CVE Vulnerabilities - 25 February 2026

235 vulnerabilities published on 25 February 2026

Red Hat Backstage Orchestrator Plugin Crashes with Malicious Input
CVE-2026-3118
A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation ...
6.5
FTP Backup on ADM Fails to Verify Server Certificates
CVE-2026-3100
The FTP Backup on the ADM does not strictly enforce TLS certificate verification when connecting to an FTP server using FTPES/FTPS. An impro...
8.3
Unauthorized Access to Medical Records in OpenEMR
CVE-2026-25127
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not p...
7.0
OpenEMR Prior to 8.0.0 Allows Unauthorized Access to Patient Data
CVE-2026-25124
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the OpenEMR applicati...
6.5
OpenEMR: Unauthorized access to sensitive medical log files
CVE-2026-24896
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Contr...
6.5
OpenEMR: Malicious users can read sensitive files on the server
CVE-2026-24849
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, the `disposeDocument(...
6.5
WordPress Secure Copy plugin allows attackers to inject malicious scripts
CVE-2026-2367
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' ...
6.4
Rise Blocks plugin allows attackers to inject malicious scripts on WordPress sites
CVE-2026-1614
The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘logoTag’ Site Identity ...
6.4
Pangolin Role Handler Allows Unauthorized Access
CVE-2026-3209
A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects the function verifyRoleAccess/verifyApiKeyRoleAccess of the component ...
5.3
Physical Access to Device Allows Unauthorized Network Access
CVE-2026-27846
Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network...
6.2
Vikunja Task Management Platform: Phishing and Redirect Risk in Projects Module
CVE-2026-27116 GHSA-4qgr-4h56-8895
Summary: [Vikunja](https://github.com/go-vikunja/vikunja) is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflec...
6.1
GitLab: Unauthenticated User Can Inject Malicious Scripts in Mermaid UI
CVE-2026-0752
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under c...
6.1
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute
GHSA-fq4f-4738-rqxm CVE-2026-25736
Summary: A stored Cross-site Scripting (XSS) vulnerability was identified in the Custom RSE Attribute of the WebUI where attacker-controlled input ...
6.1
Rucio WebUI allows attackers to steal session cookies
GHSA-8wpv-6x3f-3rm5 CVE-2026-25735
Summary: A stored Cross-site Scripting (XSS) vulnerability was identified in the Identity Name of the WebUI where attacker-controlled input is pers...
6.1
Rucio WebUI allows hackers to run malicious code in user's browser
GHSA-h9fp-p2p9-873q CVE-2026-25734
Summary: A stored Cross-site Scripting (XSS) vulnerability was identified in the RSE metadata of the WebUI where attacker-controlled input is persi...
6.1
changedetection.io Allows Malicious Code to Run in Browser
GHSA-mw8m-398g-h89w CVE-2026-27645
Summary: Three security vulnerabilities were identified in [changedetection.io](http://changedetection.io/) through source code review and live val...
6.1
BigBlueButton 3.x versions prior to 3.0.20 can redirect users to malicious sites
CVE-2026-27736
BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks vali...
6.1
repostat: Malicious Code Can Be Injected Via Repository Name
CVE-2026-27612 GHSA-fm8c-6m29-rp6j
Impact: The `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's...
6.1
TeamCity Allows Redirect to Malicious Sites During Project Creation
CVE-2026-28194
In JetBrains TeamCity before 2025.11.3 open redirect was possible in the React project creation flow...
6.1
SPIP Jeux Plugin: Unsecure Code Injects Malicious Content
CVE-2026-27746
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incor...
5.1
SPIP Jeux Plugin: Untrusted Input Injects Harmful Code into Pages
CVE-2026-27746
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incor...
6.1
Karakeep app allows malicious HTML to execute in browser
CVE-2026-27627
Karakeep is a self-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML pars...
6.1
OpenEMR: Unrestricted Redirect to External Websites
CVE-2026-24847
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Eye Exam form mod...
6.1
OpenEMR Unescaped Strings Expose Medical Practice to Malicious Code Injection
CVE-2026-21443
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()` translatio...
1.2
Astro Server Crashes from Large POST Requests
CVE-2026-27729 GHSA-jm64-8m5q-4qh8
Summary: Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid acti...
5.9