| CVE-2025-12474 |
libjxl: Uninitialized memory read in decoder due to incorrect optimization in patch handling |
11.02.2026 |
|
| CVE-2026-1837 |
libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2 |
11.02.2026 |
|
| CVE-2026-25868 |
MiniGal Nano <= 0.3.5 Reflected XSS via dir Parameter |
11.02.2026 |
|
| CVE-2018-25157 |
Phraseanet 4.0.3 Stored XSS via Document Upload |
11.02.2026 |
|
| CVE-2019-25306 |
BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Service Path |
11.02.2026 |
|
| CVE-2019-25307 |
WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path |
11.02.2026 |
|
| CVE-2019-25308 |
Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Service Path |
11.02.2026 |
|
| CVE-2019-25309 |
Zilab Remote Console Server 3.2.9 - 'Zilab Remote Console Server' Unquoted Service Path |
11.02.2026 |
|
| CVE-2019-25310 |
ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path |
11.02.2026 |
|
| CVE-2019-25311 |
thesystem Persistent XSS |
11.02.2026 |
|
| CVE-2019-25312 |
InoERP 0.7.2 - Persistent Cross-Site Scripting |
11.02.2026 |
|
| CVE-2019-25314 |
Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting |
11.02.2026 |
|
| CVE-2019-25315 |
WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting |
11.02.2026 |
|
| CVE-2019-25316 |
GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting |
11.02.2026 |
|
| CVE-2019-25317 |
Kimai 2 - persistent cross-site scripting (XSS) |
11.02.2026 |
|
| CVE-2026-2344 |
Stored XSS on Plunet BusinessManager |
11.02.2026 |
|
| CVE-2026-2345 |
Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers |
11.02.2026 |
3.6 |
| CVE-2023-20514 |
|
11.02.2026 |
|
| CVE-2023-20548 |
|
11.02.2026 |
|
| CVE-2023-31324 |
|
11.02.2026 |
|
| CVE-2024-36316 |
|
11.02.2026 |
5.5 |
| CVE-2024-36320 |
|
11.02.2026 |
|
| CVE-2024-36324 |
|
11.02.2026 |
8.8 |
| CVE-2025-48508 |
|
11.02.2026 |
6 |
| CVE-2025-48518 |
|
11.02.2026 |
|
| CVE-2025-52541 |
|
11.02.2026 |
7.3 |
| CVE-2025-61969 |
|
11.02.2026 |
|
| CVE-2025-12059 |
Improper Access Control in Logo Software's Logo j-Platform |
11.02.2026 |
9.8 |
| CVE-2025-48503 |
|
11.02.2026 |
7.8 |
| CVE-2026-2248 |
Unauthenticated Remote Root Shell Access via Web Console in METIS WIC |
11.02.2026 |
9.8 |
| CVE-2026-2249 |
Unauthenticated Remote Command Execution via Web Console in METIS DFS |
11.02.2026 |
9.8 |
| CVE-2026-2250 |
Unauthenticated Data Export and Source Code Disclosure via /dbviewer/ in METIS WIC |
11.02.2026 |
7.5 |
| CVE-2025-8668 |
Reflected XSS in E-Kalite Software Hardware Engineering's Turboard |
11.02.2026 |
9.4 |
| CVE-2026-1226 |
|
11.02.2026 |
|
| CVE-2026-1227 |
|
11.02.2026 |
|
| CVE-2026-2337 |
Reflected XSS on Plunet BusinessManager |
11.02.2026 |
|
| CVE-2026-0910 |
wpForo Forum <= 2.4.13 - Authenticated (Subscriber+) PHP Object Injection |
11.02.2026 |
8.8 |
| CVE-2024-56807 |
Media Streaming add-on |
11.02.2026 |
|
| CVE-2024-56808 |
Media Streaming add-on |
11.02.2026 |
|
| CVE-2025-30266 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-30269 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-30276 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-47205 |
QTS, QuTS hero |
11.02.2026 |
|
| CVE-2025-47209 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-48722 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-48723 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-48724 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-48725 |
QuTS hero |
11.02.2026 |
|
