CVE Vulnerabilities - 27 February 2026

217 vulnerabilities published on 27 February 2026

Unauthenticated Access to Centreon Open Tickets on Linux Servers
CVE-2026-2749
Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centreon Open Ticket modules). This issue affects Centreon Open Tickets on ...
9.9
openDCIM: Untrusted Network Map Data Can Run Malicious Commands
CVE-2026-28517
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves t...
9.3
WeGIA: Unauthenticated Access to Admin Areas
CVE-2026-28411
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal a...
9.8
WeGIA Web Manager: Unrestricted Access to Employee Features
CVE-2026-28408
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the pro...
9.8
Seerr: Unauthenticated Account Registration on Plex Configured Instances
CVE-2026-27707
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an aut...
9.8
SODOLA SL902-SWTGW124AS Firmware Session IDs Can Be Predicted
CVE-2026-27755
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge a...
9.3
SODOLA SL902-SWTGW124AS: Default Password Allows Remote Access
CVE-2026-27751
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administ...
9.3
Langflow CSV Agent allows malicious code execution
CVE-2026-27966 GHSA-3645-fxcv-hqr4
The CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python...
9.8
Centreon Web on Linux Central Server: Malicious Data Injection Risk
CVE-2026-2751
Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Se...
9.8
Windesk.Fm: Hacker Could Execute Unwanted Database Commands
CVE-2025-11252
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Wi...
9.8
PluXml CMS lets attackers hijack user sessions
CVE-2026-24352
PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This ...
4.8
Dayneks E-Commerce Platform SQL Injection Risk: Unauthorized Data Access
CVE-2025-11251
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dayneks Software Industry and Trade Inc. E-Comme...
9.8
Frick Controls Quantum HD Versions 10.22 and Prior: Exposed Email Passwords Allow Unauthorized Access
CVE-2026-21660
Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD versi...
6.9
Frick Controls Quantum HD: Unauthenticated Attackers Can Run Malicious Code
CVE-2026-21659
Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Qu...
8.7
Xerox FreeFlow Core allows unauthorized access to internal directories
CVE-2026-2251
Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal l...
9.8
Frick Controls Quantum HD: Unauthenticated Code Injection Risk
CVE-2026-21658
Unauthenticated Remote Code Execution, i.e. Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Q...
8.8
Frick Controls Quantum HD: Code Injection through Unvalidated Input
CVE-2026-21657
Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insuffici...
8.8
Frick Controls Quantum HD: Unvalidated Input Allows Unauthorized Actions
CVE-2026-21656
Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insuffici...
8.8
Frick Controls Quantum HD: Unsecured Input Allows Unauthorized Actions
CVE-2026-21654
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD...
8.8
The Listee theme allows anyone to become an Administrator
CVE-2025-12981
The Listee theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.6. This is due to a broken validation c...
9.8
Totolink N300RH: Unsecured web interface allows remote attacks
CVE-2026-3301
A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affected by this vulnerability is the function setWebWlanIdx of the file /...
8.9
Sanluan PublicCMS 6.202506.d: Path Traversal Attack Risk
CVE-2026-3289
A weakness has been identified in Sanluan PublicCMS 6.202506.d. This impacts the function saveMetadata of the file TemplateCacheComponent.java of the ...
5.3
Youlai-mall 2.0.0 Exposes Data to Hackers via Unsecured SQL Query
CVE-2026-3287
A security flaw has been discovered in youlaitech youlai-mall 2.0.0. This affects the function listPagedSpuForApp of the file mall-pms/pms-boot/src/ma...
5.3
XWEB Pro version 1.12.1 and prior: Unauthenticated Program Crash
CVE-2026-20797
A stack-based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corrupt...
9.8
Charging Station: Malicious Users Can Hijack Sessions
CVE-2026-27647
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same sessi...
6.9