
CVE Vulnerabilities - 25 February 2026


235 vulnerabilities published on 25 February 2026

Severity:
OpenEMR Immunization Module Allows Unauthorized Database Access
CVE-2026-23627
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vuln...
7.4
Advanced Woo Labels plugin for WordPress allows hackers to run server commands
CVE-2026-1929
The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use...
8.8
Tenda F453 Software Has a Buffer Overflow Flaw That Allows Remote Attacks
CVE-2026-3169
A security vulnerability has been detected in Tenda F453 1.0.0.3. This impacts the function fromSafeEmailFilter of the file /goform/SafeEmailFilter of...
7.4
Tenda F453 router allows remote code execution via malicious input
CVE-2026-3168
A weakness has been identified in Tenda F453 1.0.0.3. This affects the function fromNatStaticSetting of the file /goform/NatStaticSetting of the compo...
7.4
Tenda F453 Software Allows Remote Attackers to Crash the Device
CVE-2026-3167
A security flaw has been discovered in Tenda F453 1.0.0.3. The impacted element is the function formWebTypeLibrary of the file /goform/webtypelibrary ...
7.4
Tenda F453 Software Allows Remote Attackers to Overwrite Memory
CVE-2026-3166
A vulnerability was identified in Tenda F453 1.0.0.3. The affected element is the function fromRouteStatic of the file /goform/RouteStatic of the comp...
7.4
Tenda F453 Routers: Remote Code Execution from Unauthenticated Users
CVE-2026-3165
A vulnerability was determined in Tenda F453 1.0.0.3. Impacted is the function fromSetWifiGusetBasic of the file /goform/AdvSetWrlsafeset of the compo...
7.4
itsourcecode College Management System SQL Injection Risk
CVE-2026-3150
A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teac...
5.3
itsourcecode College Management System SQL Injection Risk
CVE-2026-3149
A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/...
5.3
SPIP interface_traduction_objets plugin SQL injection risk
CVE-2026-27747
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objet...
7.1
SPIP interface_traduction_objets Plugin Allows Remote Code Execution
CVE-2026-27745
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation in...
8.7
InvenTree Server Can Leak Sensitive Data to Clients
CVE-2026-27629
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure infor...
8.8
OpenEMR: Low-privilege users can modify order types without permission
CVE-2026-25131
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Contr...
8.8
n8n allows attackers to run commands on the server
CVE-2026-27498 GHSA-x2mw-7j39-93xq
Impact: An authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk node with git operations to a...
9.0
changedetection.io can be tricked into accessing internal network URLs
GHSA-3c45-4pj5-ch7m CVE-2026-27696
Summary: Changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not ...
8.6
esm.sh CDN Can Fetch Sensitive Local Services
CVE-2026-27730 GHSA-p2v6-84h2-5x4r
esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm....
8.6
AWS Lambda ALB Conninfo Vulnerable to IP Spoofing Attacks
CVE-2026-27700 GHSA-xh87-mx6m-69f3
Summary: When using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly ...
8.2
RustFS: Unsecured File Uploads Put Data at Risk
CVE-2026-27607 GHSA-w5fh-f8xh-5x3p
Summary: RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, star...
8.1
pgvector database server crashes or leaks sensitive data
CVE-2026-3172
Buffer overflow in parallel HNSW index build in pgvector 0.6.0 through 0.8.1 allows a database user to leak sensitive data from other relations or cra...
8.1
FreeRDP Remote Desktop Protocol Client Memory Leak
CVE-2026-25941
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 h...
8.1
Parse Dashboard Agent Endpoint Lacks Authorization
CVE-2026-27608 GHSA-cvwj-6c9h-jg6v
Impact: The AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can acce...
9.3
AVideo can be tricked into accessing unauthorized internal servers
CVE-2026-27732 GHSA-h39h-7cvg-q7j6
Vulnerability Type: Authenticated Server-Side Request Forgery (SSRF). Affected Product/Versions: AVideo versions prior to 22 (tested on AVideo 2...
8.6
Rucio WebUI: Attackers can steal user login sessions
CVE-2026-25136 GHSA-h79m-5jjm-jm4q
Summary: A reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could all...
8.1
Chia Blockchain 2.1.0 Allows Remote Attackers to Authenticate Improperly
CVE-2026-3192
A security vulnerability has been detected in Chia Blockchain 2.1.0. This issue affects the function _authenticate of the file rpc_server_base.py of t...
6.3
Malicious Files Can Be Written Outside Intended Backup Directory
CVE-2026-3179
The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MIT...
9.2