
CVE Vulnerabilities - 25 February 2026


235 vulnerabilities published on 25 February 2026

Telerik UI for AJAX versions before 2026.1.225: Predictable file upload IDs
CVE-2026-2878
In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable t...
5.9
Red Hat's edk2 Software May Allow Unauthorized Code Execution
RHSA-2026:3164
5.6
Windows Drivers Can Crash from Invalid Input
CVE-2026-2636
This vulnerability is caused by a CWE‑159: "Improper Handling of Invalid Use of Special Elements" weakness, which leads to an unrecoverable inconsiste...
5.5
Cisco APIC reloads unexpectedly due to invalid input
CVE-2026-20107
A vulnerability in the Object Model CLI component of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, local att...
5.5
iccDEV: Crashes or incorrect color profiles from large input data
CVE-2026-27691
iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, signed integer o...
5.5
Unprivileged users can copy LUKS encryption headers from Linux systems
CVE-2026-26104
A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The ...
5.5
libvips Crashes with Bad Image Files
CVE-2026-3146
A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/forei...
5.5
n8n: Malicious Flows Can Hijack User Sessions
CVE-2026-27578 GHSA-2p9h-rqjw-gm92
Impact: An authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n applicatio...
8.5
WordPress The Events Calendar plugin allows attackers to modify events
CVE-2026-2694
The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check o...
5.4
Cisco Catalyst SD-WAN Manager allows authenticated attacker to overwrite files locally
CVE-2026-20122
A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local fi...
5.4
TypiCMS Allows Malicious SVG Uploads, Compromising User Sessions
CVE-2026-27621 GHSA-xfvg-8v67-j7wp
Summary: A Stored Cross-Site Scripting (XSS) vulnerability exists in the file upload module of TypiCMS. The application allows users with file...
6.8
Patrick Mvuma Queue Management System Cross-Site Scripting Risk
CVE-2026-3171
A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown ...
5.1
Mercator Maps Software: Unsecured Data Injection Risk Through User Input
CVE-2026-27639
Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists...
8.5
OpenEMR older versions allow malicious scripts to run on patient forms
CVE-2025-69231
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site s...
5.4
OpenEMR: Stored XSS in Billing Interface Allows Session Cookie Theft
CVE-2025-67491
OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a store...
8.5
FreeRDP Remote Desktop Protocol Buffer Overread Vulnerability
CVE-2026-26271
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (...
5.5
Parse Dashboard Leaks Master Key to Unauthorized Users
CVE-2026-27610 GHSA-jhp4-jvq3-w5xr
Impact: The `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specif...
7.0
Rucio WebUI Exposes Valid Usernames
GHSA-38wq-6q2w-hcf9 CVE-2026-25138
Summary: The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attacke...
5.3
Fickling has safety check bypass via REDUCE+BUILD opcode sequence
GHSA-mhc9-48gj-9gp3
Assessment: It is believed that the analysis pass works as intended; `REDUCE` and `BUILD` are not at fault here. The few potentially unsafe modules ...
5.3
Feiyuchuixue sz-boot-parent API Endpoint Allows Unauthorized Access
CVE-2026-3185
A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the ...
5.5
JetBrains YouTrack: Unsecured App Permissions Requests
CVE-2026-28193
In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint...
5.3
Hitachi Ops Center Software Session Hijacking Risk
CVE-2025-5781
Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Sessi...
5.2
WordPress Responsive Lightbox Plugin Lets Attackers Access Internal Services
CVE-2026-2479
The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This ...
5.0
OpenEMR Software Clicking on Phishing Links Can Expose Patient Data
CVE-2025-68277
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, when a link is sent v...
7.2
Devolutions Server stores user account info in plain text, exposing it to database access
CVE-2026-3221
Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with acces...
4.9