CVE Vulnerabilities - 26 February 2026

Fast-XML-Parser Crashes with Certain XML Input

CVE-2026-27942 GHSA-fj3w-jwp8-x2g3

### Impact Application crashes with stack overflow when user use XML builder with `prserveOrder:true` for following or similar input ``` [{ 'foo...

7.8

minimatch: Unbounded backtracking with GLOBSTAR segments causes delays

CVE-2026-27903 GHSA-7r86-cg39-jmmj

### Summary `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and th...

7.5

minimatch Catastrophic Backtracking with Deep Regex Patterns

CVE-2026-27904 GHSA-23c5-xmqv-rm74

### Summary Nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking i...

7.5

SPIP versions before 4.4.10: Unauthenticated access to sensitive data

CVE-2026-22205

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to acce...

8.7

Apache HTTP Server Panics When Receiving Invalid HTTP/2 Frames

CVE-2026-27141

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

7.5

HTTP/2 Server Crashes when Receiving Invalid Frames

UBUNTU-CVE-2026-27141

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

7.5

Kibana Timelion Can Be Crashed by Malformed Input Data

CVE-2026-26937

Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)...

7.5

Kibana AI Inference Anonymization Engine crashes from bad input

CVE-2026-26936

Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Express...

7.5

Kibana: Malicious Search Queries Can Crash the Application

CVE-2026-26935

Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation...

7.5

Packetbeat may crash if an attacker sends a bad PostgreSQL packet

CVE-2026-26932

Improper Validation of Array Index (CWE-129) in the PostgreSQL protocol parser in Packetbeat can lead Denial of Service via Input Data Manipulation (C...

7.5

Discourse: Anyone Can Access Private User Data

CVE-2026-26265

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items end...

7.5

Discourse: Patreon Integration Secret Key Missing, Data at Risk

CVE-2026-26078

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting i...

7.5

TerriaJS-Server: Malicious Domains Can Be Proxied

CVE-2026-27818 GHSA-w789-49fc-v8hr

### Impact A validation bug allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. The validation only c...

8.7

Red Hat Kernel RT Security Update Affects System Integrity

RHSA-2026:3375

7.5

Firefox: Unpatched Vulnerabilities Allow Malicious Code Execution

RHSA-2026:3361

7.5

Red Hat Python Library Exposes Sensitive Data

RHSA-2026:3359

7.5

Red Hat Kernel Real-Time Update Fixes Security Flaw

RHSA-2026:3358

7.5

Python pyasn1 Library Allows Remote Code Execution

RHSA-2026:3354

7.5

Skopeo Container Tool Security Update Fixes Privilege Escalation Flaw

RHSA-2026:3343

7.5

Skopeo: Unprivileged Access to Docker Images on Linux Systems

RHSA-2026:3340

7.5

Red Hat Container Networking Plugins Security Update Exposes Container Data

RHSA-2026:3341

7.5

Firefox Security Update for Multiple Vulnerabilities

RHSA-2026:3339

7.5

Firefox: Unpatched Flaw Allows Remote Code Execution

RHSA-2026:3338

7.5

Podman: Unauthenticated Container Escalation of Privilege

RHSA-2026:3336

7.5

Podman Vulnerability: Remote Code Execution via Container

RHSA-2026:3337

7.5