CVE Vulnerabilities - 18 February 2026
331 vulnerabilities published on 18 February 2026
Severity score is listed after each entry.
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
CVE-2026-26960
GHSA-83g3-92jg-28cx
Summary: `tar.extract()` in Node `tar` allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default op...
7.1
OpenClaw: Malicious Sessions Can Send Fake User Instructions
GHSA-w5c7-9qqw-6645
Malicious sessions in OpenClaw can trick other sessions into performing actions by sending fake user instructions that look like they came from a real user. This can lead to unintended behavior in wor...
7.1
OpenClaw Browser Control Plane Exposed to Malicious Websites
CVE-2026-26317
GHSA-3fqr-4cg8-h96q
A vulnerability in OpenClaw and Clawdbot allows malicious websites to control a user's browser, potentially opening tabs, stopping the browser, or changing settings. This can happen if the browser con...
7.1
StorageGRID: Malicious requests can delete configuration data
CVE-2026-22048
StorageGRID versions prior to 11.9.0.12 and 12.0.0.4 with Single Sign-on enabled and Azure AD configured as an identity provider are at risk. An attacker can delete important setup data or lock out ac...
7.1
Delinea Cloud Suite May Allow Hackers to Manipulate Requests
CVE-2025-12811
The Delinea Cloud Suite and Privileged Access Service have a security issue that allows hackers to manipulate HTTP requests, potentially leading to unauthorized access or actions. This issue is fixed ...
6.9
LibreDesk Webhooks Allows Attacker to Access Internal Network
CVE-2026-26957
GHSA-wgm6-9rvv-3438
A security vulnerability in LibreDesk's Webhooks module allows an authenticated administrator to access internal corporate networks or cloud infrastructure. This can happen by exploiting internal port...
6.9
OpenClaw Skill Download Writes Files Outside Intended Directory
CVE-2026-27008
GHSA-h7f7-89mm-pqh6
A bug in OpenClaw allowed a malicious skill to write files to any location on the system instead of a safe, designated area. This could lead to data corruption or unauthorized access. To fix this, the...
6.8
OpenClaw Browser Download Function Allows Uncontrolled File Placement
CVE-2026-26972
GHSA-xwjm-j929-xq7c
A security issue in OpenClaw's browser download feature allows an attacker with authenticated access to write files outside the intended download directory. This could lead to data loss or system comp...
6.7
LangGraph Redis Package Allows Unrestricted Access to Data
CVE-2026-27022
GHSA-5mx2-w598-339m
A security flaw in the LangGraph Redis package allows attackers to bypass access controls and see all data, not just what they're supposed to. This is because the package doesn't properly protect agai...
6.5
Rongzhitong Visual Integrated Command and Dispatch Platform: Unapproved Access to User Data
CVE-2026-2669
The Rongzhitong Visual Integrated Command and Dispatch Platform has a security weakness that allows unauthorized access to user information. This means that a hacker could potentially access sensitive...
6.9
GitHub Enterprise Server allows attackers to access internal services
CVE-2026-1999
An authenticated user with certain permissions can access internal services, potentially disrupting job processing or gaining access to sensitive data. This issue affects all versions of GitHub Enterp...
7.2
Unauthorized files can be uploaded to another user's GitHub repository
CVE-2026-1355
A security flaw in older versions of GitHub Enterprise Server allows an attacker with a valid login to upload files to another user's repository, potentially replacing their data with malicious files....
6.0
QEMU KVM Xen Guest Support Has a Security Flaw
CVE-2026-0665
A bug in QEMU's Xen guest support allows a malicious guest operating system to deliberately cause QEMU to perform incorrect memory accesses, potentially leading to a crash or data corruption. This issu...
6.5
PHPGurukul Hospital Management System v4.0 Exposes Patient Medical Records
CVE-2025-70063
The 'Medical History' module in PHPGurukul Hospital Management System v4.0 allows unauthorized access to other patients' medical records. This is a concern because it means that users can see sensitiv...
6.5
PHPGurukul Hospital Management System allows attackers to create fake doctor accounts
CVE-2025-70062
A security flaw in the 'Add Doctor' module of PHPGurukul Hospital Management System allows hackers to trick authorized users into creating fake doctor accounts. This could lead to unauthorized access ...
6.5
Splunk Monitoring Console App Accessible to Low-Privileged Users
CVE-2026-20141
A user with limited access to a Splunk Enterprise system can access sensitive information by exploiting a permission error in the Monitoring Console App. This could let them see confidential data. To ...
6.5
Mayswind Ezbookkeeping versions 1.2.0 and earlier can crash from deep file uploads
CVE-2025-65519
Versions 1.2.0 and earlier of Mayswind Ezbookkeeping are vulnerable to crashing if a maliciously crafted file is uploaded, which can cause the service to run slowly, stop working, or become completely...
6.5
Graylog API 2.2.3: Authorized Users Can Access Other Users' Profiles
CVE-2026-1436
An authenticated user can access other users' profiles in Graylog 2.2.3, potentially revealing sensitive information like names, email addresses, and activity history. This happens because the API doe...
7.1
WordPress Plugin Allows Attackers to Access Sensitive Data
CVE-2026-1317
A security issue in the WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress allows attackers with subscriber-level access or higher to access sensitive data. This can happen when ...
6.5
Unauthorized users can delete Brevo plugin settings on WordPress sites
CVE-2025-14799
An attacker can delete Brevo plugin settings, disconnect the Brevo integration, and delete subscription forms on a WordPress site without being authorized. This can happen if the Brevo plugin is not u...
6.5
WP-DownloadManager plugin deletes arbitrary files on your server
CVE-2026-2426
The WP-DownloadManager plugin for WordPress allows attackers to delete any file on your server, including sensitive files like your WordPress configuration file. This can lead to a complete server tak...
6.5
Blog2Social for WordPress: Unauthorized Post Changes Possible
CVE-2026-1942
The Blog2Social plugin for WordPress allows unauthorized users to change post titles and contents. This is because the plugin doesn't correctly check if a user has permission to edit posts. We recomme...
6.5
PHP on Red Hat Systems: Unfixable Data Exposure Through Malicious Code
RHSA-2026:2799
A security issue has been found in PHP on Red Hat systems. If an attacker can inject malicious code, they may be able to access sensitive data. Update your systems to the latest version of PHP to prev...
6.5
Taskbuilder Plugin for WordPress Lets Attackers Steal Sensitive Data
CVE-2026-1639
The Taskbuilder plugin for WordPress contains a security flaw that allows an attacker with a subscriber-level account to access sensitive information in the database. This is a serious issue because i...
6.5
OpenClaw extension allows attackers to control HTTP requests to internal hosts
CVE-2026-28476
GHSA-pg2v-8xwh-qhcc
The OpenClaw extension for Urbit can be tricked into sending HTTP requests to any host, including internal ones, if an attacker can control the Urbit URL configuration. This affects deployments that u...
6.3