CVE Vulnerabilities - 27 February 2026

217 vulnerabilities published on 27 February 2026

XWEB Pro: Malicious Input Can Run Harmful System Commands
CVE-2026-21389
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code executi...
8.8
XWEB Pro versions 1.12.1 and earlier: Unauthorized System Access
CVE-2026-20910
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code executi...
8.8
XWEB Pro: Unsecured Map Upload Allows Remote Code Execution
CVE-2026-20902
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code exec...
8.8
XWEB Pro: Malicious Input Can Run Commands on the Server
CVE-2026-20742
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execut...
8.8
Tenda F453 Firmware 1.0.0.3: Uncontrolled Memory Access via DHCP Client List
CVE-2026-3272
A vulnerability was determined in Tenda F453 1.0.0.3. Affected is the function fromDhcpListClient of the file /goform/DhcpListClient of the component ...
7.4
PublicCMS v5.202506.d and earlier allows malicious PDFs to steal user data
CVE-2025-69437
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the bac...
8.7
Google Web Designer allows malicious files to be written to your computer
CVE-2026-3223
Arbitrary file write & potential privilege escalation exploiting zip slip vulnerability in Google Web Designer....
8.4
ThinkWise versions 7-23 allow remote code execution
CVE-2026-24497
Stack-based Buffer Overflow vulnerability in SimTech Systems, Inc. ThinkWise allows Remote Code Inclusion. This issue affects ThinkWise: from 7 through...
8.4
CleverTap Web SDK allows attackers to inject malicious code
CVE-2026-26862 GHSA-jfrq-hj9f-c8qx
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module...
8.3
CleverTap Web SDK allows hackers to inject malicious code into websites
CVE-2026-26861 GHSA-j5mf-6rh3-rhgg
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessag...
8.3
Malformed Requests Crash Multer Server Before Version 2.1.0
CVE-2026-3304 GHSA-xf7r-hgr6-v32p
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a De...
8.3
Multer File Uploads Can Crash Your Website
CVE-2026-2359 GHSA-v52c-386h-88mc
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a De...
8.3
Red Hat Satellite BMC interface vulnerable to remote code execution
CVE-2026-0980 GHSA-hfcp-477w-3wjw
A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with h...
8.3
NestJS: Authentication Bypass When Using Fastify Path Normalization
GHSA-7q64-3rg2-h9pf
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-r4wm-x892-vjmx. This link is maintained to preserve external ...
8.2
Homey BNB V4 Login Can Be Hijacked with Malicious Input
CVE-2019-25494
Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication ...
8.8
Apache::SessionX for Perl generates predictable session IDs
CVE-2025-40932
Apache::SessionX versions through 2.01 for Perl create insecure session ids. Apache::SessionX generates session ids insecurely. The default session id...
8.2
Outdated SSH Algorithms Allow Data Tampering
CVE-2026-1627
An attacker may exploit the use of outdated and weak MAC algorithms in the device’s SSH service to potentially compromise the integrity of the SSH ses...
8.1
Vim versions before 9.2.0077 may crash or leak memory
CVE-2026-28421
Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) in Vim's...
7.8
Vim: Malicious URLs Can Execute Commands with Elevated Privileges
CVE-2026-28417
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugi...
7.8
GNU inetutils telnetd allows local privilege escalation
CVE-2026-28372
telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the log...
7.8
Unitree Firmware Update Encryption Compromised, Allows Tampering
CVE-2026-1442
Since the encryption algorithm used to protect firmware updates is itself encrypted using key material available to an attacker (or anyone paying atte...
7.8
OCaml Deserialization Allows Remote Code Execution
CVE-2026-28364
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a ...
7.8
Berry-lang Berry 1.1.0: Out-of-bounds read allows data exposure
CVE-2026-3285
A vulnerability was determined in berry-lang berry up to 1.1.0. The affected element is the function scan_string of the file src/be_lexer.c. This mani...
1.9
Libvips 8.19.0 Allows Local Code Execution Through Heap Overflow
CVE-2026-3281
A vulnerability was detected in libvips 8.19.0. This affects the function vips_bandrank_build of the file libvips/conversion/bandrank.c. Performing a ...
4.8