CVE Vulnerabilities - 26 February 2026
186 vulnerabilities published on 26 February 2026
WordPress Custom Logo Plugin Allows Malicious Content Injection via Admin Settings
CVE-2026-2499
The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to ...
4.4
WP Social Meta Plugin for WordPress Allows Malicious Scripts in Admin Settings
CVE-2026-2498
The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 du...
4.4
TP2WP Importer plugin for WordPress can execute malicious scripts
CVE-2026-2489
The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Watched domains' textarea on the attachment importer set...
4.4
ImageMagick: Out-of-bounds memory read when processing certain image files
DEBIAN-CVE-2026-27799
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer...
4.4
PSI Probe 5.3.0 allows remote attackers to bypass security controls
CVE-2026-3268
A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected element is an unknown function of the file psi-probe-core/src/main/java/...
5.3
Discourse: Authenticated users can promote topics to site-wide banners
CVE-2026-28219
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic man...
1.3
wger: Unauthorized Access to Private Dietary Data
CVE-2026-27839
GHSA-g8gc-6c4h-jg86
## Summary
Three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped qu...
4.3
wger: Access to Other Users' Workout Data
CVE-2026-27835
GHSA-xf68-8hjw-7mpm
### Summary
`RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` call...
4.3
Weblate API Exposes All Addon Configurations to All Users
CVE-2026-27457
GHSA-wppc-7cq7-cgfv
Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = ...
4.3
Discourse Platform: Unsecured Note Access for Category Moderators
CVE-2026-26973
Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) i...
4.3
Specially crafted FTP file paths can crash or execute code on Linux systems
CVE-2026-28296
A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file path...
4.3
FTP Client Can Connect to Arbitrary IP and Port on Malicious Server
CVE-2026-28295
A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its p...
4.3
IIS and ASP.net headers expose sensitive server information
CVE-2026-1694
HTTP headers are added by the default configuration of IIS and ASP.net, and are not removed at the deployment phase of the webservices used by the Web...
2.3
Old Packistry version fails to check token expiration
CVE-2026-27968
Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::author...
4.3
Zendesk Webhook Forgery in n8n Allows Unauthorized Workflow Triggers
GHSA-38c7-23hj-2wgq
## Impact
An attacker who knows the webhook URL of a workflow using the ZendeskTrigger node could send unsigned POST requests and trigger the workflow...
6.3
n8n: Hackers can trick n8n workflows with fake GitHub messages
GHSA-mqpr-49jj-32rc
## Impact
An attacker who knows the webhook URL of a workflow using the GitHub Webhook Trigger node could send unsigned POST requests and trigger the ...
6.3
Discourse: Bypassing Private Message Blocking in Direct Messages
CVE-2026-27152
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding m...
1.3
Discourse Discussion Platform: Unauthorized Bookmark Creation
CVE-2026-27150
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization i...
1.3
n8n Workflow Guardrail Can Be Bypassed by Malicious Users
GHSA-fvfv-ppw4-7h2w
## Impact
An end user interacting with a workflow that uses the Guardrail node could craft an input that bypasses the default guardrail instructions.
...
6.3
VLC for Android Remote Access Server has a password guessing risk before version 3.7.0
CVE-2026-26227
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient r...
6.3
Golioth Firmware SDK crashes when processing certain network data
CVE-2026-23748
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contains an out-of-bounds read in LightDB State string parsing. When pro...
6.3
Golioth Firmware SDK: Malicious Payload Can Crash System
CVE-2026-23747
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contains a stack-based buffer overflow in Payload Utils. The golioth_payl...
6.3
wger Routine Data Leaked via User-Scoped Cache Key
CVE-2026-27838
GHSA-42cr-w2gr-m54q
### Summary
Five routine detail action endpoints check a cache before calling `self.get_object()`. Cache keys are scoped only by `pk` — no user ID is...
3.1
Golioth Firmware SDK Crashes or Denies Service due to Malicious Path Input
CVE-2026-23749
Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contains an out-of-bounds read due to improper null termination of a blo...
2.1
Discourse: Malicious users can post in staff-only categories
CVE-2026-28227
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only cat...
1.2