CVE-2026-25894 - FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
CVE ID : CVE-2026-25894
Published : Feb. 9, 2026, 10:28 p.m. | 42 minutes ago
Description : FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25894
Published : Feb. 9, 2026, 10:28 p.m. | 42 minutes ago
Description : FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25895 - FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API
CVE ID : CVE-2026-25895
Published : Feb. 9, 2026, 10:29 p.m. | 41 minutes ago
Description : FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25895
Published : Feb. 9, 2026, 10:29 p.m. | 41 minutes ago
Description : FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25957 - Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request
CVE ID : CVE-2026-25957
Published : Feb. 9, 2026, 10:39 p.m. | 31 minutes ago
Description : Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25957
Published : Feb. 9, 2026, 10:39 p.m. | 31 minutes ago
Description : Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25958 - Cube privilege escalation via a specially crafted request
CVE ID : CVE-2026-25958
Published : Feb. 9, 2026, 10:42 p.m. | 28 minutes ago
Description : Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25958
Published : Feb. 9, 2026, 10:42 p.m. | 28 minutes ago
Description : Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15319 - Tanium addressed a local privilege escalation vulnerability in Endpoint Configuration Toolset Solution.
CVE ID : CVE-2025-15319
Published : Feb. 9, 2026, 10:52 p.m. | 18 minutes ago
Description : Tanium addressed a local privilege escalation vulnerability in Endpoint Configuration Toolset Solution.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15319
Published : Feb. 9, 2026, 10:52 p.m. | 18 minutes ago
Description : Tanium addressed a local privilege escalation vulnerability in Endpoint Configuration Toolset Solution.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15318 - Tanium addressed an arbitrary file deletion vulnerability in End User Notifications and Endpoint Configuration Toolset Solution.
CVE ID : CVE-2025-15318
Published : Feb. 9, 2026, 10:56 p.m. | 14 minutes ago
Description : Tanium addressed an arbitrary file deletion vulnerability in Endpoint Configuration Toolset Solution.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15318
Published : Feb. 9, 2026, 10:56 p.m. | 14 minutes ago
Description : Tanium addressed an arbitrary file deletion vulnerability in Endpoint Configuration Toolset Solution.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25931 - vscode-spell-checker has a workspace-trust bypass Code Execution
CVE ID : CVE-2026-25931
Published : Feb. 9, 2026, 11:16 p.m. | 3 hours, 55 minutes ago
Description : vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as the authoritative trust flag. The value defaults to true (package.json) and is read from workspace configuration each time settings are fetched. The code coerces any truthy value to true and forwards it to ConfigLoader.setIsTrusted , which in turn allows JavaScript/TypeScript configuration files ( .cspell.config.js/.mjs/.ts , etc.) to be located and executed. Because no VS Code workspace-trust state is consulted, an untrusted workspace can keep the flag true and place a malicious .cspell.config.js ; opening the workspace causes the extension host to execute attacker-controlled Node.js code with the user’s privileges. This vulnerability is fixed in v4.5.4.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25931
Published : Feb. 9, 2026, 11:16 p.m. | 3 hours, 55 minutes ago
Description : vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as the authoritative trust flag. The value defaults to true (package.json) and is read from workspace configuration each time settings are fetched. The code coerces any truthy value to true and forwards it to ConfigLoader.setIsTrusted , which in turn allows JavaScript/TypeScript configuration files ( .cspell.config.js/.mjs/.ts , etc.) to be located and executed. Because no VS Code workspace-trust state is consulted, an untrusted workspace can keep the flag true and place a malicious .cspell.config.js ; opening the workspace causes the extension host to execute attacker-controlled Node.js code with the user’s privileges. This vulnerability is fixed in v4.5.4.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25934 - go-git improperly verifies data integrity values for .idx and .pack files
CVE ID : CVE-2026-25934
Published : Feb. 9, 2026, 11:16 p.m. | 3 hours, 55 minutes ago
Description : go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25934
Published : Feb. 9, 2026, 11:16 p.m. | 3 hours, 55 minutes ago
Description : go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15147 - WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment
CVE ID : CVE-2025-15147
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15147
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15310 - Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools.
CVE ID : CVE-2025-15310
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15310
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15313 - Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS.
CVE ID : CVE-2025-15313
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15313
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15314 - Tanium addressed an arbitrary file deletion vulnerability in end-user-cx.
CVE ID : CVE-2025-15314
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : Tanium addressed an arbitrary file deletion vulnerability in end-user-cx.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15314
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : Tanium addressed an arbitrary file deletion vulnerability in end-user-cx.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-0845 - WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update
CVE ID : CVE-2026-0845
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-0845
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2258 - aardappel lobster wfc.h WaveFunctionCollapse memory corruption
CVE ID : CVE-2026-2258
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to memory corruption. The attack can only be executed locally. The exploit has been published and may be used. This patch is called c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd. It is advisable to implement a patch to correct this issue.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2258
Published : Feb. 10, 2026, 12:16 a.m. | 2 hours, 55 minutes ago
Description : A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to memory corruption. The attack can only be executed locally. The exploit has been published and may be used. This patch is called c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd. It is advisable to implement a patch to correct this issue.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-24328 - Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)
CVE ID : CVE-2026-24328
Published : 2026年2月10日 04:16 | 3 小时 ago
Description : SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-24328
Published : 2026年2月10日 04:16 | 3 小时 ago
Description : SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2259 - aardappel lobster Parsing parser.h ParseStatements memory corruption
CVE ID : CVE-2026-2259
Published : 2026年2月10日 04:16 | 3 小时 ago
Description : A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. The manipulation leads to memory corruption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2f45fe860d00990e79e13250251c1dde633f1f89. Applying a patch is the recommended action to fix this issue.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2259
Published : 2026年2月10日 04:16 | 3 小时 ago
Description : A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. The manipulation leads to memory corruption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2f45fe860d00990e79e13250251c1dde633f1f89. Applying a patch is the recommended action to fix this issue.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2260 - D-Link DCS-931L setSysAdmin os command injection
CVE ID : CVE-2026-2260
Published : 2026年2月10日 04:16 | 3 小时 ago
Description : A vulnerability was found in D-Link DCS-931L up to 1.13.0. This affects an unknown part of the file /goform/setSysAdmin. The manipulation of the argument AdminID results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2260
Published : 2026年2月10日 04:16 | 3 小时 ago
Description : A vulnerability was found in D-Link DCS-931L up to 1.13.0. This affects an unknown part of the file /goform/setSysAdmin. The manipulation of the argument AdminID results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25973 - "Apache HTTP Server Cross-Site Request Forgery"
CVE ID : CVE-2026-25973
Published : 2026年2月10日 05:16 | 1 小时,59 分钟 ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25973
Published : 2026年2月10日 05:16 | 1 小时,59 分钟 ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25974 - Apache HTTP Server Unvalidated User Input
CVE ID : CVE-2026-25974
Published : 2026年2月10日 05:16 | 1 小时,59 分钟 ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25974
Published : 2026年2月10日 05:16 | 1 小时,59 分钟 ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25975 - Apache HTTP Server Remote Code Execution
CVE ID : CVE-2026-25975
Published : 2026年2月10日 05:16 | 1 小时,59 分钟 ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25975
Published : 2026年2月10日 05:16 | 1 小时,59 分钟 ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25976 - Apache HTTP Server Denial of Service
CVE ID : CVE-2026-25976
Published : 2026年2月10日 05:16 | 1 小时,59 分钟 ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25976
Published : 2026年2月10日 05:16 | 1 小时,59 分钟 ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...