Latest CVE Feed
- 8.8 HIGH CVE-2026-3101
A vulnerability was found in Intelbras TIP 635G 1.12.3.5. This vulnerability affects unknown code of the component Ping Handler. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and co...
- Published: Feb. 24, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Injection
- 8.8 HIGH CVE-2026-3102
A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command in...
- Published: Feb. 24, 2026
- Modified: Feb. 26, 2026
- 9.8 CRITICAL CVE-2026-2964
A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1.1. Impacted is the function extend in the library lib/WebAudioRecorder.js of the component Dynamic Config Handling. Such manipulation leads to improperly controlled modification of obj...
Affected Products: webaudiorecorder.js
- Published: Feb. 23, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Misconfiguration
- 4.6 MEDIUM CVE-2025-11563
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool....
- Published: Feb. 25, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Path Traversal
- 6.5 MEDIUM CVE-2025-70044
An issue pertaining to CWE-295: Improper Certificate Validation was discovered in fofolee uTools-quickcommand 5.0.3....
Affected Products: utools-quickcommand
- Published: Feb. 23, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Misconfiguration
- 7.4 HIGH CVE-2025-70045
An issue pertaining to CWE-295: Improper Certificate Validation was discovered in jxcore jxm master. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTPS request options when 'jx_obj.IsSecure' is true...
Affected Products: jxm
- Published: Feb. 23, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Misconfiguration
- 7.4 HIGH CVE-2025-70058
An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests...
Affected Products: yapi
- Published: Feb. 23, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Cryptography
- 6.1 MEDIUM CVE-2026-26464
Stored Cross-Site Scripting (XSS) was found in the /admin/edit_user.php page of Society Management System Portal V1.0, which allows remote attackers to inject and store arbitrary JavaScript code that is executed in users' browsers. This vulnerability can ...
Affected Products: society_management_system_portal
- Published: Feb. 23, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Cross-Site Scripting
- 4.0 MEDIUM CVE-2025-61146
saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c....
Affected Products: libsixel
- Published: Feb. 23, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Memory Corruption
- 4.9 MEDIUM CVE-2026-0399
Multiple post-authentication stack-based buffer overflow vulnerabilities in the SonicOS management interface due to improper bounds checking in an API endpoint....
Affected Products: sonicos nsa_2700 nsa_3700 nsa_4700 nsa_5700 nsa_6700 nssp_10700 nssp_11700 nssp_13700 tz270 +23 more products
- Published: Feb. 24, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Memory Corruption
- 0.0 NA CVE-2026-27152
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user could add targets who have blocked/ignored/muted them to an...
Affected Products:
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Authorization
- 6.5 MEDIUM CVE-2026-27567
Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient ...
Affected Products: payload
- Published: Feb. 24, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Server-Side Request Forgery
- 0.0 NA CVE-2026-27162
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. U...
Affected Products:
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Authorization
- 6.1 MEDIUM CVE-2026-27568
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered ...
Affected Products: avideo
- Published: Feb. 24, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Cross-Site Scripting
- 8.8 HIGH CVE-2026-0805
An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal....
Affected Products: crafty_controller
- Published: Jan. 30, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Path Traversal
- 0.0 NA CVE-2026-27151
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed T...
Affected Products:
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Authorization
- 0.0 NA CVE-2026-27150
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups...
Affected Products:
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Authorization
- 9.9 CRITICAL CVE-2026-0963
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal....
Affected Products: crafty_controller
- Published: Jan. 30, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Path Traversal
- 0.0 NA CVE-2026-27149
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private messa...
Affected Products:
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Injection
- 0.0 NA CVE-2026-27021
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2...
Affected Products:
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Authorization