CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-2749 Path traversal in Centreon Open Tickets 27.02.2026 9.9
CVE-2026-2750 Command Injection via CLAPI generatetraps 27.02.2026 9.1
CVE-2025-15498 SQL Injection in Pro3W CMS 27.02.2026 9.3
CVE-2025-11252 SQLi in Signum Technologies' windesk.fm 27.02.2026 9.8
CVE-2025-11251 SQLi in Dayneks Software's E-Commerce Platform 27.02.2026 9.8
CVE-2026-2251 Path Traversal leading to Remote Code Execution (RCE) 27.02.2026 9.8
CVE-2025-12981 Listee <= 1.1.6 - Unauthenticated Privilege Escalation 27.02.2026 9.8
CVE-2026-3301 Totolink N300RH Web Management cstecgi.cgi setWebWlanIdx os command injection 27.02.2026 9.3
CVE-2026-28370 27.02.2026 9.1
CVE-2026-28363 27.02.2026 9.9
CVE-2026-21718 Copeland XWEB and XWEB Pro Use of a Broken or Risky Cryptographic Algorithm 27.02.2026 10
CVE-2026-24663 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 9
CVE-2026-27028 Mobility46 mobility46.se Missing Authentication for Critical Function 27.02.2026 9.4
CVE-2026-27767 SWITCH EV swtchenergy.com Missing Authentication for Critical Function 27.02.2026 9.4
CVE-2026-27772 EV Energy ev.energy Missing Authentication for Critical Function 27.02.2026 9.4
CVE-2026-24731 EV2GO ev2go.io Missing Authentication for Critical Function 26.02.2026 9.4
CVE-2026-20781 CloudCharge cloudcharge.se Missing Authentication for Critical Function 26.02.2026 9.4
CVE-2026-25851 Chargemap chargemap.com Missing Authentication for Critical Function 26.02.2026 9.4
CVE-2026-28213 EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response 26.02.2026 9.8
CVE-2026-28215 hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover 26.02.2026 9.1
CVE-2026-22207 OpenViking Missing root_api_key Allows Anonymous ROOT Access 26.02.2026 9.3
CVE-2026-27966 Langflow has Remote Code Execution in CSV Agent 27.02.2026 9.8
CVE-2026-27969 Vitess users with backup storage access can write to arbitrary file paths on restore 26.02.2026 9.3
CVE-2026-27941 OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows 26.02.2026 10
CVE-2026-27804 Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter 26.02.2026 9.3
CVE-2026-27613 CGI Parameter Injection (Bypass of STRICT_CGI_PARAMS and EscapeShellParam) 26.02.2026 10
CVE-2026-27498 n8n has Arbitrary Command Execution via File Write and Git Operations 26.02.2026 9
CVE-2026-27497 n8n has Potential Remote Code Execution via Merge Node 26.02.2026 9.4
CVE-2026-27577 n8n: Expression Sandbox Escape Leads to RCE 26.02.2026 9.4
CVE-2026-27493 n8n has Unauthenticated Expression Evaluation via Form Node 26.02.2026 9.5
CVE-2026-27495 n8n has a Sandbox Escape in its JavaScript Task Runner 26.02.2026 9.4
CVE-2026-27575 Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change 26.02.2026 9.1
CVE-2026-0542 Remote Code Execution in ServiceNow AI Platform 26.02.2026 9.2
CVE-2026-24908 OpenEMR has SQL Injection in Patient API Sort Parameter 26.02.2026 10
CVE-2026-21902 Junos OS Evolved: PTX Series: A vulnerability allows an unauthenticated, network-based attacker to execute code as root 26.02.2026 9.3
CVE-2026-27739 Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline 25.02.2026 9.2
CVE-2026-20127 Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability 26.02.2026 10
CVE-2026-20129 Cisco Catalyst SD-WAN Authentication Bypass Vulnerability 26.02.2026 9.8
CVE-2026-27728 OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() 25.02.2026 10
CVE-2025-1242 Administrative Credentials Can Be Extracted Through Gardyn API Responses 25.02.2026 9.3
