CVE Vulnerabilities - 25 February 2026
235 vulnerabilities published on 25 February 2026
n8n: Untrusted Users Can Execute System Commands
CVE-2026-27577
GHSA-vpcf-gvg4-6qwr
## Impact
Additional exploits in the expression evaluation of n8n have been identified and patched following [CVE-2025-68613](https://github.com/n8n-i...
9.4
n8n: Untrusted Users Can Run Harmful Code on Server
CVE-2026-27497
GHSA-wxx7-mcgf-j869
## Impact
An authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code...
9.4
n8n: Untrusted Users Can Read Sensitive Files
CVE-2026-27494
GHSA-mmgg-m5j7-f83h
## Impact
An authenticated user with permission to create or modify workflows could use the Python Code node to escape the sandbox. The sandbox did no...
7.1
OneUptime: Hackers can run arbitrary system commands on your server
CVE-2026-27728
GHSA-jmhp-5558-qxh5
## Summary
An OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitra...
10.0
Enclave-VM Core Sandbox Escape Can Allow Remote Code Execution
CVE-2026-27597
GHSA-f229-3862-4942
## Summary
It is possible to escape the security boundaries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE).
Th...
10.0
OliveTin: Untrusted Users Can Execute Arbitrary OS Commands
GHSA-49gm-hh7w-wfvf
CVE-2026-27626
### Summary
OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supply...
10.0
Cisco SD-WAN Software Allows Attackers to Gain Administrator Access
CVE-2026-20127
Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass...
10.0
KEV
n8n Task Runner Sandbox Escape Allows Code Execution
CVE-2026-27495
GHSA-jjpj-p2wh-qf23
## Impact
An authenticated user with permission to create or modify workflows could exploit a vulnerability in the JavaScript Task Runner sandbox to e...
9.4
Budibase Cloud: Authenticated Users Can Access Sensitive Server Data
CVE-2026-27702
GHSA-rvhr-26g4-p2r8
## Summary
A critical unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier ac...
9.9
TinyWeb Web Server: Remote Attackers Can Steal or Execute Code
CVE-2026-27613
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers t...
10.0
Rollup 4 Allows Attackers to Write to Any File on Your Computer
CVE-2026-27606
GHSA-mw96-cpmx-2vgc
### Summary
The Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. I...
8.8
Incorrect math in CIRCL's secp384r1 calculation
CVE-2026-1229
GHSA-q9hv-hpm4-hj6x
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using...
7.9
Flask-Reuploaded: Remote Code Execution via User Input
CVE-2026-27641
GHSA-65mp-fq8v-56jr
### Impact
A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write an...
9.8
Junos OS Evolved on PTX Series: Unauthorized Access to Critical System
CVE-2026-21902
An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved ...
9.3
OpenWRT Devices Can Be Hijacked by Malicious Updates
CVE-2026-27849
Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally...
9.8
mchange-commons-java Library Allows Malicious Code Execution
CVE-2026-27727
GHSA-m2cm-222f-qw44
mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including suppor...
8.9
Cisco Catalyst SD-WAN Manager: Unauthorized Access to System via API
CVE-2026-20129
A vulnerability in the API user authentication of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain access to an a...
9.8
TLS-SRP handshake in MR9600 and MX4200 allows root access
CVE-2026-27848
Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as ...
9.8
Credentials can be injected into database via TLS-SRP handshake
CVE-2026-27847
Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inje...
9.8
Feiyuchuixue sz-boot-parent: Unrestricted File Upload in API Endpoint
CVE-2026-3187
A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/...
5.3
ePati NGFW: Critical Function Bypass Without Authentication
CVE-2026-2624
Missing Authentication for Critical Function vulnerability in ePati Cyber Security Technologies Inc. Antikor Next Generation Firewall (NGFW) allows ...
9.8
itsourcecode News Portal Project 1.0 - Unsecured Contact Form Can Be Hacked
CVE-2026-3164
A vulnerability was found in itsourcecode News Portal Project 1.0. This issue affects some unknown processing of the file /admin/contactus.php. The ma...
6.9
itsourcecode Document Management System SQL Injection Risk
CVE-2026-3153
A vulnerability has been found in itsourcecode Document Management System 1.0. Impacted is an unknown function of the file /register.php. Such manipul...
6.9
itsourcecode College Management System: Unauthorized Data Access Through Teacher ID
CVE-2026-3152
A flaw has been found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/teacher-salary.php....
6.9
itsourcecode College Management System 1.0: Email SQL Injection Risk
CVE-2026-3151
A vulnerability was detected in itsourcecode College Management System 1.0. This vulnerability affects unknown code of the file /login/login.php. The ...
6.9