CVE Vulnerabilities - 27 February 2026
217 vulnerabilities published on 27 February 2026
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker ca...
CVE-2026-27028
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent...
9.3
Apache Kafka WebSocket API Fails to Limit Authentication Requests
CVE-2026-26305
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow...
8.7
Unsecured Charging Station Sessions Allow Session Hijacking
CVE-2026-26290
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same sessi...
6.9
Copeland XWEB Pro: Unauthenticated Access to Sensitive Data
CVE-2026-25085
A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in
which an unexpected return value from the authentication routine is
later o...
9.8
XWEB Pro Can Execute Malicious Commands Remotely
CVE-2026-24663
An OS command injection vulnerability exists in XWEB Pro version 1.12.1
and prior, enabling an unauthenticated attacker to achieve remote code
execu...
9.8
Unlimited Authentication Requests in WebSocket API
CVE-2026-24445
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow...
8.7
Copeland XWEB Pro: Unauthenticated Access to System
CVE-2026-21718
An authentication bypass vulnerability exists in Copeland XWEB Pro
version 1.12.1 and prior, enabling any attacker to bypass the
authentication req...
9.8
kyverno Package Allows Unauthorized Access
CLEANSTART-2026-ZG64300
Multiple security vulnerabilities affect the kyverno package. Within HostnameError. See references for individual vulnerability details....
9.8
go-git Library Exposes Git Data to Unauthorized Access
CLEANSTART-2026-YW12690
Multiple security vulnerabilities affect the argo-cd-fips package. go-git is a highly extensible git implementation library written in pure Go. See re...
9.8
Nginx: Shared IP Port Allows Bypass of Client Certificate Checks
CLEANSTART-2026-ZN32454
Multiple security vulnerabilities affect the nginx package. When multiple server blocks are configured to share the same IP address and port, an attac...
9.8
Prometheus FIPS Wildcard Certificates Not Restricted
CLEANSTART-2026-XZ04425
Multiple security vulnerabilities affect the prometheus-fips package. An excluded subdomain constraint in a certificate chain does not restrict the us...
9.8
Tenda F453 Software Allows Remote Attackers to Crash the Router
CVE-2026-3271
A vulnerability was found in Tenda F453 1.0.0.3. This impacts the function fromP2pListFilter of the file /goform/P2pListFilterof of the component http...
7.4
Unauthenticated access to OCPP WebSocket endpoints
CVE-2026-27772
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent...
9.3
Unauthorized access to OCPP WebSocket endpoint allows manipulation
CVE-2026-27767
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent...
9.3
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attac...
CVE-2026-25945
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow...
8.7
OCPP WebSocket Endpoints Lack Authentication, Allowing Unauthorized Access
CVE-2026-25851
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent...
9.3
WebSockets API Fails to Limit Authentication Requests
CVE-2026-25114
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow...
8.7
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow an attacker to conduct denial-of-service attac...
CVE-2026-25113
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow...
8.7
Unsecured WebSockets let hackers pretend to be charging stations
CVE-2026-24731
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent...
9.3
Unlimited Login Attempts in WebSocket Interface
CVE-2026-20792
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests. This absence of rate limiting may
allow...
8.7
Open ChargePoint Protocol (OCPP) WebSocket Unauthenticated Access
CVE-2026-20781
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent...
9.3
openDCIM Installer Exposes Configuration to Unauthorized Users
CVE-2026-28515
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installe...
9.3
Pro3W CMS allows attackers to gain administrative access
CVE-2025-15498
Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to by...
9.3
Pillow HEIF Plugin Crashes or Discloses Data with Malformed Images
CVE-2026-28231
pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buf...
5.5
Homey BNB Version 4 Allows Unauthenticated Database Access
CVE-2019-25489
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through...
8.8