CVE-2026-27702 Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud) 25.02.2026 9.9
CVE-2026-27699 Basic FTP has Path Traversal Vulnerability in its downloadToDir() method 25.02.2026 9.1
CVE-2026-2624 Authentication Bypass in ePati's Antikor NGFW 25.02.2026 9.8
CVE-2025-62878 Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern 26.02.2026 9.9
CVE-2026-25785 25.02.2026 9.3
CVE-2026-3179 A path traversal vulnerability was found in the FTP Backup on the ADM. 25.02.2026 9.2
CVE-2026-27597 @enclave-vm/core is vulnerable to Sandbox Escape 25.02.2026 10
CVE-2026-27637 FreeScout's Predictable Authentication Token Enables Account Takeover 25.02.2026 9.8
CVE-2026-27641 Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection 25.02.2026 9.8
CVE-2026-27743 SPIP referer_spam <= 1.2.1 Unauthenticated SQL Injection 26.02.2026 9.3
CVE-2026-27744 SPIP tickets < 4.3.3 Unauthenticated RCE 26.02.2026 9.3
CVE-2026-27595 Parse Dashboard has incomplete authentication on AI Agent endpoint 25.02.2026 9.9
CVE-2026-27608 Parse Dashboard Missing Authorization on Agent Endpoint 25.02.2026 9.3
CVE-2026-27614 Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering 25.02.2026 9.3
CVE-2026-27626 OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks 25.02.2026 10
CVE-2026-27822 Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover 25.02.2026 9.1
CVE-2026-24849 OpenEMR Arbitrary File Read Vulnerability 25.02.2026 10
CVE-2026-27593 Statamic is vulnerable to account takeover via password reset link injection 24.02.2026 9.3
CVE-2026-21410 InSAT MasterSCADA BUK-TS SQL Injection 26.02.2026 9.3
CVE-2026-22553 InSAT MasterSCADA BUK-TS OS Command Injection 26.02.2026 9.3
CVE-2026-26341 Tattile Smart+ / Vega / Basic <= 1.181.5 Default Credentials 24.02.2026 9.3
CVE-2026-26222 DocLink .NET Remoting Unauthenticated Arbitrary File Read/Write RCE 24.02.2026 10
CVE-2026-27507 Binardat 10G08-0800GSM Network Switch Hard-coded Credentials 24.02.2026 9.3
CVE-2026-27515 Binardat 10G08-0800GSM Network Switch Predictable Session Identifiers 24.02.2026 9.3
CVE-2026-27584 ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints 24.02.2026 9.2
CVE-2026-27208 api-gateway-deploy Affected by Exploitable Command Injection via Unprivileged Root Execution 24.02.2026 9.2
CVE-2025-14577 PHP Function Injection in Slican NPC/IPL/IPM/IPU 24.02.2026 9.3
CVE-2025-11165 24.02.2026 9.4
CVE-2025-40541 SolarWinds Serv-U Insecure Direct Object Reference (IDOR) Remote Code Execution Vulnerability 26.02.2026 9.1
CVE-2025-40538 SolarWinds Serv-U Broken Access Control Remote Code Execution Vulnerability 26.02.2026 9.1
CVE-2025-40539 SolarWinds Serv-U Type Confusion Remote Code Execution Vulnerability 26.02.2026 9.1
CVE-2025-40540 SolarWinds Serv-U Type Confusion Remote Code Execution Vulnerability 26.02.2026 9.1
CVE-2025-13942 26.02.2026 9.8
CVE-2026-26198 ormar is vulnerable to SQL Injection through aggregate functions min() and max() 24.02.2026 9.8
CVE-2026-23693 ElementsKit Elementor Addons < 3.7.9 Unauthenticated Mailchimp REST Endpoint 25.02.2026 9.3
CVE-2025-41002 SQL injection in Infoticketing 24.02.2026 9.3
CVE-2026-24494 SQL injection vulnerability in Order Up Online Ordering System 23.02.2026 9.8
CVE-2026-27574 OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE 24.02.2026 10
CVE-2026-27452 ASN.1 TypeScript Library: Decoding an INTEGER could leak the underlying ArrayBuffer 24.02.2026 9.2
CVE-2026-27471 ERP: Document access through endpoints due to missing validation 24.02.2026 9.3
