
CVE Vulnerabilities - 26 February 2026


186 vulnerabilities published on 26 February 2026

Severity:
Apache HTTP Server Exposes Sensitive Information to Web Clients
CVE-2026-1696
Some HTTP security headers are not properly set by the web server when sending responses to the client application....
2.3
PcVue OAuth Error Page Allows Remote Code Injection
CVE-2026-1695
An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through...
5.3
PcVue Web Services Allow Remote Attackers to Lure Users to Malicious Websites
CVE-2026-1692
A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue ...
5.3
EM Cost Calculator plugin for WordPress allows attackers to inject malicious scripts
CVE-2026-2506
The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the p...
6.1
VMware Workstation and Fusion Can Let Attackers Hijack Network Traffic
CVE-2026-22715
VMware Workstation and Fusion contain a logic flaw in the management of network packets. Known attack vectors: A malicious actor with administrative...
5.9
Mailpit Exposes Private Servers to Unauthorized Access
GHSA-mpf7-p9x7-96r3 CVE-2026-27808
Summary: The Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD re...
5.8
Fleet: Predictable Lock PIN Can Be Cracked with Device Access
CVE-2026-23999 GHSA-ppwx-5jq7-px2w
Summary: Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key...
4.1
Copyparty: Malicious Links Can Steal or Delete Files
CVE-2026-27948 GHSA-62cr-6wp5-q43h
Summary: An XSS allows for reflected cross-site scripting via URL-parameter `?setck=...` Details: A reflected cross-site scripting (XSS) vulner...
5.4
Svelte: Malicious Code Injection in Error Messages
CVE-2026-27902 GHSA-qgvg-pr8v-6rr3
Errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attack...
5.3
Discourse Data Explorer plugin allows unauthorized SQL queries
CVE-2026-28218
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin...
5.3
Discourse: Unauthorized Users Can Access Private Posts
CVE-2026-26207
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticat...
5.4
PuneethReddyHC Event Management System 1.0: Malicious Code Can Run in Browser
CVE-2025-56605
A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobi...
5.4
Checkmk: Malicious JavaScript injection in Synthetic Monitoring logs
CVE-2025-64999
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's ...
7.3
Unauthorized access to poll data in Discourse before 2025.12.2, 2026.1.1, and 2026.2.0
CVE-2026-27021
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked po...
6.9
Fleet: Android Devices Can Be Removed from Management Without Password
CVE-2026-24004 GHSA-9pm7-6g36-6j78
Summary: A vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This ...
6.3
WooCommerce Photo Reviews allows malicious code to be injected into web pages
CVE-2026-28132
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-...
5.3
WordPress User Registration Plugin Exposes New User Accounts to Deletion
CVE-2026-2356
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Obje...
5.3
NetExec's spider_plus module fails to handle malicious SMB file paths
CVE-2026-27884
NetExec is a network execution tool. Prior to version 1.5.1, the module spider_plus improperly creates the output file and folder path when saving fil...
5.3
Kubernetes Sealed Secrets Allows Cluster-Wide Access to Restricted Secrets
CVE-2026-22728 GHSA-465p-v42x-3fmj
This report shows a scope-widening issue in the rotate (re-encrypt) flow: the output scope can be derived from untrusted `spec.template.metadata.annot...
4.9
Discourse: Unsecured posts returned in some cases
CVE-2026-27162
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but the...
4.9
VLC for Android Prior to 3.7.0 Allows Hackers to Access Internal Files
CVE-2026-26228
VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endp...
2.3
n8n's Chat Trigger Node Fails to Verify User Authentication
GHSA-jh8h-6c9q-7gmw
Impact: When the Chat Trigger node is configured with n8n User Auth authentication, the authentication check could be circumvented. - This issue re...
6.3
Audiobookshelf mobile app: Malicious library metadata can hijack your account
CVE-2026-27974
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of th...
4.8
Audiobookshelf Versions Before 2.32.0 Allow Hackers to Steal Data
CVE-2026-27963
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of ...
4.8
Audiobookshelf Mobile App: Malicious Library Data Can Hijack Sessions
CVE-2026-27973
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-bet...
4.8