Latest CVE Feed
-
7.7
HIGHCVE-2026-27464
Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During tes... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Information Disclosure
-
9.3
CRITICALCVE-2026-27471
ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions... Read more
Affected Products : erpnext- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Authorization
-
8.7
HIGHCVE-2026-27458
LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists (/lists/feed). An authenticated user can inject a CDATA-breaking payload into a l... Read more
Affected Products : linkace- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Cross-Site Scripting
-
9.2
CRITICALCVE-2026-27452
ASN.1 TypeScript ESM library, including codecs for Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER). In versions 11.0.5 and below, in some cases, decoding an INTEGER could leak the underlying ArrayBuffer. This issue is expected to be fixe... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Information Disclosure
-
8.1
HIGHCVE-2026-27206
Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @t... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Information Disclosure
-
5.5
MEDIUMCVE-2026-2863
A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. The impacted element is the function deleteFile of the file FileServiceImpl.java. This manipulation causes path traversal. The attack ca... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Path Traversal
-
5.5
MEDIUMCVE-2026-2861
A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an unknown function of the component Changes/Viewfile/Oops. The manipulation results in information disclosure. It is possible to launch the attack remotely. The exploit is now ... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Information Disclosure
-
9.4
CRITICALCVE-2026-27212
Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() funct... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2026-27211
Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Path Traversal
-
5.3
MEDIUMCVE-2026-27210
Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Cross-Site Scripting
-
2.3
LOWCVE-2026-27205
Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerabili... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Misconfiguration
-
6.3
MEDIUMCVE-2026-27199
Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filt... Read more
Affected Products : werkzeug- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2026-27198
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it do... Read more
Affected Products : formwork- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2026-26047
A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated us... Read more
Affected Products : moodle- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Denial of Service
-
7.2
HIGHCVE-2026-26046
A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted sett... Read more
Affected Products : moodle- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Injection
-
7.2
HIGHCVE-2026-26045
A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since res... Read more
Affected Products : moodle- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2026-2860
A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorizati... Read more
Affected Products :- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2026-27197
Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in its SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Iden... Read more
Affected Products : sentry- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Authentication
-
8.1
HIGHCVE-2026-27196
Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissi... Read more
Affected Products : statamic- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Cross-Site Scripting
-
8.1
HIGHCVE-2026-27194
D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to ru... Read more
Affected Products : d-tale- Published: Feb. 21, 2026
- Modified: Feb. 21, 2026
- Vuln Type: Injection