CVE-2026-27211 Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse 25.02.2026 9.1
CVE-2026-27212 Swiper has a Prototype Pollution Vulnerability 24.02.2026 9.4
CVE-2026-27197 Sentry: Improper Authentication on SAML SSO process allows user identity linking 24.02.2026 9.1
CVE-2019-25441 thesystem 1.0 Command Injection via run_command endpoint 24.02.2026 9.3
CVE-2026-2635 MLflow Use of Default Password Authentication Bypass Vulnerability 27.02.2026 9.8
CVE-2026-27112 Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints 24.02.2026 9.4

Latest Updates

CVE Title Updated Score
CVE-2026-2359 Multer vulnerable to Denial of Service via resource exhaustion 27.02.2026
CVE-2026-3304 Multer vulnerable to Denial of Service via incomplete cleanup 27.02.2026
CVE-2026-2749 Path traversal in Centreon Open Tickets 27.02.2026 9.9
CVE-2026-2750 Command Injection via CLAPI generatetraps 27.02.2026 9.1
CVE-2026-3277 27.02.2026
CVE-2026-3327 Authenticated DatoCMS Web Previews Plugin Iframe Injection 27.02.2026
CVE-2025-15498 SQL Injection in Pro3W CMS 27.02.2026
CVE-2025-10990 Rexml: rexml: denial of service via inefficient regex parsing 27.02.2026
CVE-2026-2751 Blind SQL Injection 27.02.2026 8.3
CVE-2026-3223 Zip Slip leading to Arbitrary File Write and Privilege Escalation in Google Web Designer 27.02.2026
CVE-2025-11950 Reflected XSS in Knowhy's EduAsist 27.02.2026 6.3
CVE-2025-11252 SQLi in Signum Technologies' windesk.fm 27.02.2026 9.8
CVE-2025-11251 SQLi in Dayneks Software's E-Commerce Platform 27.02.2026 9.8
CVE-2026-24350 Stored XSS in PluXml CMS 27.02.2026
CVE-2026-24351 Stored XSS in PluXml CMS 27.02.2026
CVE-2026-24352 Session Fixation in PluXml CMS 27.02.2026
CVE-2026-2831 MailArchiver <= 4.5.0 - Authenticated (Administrator+) SQL Injection via 'logid' Parameter 27.02.2026 4.9
CVE-2026-1434 Reflected XSS in Omega-PSIR 27.02.2026
CVE-2024-10938 OVRI Payment 1.7.0 - Malicious .htaccess directive 27.02.2026 6.5
CVE-2025-14142 Electric Enquiries <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button' Shortcode Attribute 27.02.2026 6.4
CVE-2026-1305 Japanized for WooCommerce <= 2.8.4 - Missing Authorization to Unauthenticated Paidy Order Manipulation 27.02.2026 5.3
CVE-2026-21659 Johnson Controls -Frick Quantum HD-Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion 27.02.2026
CVE-2026-21660 Johnson Controls-Frick Quantum HD-Hardcoded Email Credentials Saved as Plaintext in Firmware 27.02.2026
CVE-2026-1626 27.02.2026 6.5
CVE-2026-1627 27.02.2026 6.5
CVE-2026-21656 Johnson Controls -Frick Quantum HD- Unauthenticated Remote Code Execution 27.02.2026
CVE-2026-21657 Johnson Controls -Frick Quantum HD- Unauthenticated Remote Code Execution 27.02.2026
CVE-2026-21658 Johnson Controls -Frick Quantum HD- Unauthenticated Remote Code Execution 27.02.2026
CVE-2026-21654 Johnson Controls -Frick Quantum HD- Unauthenticated Remote Code Execution 27.02.2026
CVE-2026-2362 WP Accessibility <= 2.3.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via 'alt' Attribute 27.02.2026 6.4
CVE-2026-2383 Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field 27.02.2026 6.4
CVE-2025-12150 Org.keycloak/keycloak-services: webauthn attestation statement verification bypass 27.02.2026
CVE-2026-2251 Path Traversal leading to Remote Code Execution (RCE) 27.02.2026 9.8
CVE-2026-2252 XML External Entity (XXE) vulnerability resulting in Server-Side Request Forgery (SSRF) 27.02.2026 7.5
CVE-2026-27776 27.02.2026
CVE-2025-13327 Uv: uv: specially crafted zip archives lead to arbitrary code execution due to parsing differentials 27.02.2026
