CVE Vulnerabilities - 26 February 2026
186 vulnerabilities published on 26 February 2026
Manyfold 3D Model Manager: Unauthorized Model Access Before 0.133.1
CVE-2026-28225
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version ...
6.5
hoppscotch API Development Ecosystem Exposes Sensitive Data
CVE-2026-28217
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ...
6.5
Discourse Discussion Platform: Unauthorized PM Data Exposure
CVE-2026-27149
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private...
4.9
Fleet: Low-Privilege Users Can See Google Calendar Passwords
CVE-2026-27465
GHSA-2v6m-6xw3-6467
### Summary
A vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-pri...
7.1
Fleet: Unauthorized Certificate Template Deletion by Team Administrators
CVE-2026-25963
GHSA-5jvp-m9h4-253h
### Summary
A broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate template...
5.0
Kibana Can Be Made Unresponsive by Malformed Input
CVE-2026-26934
Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denia...
6.5
Discourse Webhooks Allow Unauthenticated Access without Token
CVE-2026-26077
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Ma...
6.5
Elementor Addon Elements Leaks Sensitive Data From Embedded Content
CVE-2026-28131
Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows R...
6.5
Flatsome Theme: Stored Cross-Site Scripting Can Steal User Data
CVE-2026-28083
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome flatsome allows Stored XSS. Th...
6.5
PcVue GraphicalData and WebClient Missing Security Attributes
CVE-2026-1697
The Secure and SameSite attributes are missing in the GraphicalData web services and WebClient web app of PcVue in version 12.0.0 through 16.3.3 includ...
5.3
Live Helper Chat: Operators can manage chats outside assigned departments
CVE-2026-27954
Live Helper Chat is an open-source application that enables live support websites. In versions up to and including 4.52, three chat action endpoints ...
4.9
OpenEMR: Unauthorized Access to Patient Data in Eye Exam View
CVE-2026-27943
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the ey...
6.5
mcp-server-git allows attackers to access files outside the repository
CVE-2026-27735
GHSA-vjqx-cfc4-9h6v
In `mcp-server-git` versions prior to 2026.1.14, the `git_add` tool did not validate that file paths provided in the files argument were within the re...
6.4
Livemesh Addons for Beaver Builder: Malicious Code Injection via Shortcode
CVE-2026-2029
The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[labb_pricing_item]` shortcode's `ti...
6.4
SteVe: Unauthorized EV Charging Session Termination
CVE-2026-28230
SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message,...
7.1
n8n: Bypassing Single Sign-On Enforcement via API
GHSA-vjf3-2gpj-233v
## Impact
An authenticated user signed in through Single Sign-On (SSO) could disable SSO enforcement for their own account through the n8n API. This a...
6.0
Dottie Library Allows Malicious Code Injection via Prototype Pollution
GHSA-r5mx-6wc6-7h9w
CVE-2026-27837
### Summary
dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3...
6.3
Svelte SSR Webpage Tampering with Untrusted Data
CVE-2026-27901
GHSA-phwv-c562-gvmh
The contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and ...
5.3
Discourse allows malicious user names to execute code in posts
CVE-2026-27154
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML wh...
1.3
Windows Workstation: Malicious User Can Crash System with Special Input
CVE-2026-22722
A malicious actor with authenticated user privileges on a Windows based Workstation host may be able to cause a null pointer dereference error. To Rem...
6.1
A3factura Web Platform Allows Malicious Code Execution
CVE-2026-2680
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerVATNumber', in 'a3factura-app.wolterskluwer.es/#/incomes/sal...
4.8
A3factura Web Platform: Malicious Code Injection via Customer Name
CVE-2026-2679
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerName', in 'a3factura-app.wolterskluwer.es/#/incomes/salesInv...
4.8
A3factura Web Platform: Browser Code Injection Risk
CVE-2026-2678
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'name', parameter 'name', in 'a3factura-app.wolterskluwer.es/#/income...
4.8
A3factura Web Platform Vulnerable to Malicious Browser Code Execution
CVE-2026-2677
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'name', in 'a3factura-app.wolterskluwer.es/#/incomes/representatives-...
4.8
PcVue WebClient and WebScheduler allow malicious server manipulation
CVE-2026-1698
An HTTP Host header attack vulnerability affects WebClient and the WebScheduler web apps of PcVue in version 15.0.0 through 16.3.3 included, allowing a...
5.3