CVE Vulnerabilities - 26 February 2026
186 vulnerabilities published on 26 February 2026
Red Hat Linux Kernel Security Update Exposes System to Privilege Escalation
RHSA-2026:3293
7.5
OpenTelemetry Collector for Red Hat: Unauthenticated Data Exposure
RHSA-2026:3289
7.5
OpenShift and other Docker-based systems on Red Hat vulnerable to privilege escalation
RHSA-2026:3291
7.5
Red Hat Linux Kernel Security Update Exposes System to Privilege Escalation
RHSA-2026:3277
7.5
PcVue Web Features Still Use Outdated Password-Credential Sharing
CVE-2026-1693
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the web services used by the WebVue, WebScheduler, TouchVue and ...
5.3
WordPress Arbitrary File Upload Vulnerability in Plugin
BELL-CVE-2026-21863
7.5
WP Responsive Images plugin allows attackers to read server files
CVE-2026-1557
The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This ...
7.5
Adobe PDF Library (pypdf) can be crashed by a malicious PDF
CVE-2026-27888
GHSA-x7hp-r3qg-r3cj
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RA...
8.3
TinyWeb web server crashes with large HTTP requests
CVE-2026-27633
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via mem...
8.7
TinyWeb web server versions 2.02 and earlier can be crashed by slow network traffic
CVE-2026-27630
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack k...
8.7
Microsoft Remote Desktop Client Vulnerability in Red Hat Packages
RHSA-2026:3334
7.4
Zed Code Editor: Malicious Extensions Can Write Outside Sandbox
CVE-2026-27800
Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. T...
7.4
Vikunja Task Manager: Malicious ZIP Can Overwrite System Files
CVE-2026-27819
GHSA-42wg-38gx-85rh
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore...
7.2
uListing 2.2.0 and earlier allows arbitrary data injection
CVE-2026-28138
Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection. This issue affects uListing: from n/a through <=...
7.2
Astro Web Framework Allows Unauthorized Image Fetching
CVE-2026-27829
GHSA-cj9f-h6r6-4cx2
Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` r...
7.2
Curio Exposes Database Credentials in HTTP Error Responses
GHSA-gj6x-q8rh-wj6x
Multiple HTTP handlers in Curio passed raw database error messages to HTTP clients via `http.Error()`. When the PostgreSQL/YugabyteDB driv...
7.1
Zulip: Non-admin users can change organization payment method
CVE-2026-25741
Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update...
7.1
Adobe Acrobat Reader allows unauthorized access to sensitive files
BELL-CVE-2025-67733
7.1
Zed Code Editor Leaks Sensitive Project Files Outside Workspace
CVE-2026-27967
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading ...
7.1
ImageMagick: Unpatched Versions Can Crash with Malicious Images
DEBIAN-CVE-2026-27798
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer...
7.1
MCP Go SDK Fails to Validate Field Names Correctly
CVE-2026-27896
GHSA-wvj2-96wp-fq3f
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing. Go's standard library performs case-insensiti...
7.0
hexpm self-hosted storage allows attackers to access unauthorized files
CVE-2026-23939
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) ...
6.9
Spin can run out of memory if database or web server responses are too large
CVE-2026-27887
Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connec...
6.9
Manyfold versions before 0.133.0 allow hackers to steal user sessions
CVE-2026-27933
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to...
6.8
Phishing Club: Unauthenticated SQL Injection in GetOrphaned Recipient Listing
CVE-2026-28226
Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists i...
6.5