CVE-2025-9572 Foreman: satellite: graphql api permission bypass leads to information disclosure 27.02.2026
CVE-2025-9907 Event-driven-ansible: event stream test mode exposes sensitive headers in aap eda 27.02.2026
CVE-2025-9908 Event-driven-ansible: sensitive internal headers disclosure in aap eda event streams 27.02.2026
CVE-2025-9909 Aap-gateway: improper path validation in gateway allows credential exfiltration 27.02.2026
CVE-2026-0871 Org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators 27.02.2026
CVE-2026-0980 Rubyipmi: red hat satellite: remote code execution in rubyipmi via malicious bmc username 27.02.2026
CVE-2025-12981 Listee <= 1.1.6 - Unauthenticated Privilege Escalation 27.02.2026 9.8
CVE-2025-14040 Automotive Car Dealership Business WordPress Theme <= 13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action Fields 27.02.2026 6.4
CVE-2025-14149 Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Scroller Widget box link 27.02.2026 6.4
CVE-2025-15509 27.02.2026
CVE-2025-15567 27.02.2026
CVE-2026-3302 SourceCodester Doctor Appointment System Sign Up register.php cross site scripting 27.02.2026
CVE-2026-27653 27.02.2026
CVE-2026-28372 27.02.2026 7.4
CVE-2026-3293 snowflakedb snowflake-jdbc JDBC URL SdkProxyRoutePlanner.java SdkProxyRoutePlanner redos 27.02.2026
CVE-2026-3301 Totolink N300RH Web Management cstecgi.cgi setWebWlanIdx os command injection 27.02.2026
CVE-2026-28370 27.02.2026 9.1
CVE-2026-3292 jizhiCMS Batch Model.php findAll sql injection 27.02.2026
CVE-2026-1442 Unitree UPK files Hard-Coded Key 27.02.2026 7.8
CVE-2026-1558 WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter 27.02.2026 5.3
CVE-2026-3287 youlaitech youlai-mall App-side Product Pagination Endpoint SpuController.java listPagedSpuForApp sql injection 27.02.2026
CVE-2026-3289 Sanluan PublicCMS Template Cache Generation TemplateCacheComponent.java saveMetadata path traversal 27.02.2026
CVE-2026-28363 27.02.2026 9.9
CVE-2026-28364 27.02.2026 7.9
CVE-2026-2428 Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification 27.02.2026 7.5
CVE-2026-3286 itwanger paicoding Image Save Endpoint ImageRestController.java save server-side request forgery 27.02.2026
CVE-2026-3282 libvips unpremultiply.c vips_unpremultiply_build out-of-bounds 27.02.2026
CVE-2026-3283 libvips extract.c vips_extract_band_build out-of-bounds 27.02.2026
CVE-2026-3284 libvips extract.c vips_extract_area_build integer overflow 27.02.2026
CVE-2026-3285 berry-lang berry be_lexer.c scan_string out-of-bounds 27.02.2026
CVE-2026-24497 27.02.2026
CVE-2026-24498 27.02.2026
CVE-2026-3275 Tenda F453 httpd addressNat fromAddressNat buffer overflow 27.02.2026
CVE-2026-3281 libvips bandrank.c vips_bandrank_build heap-based overflow 27.02.2026
CVE-2026-20764 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-20797 Copeland XWEB and XWEB Pro Stack-based Buffer Overflow 27.02.2026 4.3
CVE-2026-22877 Copeland XWEB and XWEB Pro Path Traversal 27.02.2026 3.7
CVE-2026-23702 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-24452 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-25037 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-25105 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-25196 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-25721 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-3037 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-3274 Tenda F453 httpd L7Prot frmL7ProtForm buffer overflow 27.02.2026