| CVE-2025-52868 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-52869 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-52870 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-53598 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-54146 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-54147 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-54148 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-54149 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-54150 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-54151 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-54152 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-54155 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-54161 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-54162 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-54163 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-54169 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-54170 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-57707 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-57708 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-57709 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-57710 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-57711 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-57713 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-58466 |
QTS, QuTS hero |
11.02.2026 |
|
| CVE-2025-58467 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-58470 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-58471 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-58472 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-59386 |
QuTS hero |
11.02.2026 |
|
| CVE-2025-62853 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-62854 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-62855 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-62856 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-66274 |
QuTS hero |
11.02.2026 |
|
| CVE-2025-66277 |
QTS, QuTS hero |
11.02.2026 |
|
| CVE-2025-66278 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-68406 |
Qsync Central |
11.02.2026 |
|
| CVE-2025-8025 |
Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP |
11.02.2026 |
9.8 |
| CVE-2026-22894 |
File Station 5 |
11.02.2026 |
|
| CVE-2025-10174 |
Improper Access Control in Pan Software's PanCafe Pro |
11.02.2026 |
8.3 |
| CVE-2025-7659 |
Origin Validation Error in GitLab |
11.02.2026 |
8 |
| CVE-2025-12073 |
Server-Side Request Forgery (SSRF) in GitLab |
11.02.2026 |
4.3 |
| CVE-2025-12575 |
Server-Side Request Forgery (SSRF) in GitLab |
11.02.2026 |
5.4 |
| CVE-2025-14560 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab |
11.02.2026 |
7.3 |
| CVE-2025-14592 |
Missing Authorization in GitLab |
11.02.2026 |
3.7 |
| CVE-2025-14594 |
Authorization Bypass Through User-Controlled Key in GitLab |
11.02.2026 |
3.5 |
| CVE-2025-8099 |
Allocation of Resources Without Limits or Throttling in GitLab |
11.02.2026 |
7.5 |
| CVE-2026-0595 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab |
11.02.2026 |
7.3 |
| CVE-2026-0958 |
Interpretation Conflict in GitLab |
11.02.2026 |
7.5 |
| CVE-2026-1080 |
Authorization Bypass Through User-Controlled Key in GitLab |
11.02.2026 |
4.3 |
| CVE-2026-1094 |
Improper Validation of Unsafe Equivalence in Input in GitLab |
11.02.2026 |
4.6 |
| CVE-2026-1282 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab |
11.02.2026 |
3.5 |
| CVE-2026-1387 |
Allocation of Resources Without Limits or Throttling in GitLab |
11.02.2026 |
6.5 |
| CVE-2026-1456 |
Allocation of Resources Without Limits or Throttling in GitLab |
11.02.2026 |
6.5 |
| CVE-2026-1458 |
Allocation of Resources Without Limits or Throttling in GitLab |
11.02.2026 |
6.5 |
| CVE-2025-15096 |
Videospirecore Theme Plugin <= 1.0.6 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover |
11.02.2026 |
8.8 |
| CVE-2026-2295 |
WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more |
11.02.2026 |
5.3 |
| CVE-2025-13648 |
STORED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB |
11.02.2026 |
|
| CVE-2025-13649 |
REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB |
11.02.2026 |
|
| CVE-2025-13650 |
REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB |
11.02.2026 |
