Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
6.9 MEDIUM
CVE-2026-25738 — Indico has Server-Side Request Forgery (SSRF) in multiple places

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes o…

indico | Remote | Server-Side Request Forgery
Feb 19, 2026 Feb 26, 2026
6.1 MEDIUM
CVE-2025-71244 — SPIP < 4.4.5 Open Redirect via Login Form

SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary ext…

spip | Remote | Misconfiguration
Feb 19, 2026 Feb 24, 2026
9.8 CRITICAL
CVE-2025-71243 — SPIP Saisies Plugin < 5.11.1 Remote Code Execution

The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to exec…

saisies_pour_formulaire saisies | Remote | Injection
Feb 19, 2026 Feb 26, 2026
6.5 MEDIUM
CVE-2025-71242 — SPIP < 4.3.6 Authorization Bypass Leading to Content Disclosure

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and section…

spip | Remote | Authorization
Feb 19, 2026 Mar 02, 2026
6.1 MEDIUM
CVE-2025-71241 — SPIP < 4.3.6 Cross-Site Scripting in Private Area

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an…

spip | Remote | Cross-Site Scripting
Feb 19, 2026 Mar 02, 2026
5.4 MEDIUM
CVE-2025-71240 — SPIP < 4.2.15 Cross-Site Scripting via Code Tags

SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malici…

spip | Remote | Cross-Site Scripting
Feb 19, 2026 Feb 24, 2026
8.8 HIGH
CVE-2026-25755 — jsPDF has PDF Object Injection via Unsanitized Input in addJS Method

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. B…

jspdf | Remote | Injection
Feb 19, 2026 Feb 23, 2026
8.7 HIGH
CVE-2026-25535 — jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitiz…

jspdf | Remote | Denial of Service
Feb 19, 2026 Feb 23, 2026
5.3 MEDIUM
CVE-2026-25527 — changedetection.io vulnerable to unauthenticated static path traversal

changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static/<group>/<filename>` route accepts `group=".."`, which causes `send_from_directory("s…

changedetection changedetection | Remote | Path Traversal
Feb 19, 2026 Feb 19, 2026
9.1 CRITICAL
CVE-2025-55853 — SoftVision webPDF SSRF Vulnerability

SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files an…

Remote | Server-Side Request Forgery
Feb 19, 2026 Feb 23, 2026
Showing 20 of 5590 Results