CVE-2021-4456 Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact 27.02.2026
CVE-2026-20742 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-20902 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-20910 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-21389 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-21718 Copeland XWEB and XWEB Pro Use of a Broken or Risky Cryptographic Algorithm 27.02.2026 10
CVE-2026-22878 Mobility46 mobility46.se Insufficiently Protected Credentials 27.02.2026 6.5
CVE-2026-24445 EV Energy ev.energy Improper Restriction of Excessive Authentication Attempts 27.02.2026 7.5
CVE-2026-24517 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-24663 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 9
CVE-2026-24689 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-24695 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-25085 Copeland XWEB and XWEB Pro Unexpected Status Code or Return Value 27.02.2026 8.6
CVE-2026-25109 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-25111 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-25195 Copeland XWEB and XWEB Pro OS Command Injection 27.02.2026 8
CVE-2026-25774 EV Energy ev.energy Insufficiently Protected Credentials 27.02.2026 6.5
CVE-2026-26290 EV Energy ev.energy Insufficient Session Expiration 27.02.2026 7.3
CVE-2026-26305 Mobility46 mobility46.se Improper Restriction of Excessive Authentication Attempts 27.02.2026 7.5
CVE-2026-27028 Mobility46 mobility46.se Missing Authentication for Critical Function 27.02.2026 9.4
CVE-2026-27647 Mobility46 mobility46.se Insufficient Session Expiration 27.02.2026 7.3
CVE-2026-3273 Tenda F453 httpd AdvSetWrlsafeset formWrlsafeset buffer overflow 27.02.2026
CVE-2026-25113 SWITCH EV swtchenergy.com Improper Restriction of Excessive Authentication Attempts 26.02.2026 7.5
CVE-2026-25778 SWITCH EV swtchenergy.com Insufficient Session Expiration 27.02.2026 7.3
CVE-2026-27767 SWITCH EV swtchenergy.com Missing Authentication for Critical Function 27.02.2026 9.4
CVE-2026-27772 EV Energy ev.energy Missing Authentication for Critical Function 27.02.2026 9.4
CVE-2026-27773 SWITCH EV swtchenergy.com Insufficiently Protected Credentials 27.02.2026 6.5
CVE-2026-3271 Tenda F453 httpd P2pListFilterof fromP2pListFilter buffer overflow 27.02.2026
CVE-2026-3272 Tenda F453 httpd DhcpListClient fromDhcpListClient buffer overflow 27.02.2026
CVE-2026-20895 EV2GO ev2go.io Insufficient Session Expiration 26.02.2026 7.3
CVE-2026-22890 EV2GO ev2go.io Insufficiently Protected Credentials 26.02.2026 6.5
CVE-2026-25945 EV2GO ev2go.io Improper Restriction of Excessive Authentication Attempts 26.02.2026 7.5
CVE-2025-40932 Apache::SessionX versions through 2.01 for Perl create insecure session id 26.02.2026
CVE-2026-1585 26.02.2026
CVE-2026-20733 CloudCharge cloudcharge.se Insufficiently Protected Credentials 26.02.2026 6.5
CVE-2026-24731 EV2GO ev2go.io Missing Authentication for Critical Function 26.02.2026 9.4
CVE-2026-27652 CloudCharge cloudcharge.se Insufficient Session Expiration 26.02.2026 7.3
CVE-2026-3269 psi-probe PSI Probe Session ExpireSessionsController.java handleRequestInternal denial of service 26.02.2026
CVE-2026-3270 psi-probe PSI Probe Whois Whois.java lookup server-side request forgery 26.02.2026
CVE-2026-20781 CloudCharge cloudcharge.se Missing Authentication for Critical Function 26.02.2026 9.4
CVE-2026-25114 CloudCharge cloudcharge.se Improper Restriction of Excessive Authentication Attempts 26.02.2026 7.5
