CVE Vulnerabilities - 27 February 2026
217 vulnerabilities published on 27 February 2026 (each entry lists the title, CVE id, summary, and severity score)
Libvips Integer Overflow in Local File Exports
CVE-2026-3284
A vulnerability was found in libvips 8.19.0. Impacted is the function vips_extract_area_build of the file libvips/conversion/extract.c. The manipulati...
4.8
Seerr: Unauthorized Users Can Access Other Users' Data
CVE-2026-27792
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in...
5.4
ClipBucket Video Sharing Platform: Administrator Can Execute Malicious Code
CVE-2026-26997
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload...
2.0
PluXml CMS: Malicious Code Can Be Injected into Static Pages
CVE-2026-24351
PluXml CMS is vulnerable to Stored XSS in the Static Pages editing functionality. An attacker with editing privileges can inject arbitrary HTML and JS into w...
5.1
PluXml CMS allows malicious SVG files to be uploaded and executed
CVE-2026-24350
PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payloa...
5.1
WordPress Featured Image Plugin Allows Author-Level Users to Access Sensitive Internal Data
CVE-2026-27759
Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery ...
5.3
Dify API Leaks Email Addresses Before Version 1.9.0
CVE-2026-28288
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowin...
5.5
calibre Content Server's Brute-Force Protection Can Be Bypassed
CVE-2026-27824
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Serve...
5.3
Japanized for WooCommerce Plugin Allows Unpaid Orders to be Marked as Paid
CVE-2026-1305
The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a ...
5.3
WP Recipe Maker plugin for WordPress exposes sensitive recipe data
CVE-2026-1558
The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is...
5.3
Public Access to Charging Station Authentication Identifiers
CVE-2026-25774
Charging station authentication identifiers are publicly accessible via web-based mapping platforms....
6.9
Electric Vehicle Charging Station Credentials Exposed Online
CVE-2026-22878
Charging station authentication identifiers are publicly accessible via web-based mapping platforms....
6.9
Electric Vehicle Charging Station Login Info Exposed Through Online Maps
CVE-2026-27773
Charging station authentication identifiers are publicly accessible via web-based mapping platforms....
6.9
Electric Vehicle Charging Station Credentials Exposed Online
CVE-2026-22890
Charging station authentication identifiers are publicly accessible via web-based mapping platforms....
6.9
Charging Station Credentials Exposed on Public Maps
CVE-2026-20733
Charging station authentication identifiers are publicly accessible via web-based mapping platforms....
6.9
VMware Workstation: Unprivileged Guest User Can Crash Host Processes
CVE-2026-22716
Out-of-bound write vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM...
5.0
Foreman GraphQL API Allows Low-Privileged Users to Access Sensitive Metadata
CVE-2025-9572
An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, w...
5.0
MailArchiver Plugin for WordPress Allows Sensitive Data Theft
CVE-2026-2831
The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the ‘logid’ parameter in all versions up to, and including, 4.5.0 due to insu...
4.9
Keycloak Server: Admins Can Modify Sensitive User Data
CVE-2026-0871
GHSA-v4jw-m6rm-399h
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attr...
4.9
Kiteworks Email Protection Gateway: Admins can inject malicious scripts
CVE-2026-28272
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administ...
4.8
Dato CMS Web Previews plugin allows malicious users to load unauthorized content
CVE-2026-3327
Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restrictio...
4.8
Vim Terminal Emulator Can Crash or Allow Unauthorized Access
CVE-2026-28420
Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim'...
4.4
ZITADEL Opaque Tokens Can Be Truncated Without Losing Validity
CVE-2026-27840
GHSA-6mq3-xmgp-pjm5
Summary: Opaque OIDC access tokens in v2 format, truncated to 80 characters, are still considered valid. ZITADEL uses a symmetric AES encryption ...
4.3
WordPress SmartRemote Module Allows Unauthorized URL Loading
CVE-2025-15509
The SmartRemote module has insufficient restrictions on loading URLs, which may lead to some information leakage....
7.1
Itwanger Paicoding 1.0.0-1.0.3: Save Function Allows Remote Attack
CVE-2026-3286
A vulnerability was identified in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3. The impacted element is the function Save of the file paicoding-web/src/...
5.3