Latest CVE Feed
-
7.5
HIGHCVE-2026-2391
### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to th... Read more
Affected Products : qs- Published: Feb. 12, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2026-3026
A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side reques... Read more
Affected Products : jeewms- Published: Feb. 23, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Server-Side Request Forgery
-
9.0
HIGHCVE-2026-2086
A vulnerability was detected in UTT HiPER 810G up to 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formFireWall of the component Management Interface. The manipulation of the argument GroupName results in buffer o... Read more
- Published: Feb. 07, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Memory Corruption
-
8.3
HIGHCVE-2026-2980
A vulnerability has been found in UTT HiPER 810G up to 1.7.7-1711. Impacted is the function strcpy of the file /goform/setSysAdm. The manipulation of the argument passwd1 leads to buffer overflow. The attack may be initiated remotely. The exploit has been... Read more
- Published: Feb. 23, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Memory Corruption
-
6.1
MEDIUMCVE-2026-3027
A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The ... Read more
Affected Products : jeewms- Published: Feb. 23, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Cross-Site Scripting
-
9.0
HIGHCVE-2026-2981
A vulnerability was found in UTT HiPER 810G up to 1.7.7-1711. The affected element is the function strcpy of the file /goform/formTaskEdit_ap. The manipulation of the argument txtMin2 results in buffer overflow. The attack may be launched remotely. The ex... Read more
- Published: Feb. 23, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Memory Corruption
-
9.0
HIGHCVE-2026-3015
A vulnerability was determined in UTT HiPER 810G up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/formPolicyRouteConf. Executing a manipulation of the argument GroupName can lead to buffer overflow. The attack may be launched remote... Read more
- Published: Feb. 23, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Memory Corruption
-
7.5
HIGHCVE-2026-26316
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when t... Read more
Affected Products : openclaw- Published: Feb. 19, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Authentication
-
7.1
HIGHCVE-2025-15313
Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS.... Read more
- Published: Feb. 10, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Path Traversal
-
7.8
HIGHCVE-2025-15310
Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools.... Read more
- Published: Feb. 10, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2026-25957
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13... Read more
Affected Products : cube.js- Published: Feb. 09, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Denial of Service
-
6.1
MEDIUMCVE-2026-26223
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix... Read more
Affected Products : spip- Published: Feb. 19, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Cross-Site Scripting
-
8.6
HIGHCVE-2026-26345
SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticate... Read more
Affected Products : spip- Published: Feb. 19, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Cross-Site Scripting
-
5.5
MEDIUMCVE-2026-24846
malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a s... Read more
Affected Products : malcontent- Published: Jan. 29, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Supply Chain
-
7.5
HIGHCVE-2025-62599
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sen... Read more
- Published: Feb. 03, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2026-27472
SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker ... Read more
Affected Products : spip- Published: Feb. 19, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Server-Side Request Forgery
-
6.4
MEDIUMCVE-2026-27473
SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inje... Read more
Affected Products : spip- Published: Feb. 19, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2026-27474
SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker... Read more
Affected Products : spip- Published: Feb. 19, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Cross-Site Scripting
-
9.2
CRITICALCVE-2026-27475
SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or ano... Read more
Affected Products : spip- Published: Feb. 19, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Information Disclosure
-
2.7
LOWCVE-2026-23859
Dell Wyse Management Suite, versions prior to WMS 5.5, contain a Client-Side Enforcement of Server-Side Security vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability to Protection mechanism bypass.... Read more
Affected Products :- Published: Feb. 24, 2026
- Modified: Feb. 24, 2026
- Vuln Type: Misconfiguration