Latest CVE Feed
- 6.3 MEDIUM CVE-2026-27837
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separate...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Misconfiguration
- 7.5 HIGH CVE-2026-27831
rldns is an open source DNS server. Version 2.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue....
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Memory Corruption
- 8.9 HIGH CVE-2026-27830
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString`...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Injection
- 6.5 MEDIUM CVE-2026-27829
Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `infe...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Server-Side Request Forgery
- 8.8 HIGH CVE-2026-27976
Zed, a code editor, has an extension installer that allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates symlinks from the archive without validation, and the path guard (`writeable_path_from_extension`)...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Path Traversal
- 7.1 HIGH CVE-2026-27967
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to ex...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Path Traversal
- 6.8 MEDIUM CVE-2026-27933
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the i...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Misconfiguration
- 7.7 HIGH CVE-2026-27821
GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHead...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Memory Corruption
- 8.7 HIGH CVE-2026-27818
TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configura...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Misconfiguration
- 8.0 HIGH CVE-2026-27812
Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attacker...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Authentication
- 6.8 MEDIUM CVE-2026-27809
psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError wh...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Information Disclosure
- 5.8 MEDIUM CVE-2026-27808
Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an ema...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Server-Side Request Forgery
- 9.3 CRITICAL CVE-2026-27804
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Authentication
- 7.4 HIGH CVE-2026-27800
Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/archive.rs` fails to validate ZIP entry filenames for pat...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Path Traversal
- 4.0 MEDIUM CVE-2026-27799
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Memory Corruption
- 4.0 MEDIUM CVE-2026-27798
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing an image with small dimension using the `-wavelet-denoise...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Memory Corruption
- 6.4 MEDIUM CVE-2026-27735
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within t...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Path Traversal
- 5.1 MEDIUM CVE-2026-27711
NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a memory corruption vulnerability in NanaZip’s UFS parser allows a crafted `.ufs/.ufs2/.img` file to trigger out-of-bounds memory acces...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Memory Corruption
- 5.1 MEDIUM CVE-2026-27710
NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a denial-of-service vulnerability exists in NanaZip’s `.NET Single File Application` parser. A crafted bundle can force an integer unde...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Denial of Service
- 5.1 MEDIUM CVE-2026-27709
NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, NanaZip’s `.NET Single File Application` parser has an out-of-bounds read vulnerability in manifest parsing. A crafted bundle can provi...
- Published: Feb. 26, 2026
- Modified: Feb. 26, 2026
- Vuln Type: Memory Corruption