdateParameter | 27.02.2026 | 9.3 |
| CVE-2026-28517 | openDCIM <= 23.04 OS Command Injection via dot Configuration Parameter | 27.02.2026 | 9.3 |
| CVE-2026-28408 | WeGIA lacks authentication verification in adicionar_tipo_docs_atendido.php | 27.02.2026 | 9.8 |
| CVE-2026-28409 | WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection | 27.02.2026 | 10 |
| CVE-2026-28411 | WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)` | 27.02.2026 | 9.8 |
| CVE-2026-28268 | Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse | 27.02.2026 | 9.8 |
| CVE-2026-27947 | Group-Office Vulnerable to Remote Code Execution (RCE) | 27.02.2026 | 9.4 |
| CVE-2026-27755 | SODOLA SL902-SWTGW124AS <= 200.1.20 Predictable Session ID | 27.02.2026 | 9.3 |
| CVE-2026-27751 | SODOLA SL902-SWTGW124AS <= 200.1.20 Use of Default Credentials | 27.02.2026 | 9.3 |
| CVE-2026-2749 | Path traversal in Centreon Open Tickets | 27.02.2026 | 9.9 |
| CVE-2026-2750 | Command Injection via CLAPI generatetraps | 27.02.2026 | 9.1 |
| CVE-2025-15498 | SQL Injection in Pro3W CMS | 27.02.2026 | 9.3 |
| CVE-2025-11252 | SQLi in Signum Technologies' windesk.fm | 27.02.2026 | 9.8 |
| CVE-2025-11251 | SQLi in Dayneks Software's E-Commerce Platform | 27.02.2026 | 9.8 |
| CVE-2026-2251 | Path Traversal leading to Remote Code Execution (RCE) | 28.02.2026 | 9.8 |
| CVE-2025-12981 | Listee <= 1.1.6 - Unauthenticated Privilege Escalation | 27.02.2026 | 9.8 |
| CVE-2026-3301 | Totolink N300RH Web Management cstecgi.cgi setWebWlanIdx os command injection | 27.02.2026 | 9.3 |
| CVE-2026-28370 | | 27.02.2026 | 9.1 |
| CVE-2026-28363 | | 27.02.2026 | 9.9 |
| CVE-2026-21718 | Copeland XWEB and XWEB Pro Use of a Broken or Risky Cryptographic Algorithm | 27.02.2026 | 10 |
| CVE-2026-24663 | Copeland XWEB and XWEB Pro OS Command Injection | 27.02.2026 | 9 |
| CVE-2026-27028 | Mobility46 mobility46.se Missing Authentication for Critical Function | 27.02.2026 | 9.4 |
| CVE-2026-27767 | SWITCH EV swtchenergy.com Missing Authentication for Critical Function | 27.02.2026 | 9.4 |
| CVE-2026-27772 | EV Energy ev.energy Missing Authentication for Critical Function | 27.02.2026 | 9.4 |
| CVE-2026-24731 | EV2GO ev2go.io Missing Authentication for Critical Function | 26.02.2026 | 9.4 |
| CVE-2026-20781 | CloudCharge cloudcharge.se Missing Authentication for Critical Function | 26.02.2026 | 9.4 |
| CVE-2026-25851 | Chargemap chargemap.com Missing Authentication for Critical Function | 26.02.2026 | 9.4 |
| CVE-2026-28213 | EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response | 27.02.2026 | 9.8 |
| CVE-2026-28215 | hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover | 26.02.2026 | 9.1 |
| CVE-2026-22207 | OpenViking Missing root_api_key Allows Anonymous ROOT Access | 27.02.2026 | 9.3 |
| CVE-2026-27966 | Langflow has Remote Code Execution in CSV Agent | 28.02.2026 | 9.8 |
| CVE-2026-27969 | Vitess users with backup storage access can write to arbitrary file paths on restore | 26.02.2026 | 9.3 |
| CVE-2026-27941 | OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows | 26.02.2026 | 10 |
| CVE-2026-27804 | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter | 26.02.2026 | 9.3 |
| CVE-2026-27613 | CGI Parameter Injection (Bypass of STRICT_CGI_PARAMS and EscapeShellParam) | 26.02.2026 | 10 |
| CVE-2026-27498 | n8n has Arbitrary Command Execution via File Write and Git Operations | 26.02.2026 | 9 |
| CVE-2026-27497 | n8n has Potential Remote Code Execution via Merge Node | 26.02.2026 | 9.4 |
| CVE-2026-27577 | n8n: Expression Sandbox Escape Leads to RCE | 26.02.2026 | 9.4 |
| CVE-2026-27493 | n8n has Unauthenticated Expression Evaluation via Form Node | 26.02.2026 | 9.5 |
| CVE-2026-27495 | n8n has a Sandbox Escape in its JavaScript Task Runner | 26.02.2026 | 9.4 |
| CVE-2026-27575 | Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change | 26.02.2026 | 9.1 |
| CVE-2026-0542 | Remote Code Execution in ServiceNow AI Platform | 26.02.2026 | 9.2 |
| CVE-2026-24908 | OpenEMR has SQL Injection in Patient API Sort Parameter | 26.02.2026 | 10 |
