CVE Vulnerabilities - 25 February 2026
235 vulnerabilities published on 25 February 2026
Lanscope Endpoint Manager: Malicious File Access and Code Execution
CVE-2026-25785
Path traversal vulnerability exists in Lanscope Endpoint Manager (On-Premises) Sub-Manager Server Ver.9.4.7.3 and earlier, which may allow an attacker...
9.3
SourceCodester Shopping Cart Script: Remote SQL Injection Risk
CVE-2026-3148
A vulnerability was determined in SourceCodester Simple and Nice Shopping Cart Script 1.0. This impacts an unknown function of the file /signup.php. T...
6.9
SPIP Tickets Plugin: Unauthenticated Code Execution on Public Ticket Pages
CVE-2026-27744
The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for publi...
9.3
SPIP referer_spam plugin allows unauthorized access to sensitive data
CVE-2026-27743
The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_sp...
9.3
itsourcecode News Portal Project 1.0 SQL Injection via Admin Panel
CVE-2026-3135
A weakness has been identified in itsourcecode News Portal Project 1.0. The impacted element is an unknown function of the file /admin/add-category.ph...
6.9
itsourcecode News Portal Project 1.0 Category Editor SQL Injection Risk
CVE-2026-3134
A security flaw has been discovered in itsourcecode News Portal Project 1.0. The affected element is an unknown function of the file /newsportal/admin...
6.9
itsourcecode Document Management System: SQL Injection in Login File
CVE-2026-3133
A vulnerability has been found in itsourcecode Document Management System 1.0. This issue affects some unknown processing of the file /loging.php of t...
6.9
Storybook Dev Server WebSocket Hijacking Risk
CVE-2026-27148
GHSA-mjf5-7g4m-gx5w
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10,...
8.9
asbplayer v1.13.0: Malicious Subtitle Upload Can Execute Code
CVE-2025-69771
An arbitrary file upload vulnerability in the subtitle loading function of asbplayer v1.13.0 allows attackers to execute arbitrary code via uploading ...
9.6
Bugsink allows attackers to inject malicious code via stacktrace
CVE-2026-27614
GHSA-vp6q-7m36-pq3w
### Summary
An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event.
The payload executes o...
9.3
Angular SSR allows hackers to control where your site's requests go
CVE-2026-27739
GHSA-x288-3778-4hhx
A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the An...
9.2
ServiceNow AI Platform: Unauthenticated Code Execution Risk
CVE-2026-0542
ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an ...
9.2
Parse Server: Hackers can take control of any user account linked to Google
CVE-2026-27804
GHSA-4q3h-vp4r-prv2
### Impact
An unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google account, w...
9.3
Rust Console: Hackers Can Steal Admin Credentials via PDF Preview
CVE-2026-27822
GHSA-v9fg-3cr2-277j
### Summary
A Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context ...
9.1
Basic FTP Library Allows Malicious FTP Server to Access Sensitive Files
CVE-2026-27699
GHSA-5rq4-664w-9x2c
The `basic-ftp` library contains a path traversal vulnerability in the `downloadToDir()` method. A malicious FTP server can send directory listings wi...
9.1
Vikunja Task Management Software Allows Weak Passwords and Post-Password Attack Access
CVE-2026-27575
GHSA-3ccg-x393-96v8
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234...
9.1
n8n: Unauthenticated Input Can Execute Code on Server
CVE-2026-27493
GHSA-75g8-rv7v-32f7
## Impact
A second-order expression injection vulnerability existed in n8n's Form nodes that could allow an unauthenticated attacker to inject and eva...
9.5
Gardyn IoT Hub: Admin Credentials Exposed Through API and Device Access
CVE-2025-1242
The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse...
9.3
Octopus Deploy: Unvalidated API Endpoint Allows File Deletion
CVE-2026-0704
In affected versions of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked val...
5.9
VMware Aria Operations allows attackers to inject malicious scripts
CVE-2026-22720
VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able...
9.0
Apache Commons C3P0 allows attackers to run code remotely
CVE-2026-27830
GHSA-5476-xc4j-rqcv
### Impact
c3p0 is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `Connect...
8.9
LORIS allows unauthorized file upload, potentially leading to code execution
CVE-2026-26984
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging r...
8.8
FreeRDP Remote Desktop Protocol Implementation - Data Corruption Risk
CVE-2026-26965
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle(...
8.8
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline...
CVE-2026-26955
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in...
8.8
OpenEMR: Malicious Code Can Access Patient Data
CVE-2026-25746
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injecti...
8.8