|
| CVE-2025-13651 |
LEAK OF SENSITIVE INFORMATION ON MICROCOM'S ZEUSWEB |
11.02.2026 |
|
| CVE-2025-9986 |
Improper Access Control in Vadi Corporate Information System's DIGIKENT |
11.02.2026 |
8.2 |
| CVE-2025-15440 |
iONE360 configurator <= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters |
11.02.2026 |
7.2 |
| CVE-2026-0724 |
WPlyr Media Block <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via '_wplyr_accent_color' Parameter |
11.02.2026 |
4.4 |
| CVE-2026-0815 |
Category Image <= 2.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'tag-image' Parameter |
11.02.2026 |
4.4 |
| CVE-2026-1215 |
MMA Call Tracking <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update |
11.02.2026 |
4.3 |
| CVE-2026-1560 |
Custom Block Builder – Lazy Blocks <= 4.2.0 - Authenticated (Contributor+) Remote Code Execution |
11.02.2026 |
8.8 |
| CVE-2026-1748 |
Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure |
11.02.2026 |
4.3 |
| CVE-2026-1786 |
Twitter posts to Blog <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settings Update |
11.02.2026 |
6.5 |
| CVE-2026-1804 |
WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute |
11.02.2026 |
6.4 |
| CVE-2026-1809 |
HTML Shortcodes <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
11.02.2026 |
6.4 |
| CVE-2026-1821 |
Microtango <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
11.02.2026 |
6.4 |
| CVE-2026-1826 |
OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
11.02.2026 |
6.4 |
| CVE-2026-1827 |
IDE Micro code-editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute |
11.02.2026 |
6.4 |
| CVE-2026-1833 |
WaMate Confirm <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Phone Number Blocking/Unblocking |
11.02.2026 |
5.3 |
| CVE-2026-1853 |
BuddyHolis ListSearch <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'placeholder' Shortcode Attribute |
11.02.2026 |
6.4 |
| CVE-2026-1885 |
Slideshow Wp <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute |
11.02.2026 |
6.4 |
| CVE-2025-10913 |
XSS in saastech.io's TemizlikYolda |
11.02.2026 |
8.3 |
| CVE-2025-10912 |
IDOR in saastech.io's TemizlikYolda |
11.02.2026 |
5.4 |
| CVE-2025-15400 |
OpenPix <= 2.13.3 - Subscriber+ Payment Gateway Settings Reset |
11.02.2026 |
|
| CVE-2026-1235 |
WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection |
11.02.2026 |
|
| CVE-2026-1357 |
Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload |
11.02.2026 |
9.8 |
| CVE-2026-1893 |
Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute |
11.02.2026 |
6.4 |
| CVE-2026-26079 |
|
11.02.2026 |
4.7 |
| CVE-2026-26036 |
|
11.02.2026 |
|
| CVE-2026-26037 |
|
11.02.2026 |
|
| CVE-2026-26038 |
|
11.02.2026 |
|
| CVE-2026-26039 |
|
11.02.2026 |
|
| CVE-2026-26040 |
|
11.02.2026 |
|
| CVE-2026-26041 |
|
11.02.2026 |
|
| CVE-2026-26042 |
|
11.02.2026 |
|
| CVE-2026-26043 |
|
11.02.2026 |
|
| CVE-2026-26044 |
|
11.02.2026 |
|
| CVE-2025-13431 |
SlimStat Analytics <= 5.3.1 - Authenticated (Subscriber+) SQL Injection via `args` Parameter |
11.02.2026 |
6.5 |
| CVE-2025-14541 |
Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter |
11.02.2026 |
7.2 |
| CVE-2025-15524 |
Gallery by FooGallery <= 3.1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Gallery Metadata Exposure |
11.02.2026 |
4.3 |
| CVE-2026-1231 |
Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings |
11.02.2026 |
6.4 |
| CVE-2026-1571 |
Reflected XSS Vulnerability on TP-Link Archer C60 |
11.02.2026 |
|
| CVE-2026-25251 |
|
10.02.2026 |
|
| CVE-2026-25872 |
JUNG Smart Panel 5.1 KNX Unauthenticated Path Traversal |
10.02.2026 |
|
| CVE-2026-25870 |
DoraCMS <= 3.1 UEditor Remote Image Fetch SSRF |
10.02.2026 |
|
| CVE-2026-26013 |
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages |
10.02.2026 |
3.7 |
| CVE-2026-26007 |
cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves |
10.02.2026 |
|