| CVE-2026-21902 | Junos OS Evolved: PTX Series: A vulnerability allows an unauthenticated, network-based attacker to execute code as root | 26.02.2026 | 9.3 |
| CVE-2026-27739 | Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline | 27.02.2026 | 9.2 |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability | 26.02.2026 | 10 |
| CVE-2026-20129 | Cisco Catalyst SD-WAN Authentication Bypass Vulnerability | 26.02.2026 | 9.8 |
| CVE-2026-27728 | OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() | 25.02.2026 | 10 |
| CVE-2025-1242 | Administrative Credentials Can Be Extracted Through Gardyn API Responses | 25.02.2026 | 9.3 |
| CVE-2026-27702 | Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud) | 25.02.2026 | 9.9 |
| CVE-2026-27699 | Basic FTP has Path Traversal Vulnerability in its downloadToDir() method | 27.02.2026 | 9.1 |
| CVE-2026-2624 | Authentication Bypass in ePati's Antikor NGFW | 25.02.2026 | 9.8 |
| CVE-2025-62878 | Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern | 26.02.2026 | 9.9 |
| CVE-2026-25785 | | 25.02.2026 | 9.3 |
| CVE-2026-3179 | A path traversal vulnerability was found in the FTP Backup on the ADM. | 25.02.2026 | 9.2 |
| CVE-2026-27597 | @enclave-vm/core is vulnerable to Sandbox Escape | 25.02.2026 | 10 |
| CVE-2026-27637 | FreeScout's Predictable Authentication Token Enables Account Takeover | 25.02.2026 | 9.8 |
| CVE-2026-27641 | Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection | 25.02.2026 | 9.8 |
| CVE-2026-27743 | SPIP referer_spam <= 1.2.1 Unauthenticated SQL Injection | 26.02.2026 | 9.3 |
| CVE-2026-27744 | SPIP tickets < 4.3.3 Unauthenticated RCE | 26.02.2026 | 9.3 |
| CVE-2026-27595 | Parse Dashboard has incomplete authentication on AI Agent endpoint | 27.02.2026 | 9.9 |
| CVE-2026-27608 | Parse Dashboard Missing Authorization on Agent Endpoint | 25.02.2026 | 9.3 |
| CVE-2026-27614 | Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering | 25.02.2026 | 9.3 |
| CVE-2026-27626 | OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks | 27.02.2026 | 10 |
| CVE-2026-27822 | Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover | 25.02.2026 | 9.1 |
| CVE-2026-24849 | OpenEMR Arbitrary File Read Vulnerability | 25.02.2026 | 10 |
| CVE-2026-27593 | Statamic is vulnerable to account takeover via password reset link injection | 27.02.2026 | 9.3 |
| CVE-2026-21410 | InSAT MasterSCADA BUK-TS SQL Injection | 26.02.2026 | 9.3 |
| CVE-2026-22553 | InSAT MasterSCADA BUK-TS OS Command Injection | 26.02.2026 | 9.3 |
| CVE-2026-26341 | Tattile Smart+ / Vega / Basic <= 1.181.5 Default Credentials | 24.02.2026 | 9.3 |
| CVE-2026-26222 | DocLink .NET Remoting Unauthenticated Arbitrary File Read/Write RCE | 27.02.2026 | 10 |
| CVE-2026-27507 | Binardat 10G08-0800GSM Network Switch Hard-coded Credentials | 27.02.2026 | 9.3 |
| CVE-2026-27515 | Binardat 10G08-0800GSM Network Switch Predictable Session Identifiers | 27.02.2026 | 9.3 |
| CVE-2026-27584 | ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints | 27.02.2026 | 9.2 |
| CVE-2026-27208 | api-gateway-deploy Affected by Exploitable Command Injection via Unprivileged Root Execution | 27.02.2026 | 9.2 |
| CVE-2025-14577 | PHP Function Injection in Slican NPC/IPL/IPM/IPU | 24.02.2026 | 9.3 |
| CVE-2025-11165 | | 24.02.2026 | 9.4 |
| CVE-2025-40541 | SolarWinds Serv-U Insecure Direct Object Reference (IDOR) Remote Code Execution Vulnerability | 26.02.2026 | 9.1 |
| CVE-2025-40538 | SolarWinds Serv-U Broken Access Control Remote Code Execution Vulnerability | 26.02.2026 | 9.1 |
| CVE-2025-40539 | SolarWinds Serv-U Type Confusion Remote Code Execution Vulnerability | 26.02.2026 | 9.1 |
| CVE-2025-40540 | SolarWinds Serv-U Type Confusion Remote Code Execution Vulnerability | 26.02.2026 | 9.1 |
| CVE-2025-13942 | | 26.02.2026 | 9.8 |
| CVE-2026-26198 | ormar is vulnerable to SQL Injection through aggregate functions min() and max() | 24.02.2026 | 9.8 |
| CVE-2026-23693 | ElementsKit Elementor Addons < 3.7.9 Unauthenticated Mailchimp REST Endpoint | 25.02.2026 | 9.3 |
| CVE-2025-41002 | SQL injection in Infoticketing | 24.02.2026 | 9.3 |
| CVE-2026-24494 | SQL injection vulnerability in Order Up Online Ordering System | 23.02.2026 | 9.8 |