CVE Vulnerabilities - 24 February 2026

259 vulnerabilities published on 24 February 2026

Airflow Log Viewing Can Execute Malicious Code on the Server
CVE-2024-56373 GHSA-r837-hpv7-pc2f
A DAG Author (who already has quite a lot of permissions) could manipulate the database of Airflow 2 in a way that executes arbitrary code in the web-server ...
8.5
Mastodon: Unapproved FASP Actions Allow DOS Attacks
CVE-2026-27468
Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In version...
4.8
ImageMagick crashes or writes data outside allocated space when handling large UHDR images
CVE-2026-25794 GHSA-vhqj-f5cj-9x8h
`WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. When image dimensions are large, the multiplication overfl...
8.2
ImageMagick: Large image processing can crash or corrupt data
DEBIAN-CVE-2026-25794
ImageMagick is free and open-source software used for editing and manipulating digital images. `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmet...
8.2
REB500: Unauthorized Directory Access and Modification
CVE-2026-2460
A vulnerability exists in REB500 for an authenticated user with low-level privileges to access and alter the content of directories by using the DAC p...
7.6
REB500: Unauthorized Access to Sensitive Files
CVE-2026-2459
A vulnerability exists in REB500 for an authenticated user with Installer role to access and alter the contents of directories that the role is not au...
7.4
Remote Desktop Service in Red Hat Software at Risk of Unauthorized Access
RHSA-2026:3068
8.1
Federated Identity User Data Replacement with Silent JIT Provisioning
CVE-2024-1524
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's...
8.1
Genetec Update Service: Privilege Escalation Risk on Windows Systems
CVE-2025-1789
Local privilege escalation in Genetec Update Service. An authenticated, low-privileged, Windows user could exploit this vulnerability to gain elevated...
5.8
Windows HX Agent driver file fekern.sys gives attackers extra system powers
CVE-2025-14963
A vulnerability identified in the HX Agent driver file fekern.sys allowed a threat actor with local user access the ability to gain elevated system pr...
6.2
Bleon API Gateway Deployment Tool Allows Root Access
CVE-2026-27208
bleon-ethical/api-gateway-deploy provides API gateway deployment. Version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Pr...
7.8
Docker Desktop for Windows, Linux, macOS: Local attacker can read sensitive data
CVE-2026-2664
An out of bounds read vulnerability in the grpcfuse kernel module present in the Linux VM in Docker Desktop for Windows, Linux and macOS up to version...
6.8
ImageMagick allows attackers to bypass security controls when reading/writing from standard streams
DEBIAN-CVE-2026-25966
ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule in...
7.8
DataLinkDC Dinky Flink Proxy Controller Allows Remote Attack
CVE-2026-3052
A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/din...
5.3
DataLinkDC dinky: Unsecured Path Traversal in Project Handler
CVE-2026-3051
A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir of the file dinky-admin/src/main/ja...
5.3
bit7z: Unsecured Archive Extraction Allows File Overwriting
CVE-2026-27117
bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulner...
7.5
Wasmtime Can Crash When Handling Too Many HTTP Request Headers
CVE-2026-27572 GHSA-243v-98vx-264h
Impact: Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of h...
6.9
Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
CVE-2026-25882 GHSA-mrq8-rjmw-wpq3
A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with m...
6.9
Fiber Can Run Out of Memory Due to Large Cookie Attack
CVE-2026-25899 GHSA-2mr3-m5q5-wgp6
Summary: The use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attem...
7.5
Fiber on Windows allows attackers to read arbitrary files
CVE-2026-25891 GHSA-m3c2-496v-cw3v
Summary: A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and r...
8.7
Wasmtime may crash when calling async functions
CVE-2026-27195 GHSA-xjhv-v822-pf94
The affected versions of Wasmtime can panic if the host embedder drops the future returned by `wasmtime::component::[Typed]Func::call_async` before it...
6.9
Tattile Surveillance Devices Allow Unauthenticated Access to Live Video Streams
CVE-2026-26340
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote att...
8.7
NVIDIA Delegated Licensing Service: Authentication Bypass Allows Access
CVE-2026-24241
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an attacker could exploit an improper authentication iss...
7.5
ActualBudget Exposes Bank Account Info Without Login
CVE-2026-27584 GHSA-m2cq-xjgm-f668
Summary: Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy....
9.2
Piwigo Web Photo Gallery: Secret Key Easily Guessable
CVE-2024-48928
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration paramete...
2.7