CVE Vulnerabilities - 26 February 2026

186 vulnerabilities published on 26 February 2026

Initiative Project Management Platform: Malicious File Uploads
CVE-2026-28274
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XS...
8.7
Pelco Sarix Cameras' Web Interface Can Be Bypassed for Unauthorized Access
CVE-2026-1241
The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems...
8.7
SIMPLE.ERP search function allows malicious database queries
CVE-2026-1198
SIMPLE.ERP is vulnerable to SQL Injection in the search functionality of the "Obroty na kontach" window. Lack of input validation allows an authenticated ...
8.6
Google Cloud Vertex AI Workbench Exposes Access Tokens
CVE-2026-2244
A vulnerability in Google Cloud Vertex AI Workbench from 7/21/2025 to 01/30/2026 allows an attacker to exfiltrate valid Google Cloud access tokens of ...
8.4
Hoppscotch API Ecosystem: Unauthorized Access to User Environments
CVE-2026-28216
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's person...
8.3
VM Can Crash Host Server with Flood of Malicious Writes
CVE-2023-31364
Improper handling of direct memory writes in the input-output memory management unit could allow a malicious guest virtual machine (VM) to flood a hos...
8.3
D-Link Wireless N 300 ADSL2+ Modem Router session hijacking risk
CVE-2025-71057
Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via sp...
8.2
n8n: Attackers can inject malicious database queries
GHSA-f3f2-mcxc-pwjx
Impact: An authenticated user with permission to create or modify workflows and access to a database credential could unknowingly create a workflow ...
5.3
OpenShift Container Platform 4.18.34 Security Patch Released
RHSA-2026:2975
8.2
Initiative Project Management Platform: Password Change Token Risk
CVE-2026-28275
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access to...
8.1
Golioth Pouch: Buffer Overflow in BLE Certificate Handling
CVE-2026-23750
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_writ...
7.2
WordPress User Registration & Membership plugin lets attackers log in new users
CVE-2026-1779
The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to...
8.1
Unitree Go2 firmware: Unauthenticated code execution via DDS protocol
CVE-2026-27509
Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS ...
8.5
Malicious Log Files Can Run Code on NVDA with Log Reader
CVE-2026-28211
The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to help NVDA development and testing. A vulnerability exists in versions 2.0 through...
7.8
FastCMS PluginController Code Execution Vulnerability
CVE-2026-26682
An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component...
7.8
Red Hat Linux Kernel Security Update: Privilege Escalation Risk
RHSA-2026:3360
7.8
FinalCode Client Installer Allows Malicious DLL Execution
CVE-2026-25191
The installer of FinalCode Client provided by Digital Arts Inc. contains an issue with the DLL search path. If a user is directed to place a malicious...
8.4
FinalCode Client Installer Grants Unauthorized System Privileges
CVE-2026-23703
The installer of FinalCode Client provided by Digital Arts Inc. contains an incorrect default permissions vulnerability. A non-administrative user may...
8.5
Kibana Workflows Can Allow Attackers to Read Server Files
CVE-2026-26938
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read a...
7.7
WPGraphQL: Malicious Code Can Be Run on GitHub Actions Runner
CVE-2026-27938
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflo...
7.7
Terraform for Linode logs sensitive data in debug logs
CVE-2026-27900 GHSA-5rc7-2jj6-mp64
The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object stor...
7.7
E-Commerce Product allows Malicious Code to Run on Your Site
CVE-2025-14343
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Prod...
7.6
WP SMS for WordPress can be tricked into running malicious SQL commands
CVE-2026-28136
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection. Th...
7.6
Uploaded documents are publicly accessible in Initiative project management platform
CVE-2026-28276
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded ...
7.5
Koa Allows Malicious Host Names in Password Reset Links
CVE-2026-27959 GHSA-7gcc-r8m5-44qm
Summary: Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating t...
7.5