CVE Vulnerabilities - 26 February 2026
186 vulnerabilities published on 26 February 2026
Vitess: Unauthorized access to production by backup storage users
CVE-2026-27965
GHSA-8g8j-r87h-p36x
### Impact
Any user with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary ...
8.4
Agenta API: Unauthorized Code Execution on Server
CVE-2026-27952
Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code...
9.9
OpenLIT prior to 1.37.1 allows untrusted code to access sensitive data
CVE-2026-27941
OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use th...
9.9
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response retu...
CVE-2026-28213
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifyin...
9.8
itsourcecode School Management System 1.0 SQL Injection Flaw
CVE-2026-3261
A flaw has been found in itsourcecode School Management System 1.0. This impacts an unknown function of the file /settings/index.php of the component ...
6.9
ZenTaoPMS allows attackers to run malicious code
CVE-2025-50857
ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Traversal in /module/ai/control.php. This allows attackers to execute arbitrary code vi...
9.8
Unauthenticated access to servers using Ajenti admin panel
CVE-2026-27975
Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitr...
8.1
Dottie versions 2.0.4 to 2.0.6: Unfixed Prototype Pollution
DEBIAN-CVE-2026-27837
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The pr...
9.8
Hoppscotch API Ecosystem: Unauthorized Config Overwrite
CVE-2026-28215
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure...
9.1
Adobe Photoshop PSD Tools: Memory Exhaustion from Malicious Files
CVE-2026-27809
GHSA-24p2-j2jr-386w
## Summary
A security review of the `psd_tools.compression` module (conducted against the `fix/invalid-rle-compression` branch, commits `7490ffa`–`2a...
6.8
Sub2API Password Reset Link Hijacking in Versions Prior to 0.1.85
CVE-2026-27812
Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to...
8.0
go2ismail Free-CRM Allows Malicious Users to Access Unauthorized Data
CVE-2026-3265
A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This affects an unknown part of the file /api/Sec...
5.3
Free-CRM Administrative Interface Allows Remote Code Execution
CVE-2026-3264
A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functional...
5.3
Kiteworks Can Be Tricked into Overwriting Important System Files
CVE-2026-28269
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks command execution functionality allows authenticated us...
8.8
WireGuard Portal Allows Non-Admins to Gain Administrator Privileges
CVE-2026-27899
GHSA-5rmx-256w-8mj9
# Privilege Escalation to Admin via User Self-Update in wg-portal
## Summary
Any authenticated non-admin user can become a full administrator by sen...
8.8
Asp.Net-Core-Inventory-Order-Management-System: Unauthorized Access to Security API
CVE-2026-3263
A vulnerability was found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected by this vulnerability is an unknown f...
5.3
Unsecured Redirect in Asp.Net-Core-Inventory-Order-Management-System
CVE-2026-3262
A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the co...
5.3
SPIP versions 4.4.10 and earlier allow attackers to execute SQL code on the server
CVE-2026-22206
SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by ...
8.7
Unitree Go2 Firmware: Remote Code Execution through Android App
CVE-2026-27510
Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote ...
6.4
WordPress Plugin Allows Malicious Files to be Uploaded
CVE-2026-1565
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrar...
8.8
Fleet SQL injection in API allows attackers to access sensitive data
CVE-2026-26186
GHSA-49xw-vfc4-7p43
### Summary
A SQL Injection vulnerability in Fleet’s software versions API allowed authenticated users to inject arbitrary SQL expressions via the `o...
5.1
Worry Proof Backup plugin allows attackers to upload malicious files to your WordPress site
CVE-2026-1311
The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload function...
8.8
Agenta LLMOps Platform: API Server Template Injection Risk
CVE-2026-27961
Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API ser...
8.8
Zed Code Editor Extension Installer Allows Arbitrary File Writes
CVE-2026-27976
Zed, a code editor, has an extension installer that allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) c...
8.8
Manyfold 3D Model Manager: Unrestricted File Upload Allows Remote Code Execution
CVE-2026-27635
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version ...
8.8