CVE-2026-2597 Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes() 26.02.2026
CVE-2026-20791 Chargemap chargemap.com Insufficiently Protected Credentials 26.02.2026 6.5
CVE-2026-20792 Chargemap chargemap.com Improper Restriction of Excessive Authentication Attempts 26.02.2026 7.5
CVE-2026-25711 Chargemap chargemap.com Insufficient Session Expiration 26.02.2026 7.3
CVE-2026-25851 Chargemap chargemap.com Missing Authentication for Critical Function 26.02.2026 9.4
CVE-2026-28230 In SteVe, any authenticated charger can terminate any other charger's active transaction (missing ownership verification on StopTransaction) 26.02.2026
CVE-2026-28269 Kiteworks Core has an OS Command Injection 26.02.2026 5.9
CVE-2026-28274 Initiative Vulnerable to Token Theft via Stored XSS in Document Uploads 26.02.2026 8.7
CVE-2026-28275 Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid) 26.02.2026 8.1
CVE-2026-28276 Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint 26.02.2026 7.5
CVE-2026-28279 `osctrl-admin` Vulnerable to OS Command Injection via Environment Configuration 26.02.2026 7.4
CVE-2026-28280 `osctrl-admin` has Stored Cross-Site Scripting (XSS) in On-Demand Query List 26.02.2026 6.1
CVE-2026-3268 psi-probe PSI Probe Session Attribute RemoveSessAttributeController.java access control 26.02.2026
CVE-2026-28213 EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response 26.02.2026 9.8
CVE-2026-28215 hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover 26.02.2026 9.1
CVE-2026-28216 hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment 26.02.2026 8.3
CVE-2026-28217 IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections 26.02.2026 6.5
CVE-2026-28225 Manyfold has IDOR in ModelFilesController 26.02.2026 5.3
CVE-2026-28226 Phishing Club has Authenticated Blind SQL Injection in GetOrphaned Recipient Listing 26.02.2026 6.5
CVE-2026-3265 go2ismail Free-CRM Security API improper authorization 26.02.2026
CVE-2026-28207 Zen-C Vulnerable to Command Injection via Malicious Output Filename 26.02.2026 6.6
CVE-2026-28208 Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on Linux/Unix 26.02.2026 5.9
CVE-2026-28211 Arbitrary code execution in log reader via untrusted log file 26.02.2026 7.8
CVE-2026-27638 ActualBudget missing authorization in sync endpoints allows cross-user budget file access in multi-user mode 26.02.2026
CVE-2026-27838 wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data 26.02.2026 3.1
CVE-2026-27839 wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup 26.02.2026 4.3
CVE-2026-3264 go2ismail Free-CRM Administrative redirect 26.02.2026
CVE-2026-27449 Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints 26.02.2026 7.5
CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations 26.02.2026 4.3
CVE-2026-27835 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data 26.02.2026 4.3
CVE-2026-25741 Zulip Vulnerable to Modification of Payment Method (Stripe Default Card) by Non-Billing Users 26.02.2026 7.1
CVE-2026-28219 Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners 26.02.2026
CVE-2026-28227 Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category 26.02.2026
CVE-2026-3263 go2ismail Asp.Net-Core-Inventory-Order-Management-System Security API improper authorization 26.02.2026
CVE-2026-27153 Discourse doesn't prevent moderators from exporting user Chat DMs 26.02.2026
CVE-2026-27154 Discourse has XSS when editing a malicious post 26.02.2026
CVE-2026-28218 Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution 26.02.2026