
CVE Vulnerabilities - 27 February 2026


217 vulnerabilities published on 27 February 2026

Docker Model Runner exposes sensitive files to unauthorized access
CVE-2026-28400
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_confi...
7.5
phpMyFAQ Allows Unauthenticated User Account Creation
CVE-2026-27836 GHSA-w22q-m2fm-x9f4
Summary: The WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, CAP...
7.5
Umbraco Engage API Endpoints Exposed to Unauthorized Access
CVE-2026-27449 GHSA-86vq-ccwf-rm62
Description: A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or auth...
7.5
osCommerce: Malicious Code Can Be Injected Through Currency Parameter
CVE-2019-25497
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code t...
8.8
osCommerce 2.3.4.1: Attackers can steal sensitive database info
CVE-2019-25496
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code t...
8.8
osCommerce 2.3.4.1 allows hackers to steal sensitive data
CVE-2019-25495
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code t...
8.8
Homey BNB V4 allows unauthenticated database access via malicious GET requests
CVE-2019-25493
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code throug...
8.8
Homey BNB V4: Unauthenticated attackers can extract sensitive database info
CVE-2019-25492
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code throug...
8.8
Homey BNB V4 allows unauthenticated access to sensitive database info
CVE-2019-25491
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code throug...
8.8
Homey BNB V4 allows unauthorized access to database info
CVE-2019-25490
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through...
8.8
REXML can be forced to use excessive CPU when parsing XML files
CVE-2025-10990
A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character refere...
7.5
Red Hat Container Tools for RHEL 8 May Allow Malicious Container Escalation
RHSA-2026:3428
7.5
Linux Kernel Update Fixes Multiple Security Flaws in Red Hat Enterprise Linux
RHSA-2026:3388
7.5
OpenShift Container Platform 4.14.62 Security Update
RHSA-2026:2973
7.5
Xerox FreeFlow Core allows attackers to hijack server requests via XML input
CVE-2026-2252
An XML External Entity (XXE) vulnerability allows a malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malici...
7.5
Fluent Forms Pro WordPress plugin vulnerable to fake payment notifications
CVE-2026-2428
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and inclu...
7.5
Perl's Crypt::SysRandom::XS can crash if given a negative length
CVE-2026-2597
Crypt::SysRandom::XS versions before 0.010 for Perl are vulnerable to a heap buffer overflow in the XS function random_bytes(). The function does not ...
7.5
Charging Station Identifiers Can Be Hijacked by Malicious Actors
CVE-2026-27652
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same sessi...
6.9
Charging Station Sessions Can Be Hijacked by Unsecured IDs
CVE-2026-25778
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same sessi...
6.9
Charging Station Sessions Can Be Hijacked or Overwhelmed
CVE-2026-25711
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same sessi...
6.9
Charging Station Sessions Not Properly Secured in WebSocket Backend
CVE-2026-20895
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same sessi...
6.9
Charging Station Authentication Details Leaked on Public Maps
CVE-2026-20791
Charging station authentication identifiers are publicly accessible via web-based mapping platforms....
6.9
WeGIA Web Manager: Malicious File Upload Exploit
CVE-2026-28409
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA a...
7.2
Kiteworks: Unauthorized Files Can Be Uploaded by Malicious Admins
CVE-2026-28270
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files with...
7.2
SODOLA SL902-SWTGW124AS Passwords Can Be Changed Without Old Password Verification
CVE-2026-27757
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account p...
7.1