CVE-2025-12107 - Potential authenticated Server-Side Template Injection (SSTI) vulnerability.
CVE ID : CVE-2025-12107
Published : Feb. 19, 2026, 10:04 a.m. | 2 hours, 18 minutes ago
Description : Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12107
Published : Feb. 19, 2026, 10:04 a.m. | 2 hours, 18 minutes ago
Description : Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13590 - Authenticated arbitrary file upload via a System REST API requiring administrator permission.
CVE ID : CVE-2025-13590
Published : Feb. 19, 2026, 10:05 a.m. | 2 hours, 18 minutes ago
Description : A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13590
Published : Feb. 19, 2026, 10:05 a.m. | 2 hours, 18 minutes ago
Description : A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15559 - Unauthenticated OS Command Injection in NesterSoft WorkTime
CVE ID : CVE-2025-15559
Published : Feb. 19, 2026, 10:45 a.m. | 1 hour, 37 minutes ago
Description : An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15559
Published : Feb. 19, 2026, 10:45 a.m. | 1 hour, 37 minutes ago
Description : An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15560 - SQL Injection in NesterSoft WorkTime
CVE ID : CVE-2025-15560
Published : Feb. 19, 2026, 10:48 a.m. | 1 hour, 34 minutes ago
Description : An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15560
Published : Feb. 19, 2026, 10:48 a.m. | 1 hour, 34 minutes ago
Description : An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15561 - Local Privilege Escalation in NesterSoft WorkTime
CVE ID : CVE-2025-15561
Published : Feb. 19, 2026, 10:53 a.m. | 1 hour, 30 minutes ago
Description : An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15561
Published : Feb. 19, 2026, 10:53 a.m. | 1 hour, 30 minutes ago
Description : An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15562 - Reflected Cross-Site Scripting in NesterSoft WorkTime
CVE ID : CVE-2025-15562
Published : Feb. 19, 2026, 10:54 a.m. | 1 hour, 28 minutes ago
Description : The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15562
Published : Feb. 19, 2026, 10:54 a.m. | 1 hour, 28 minutes ago
Description : The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9062 - IDOR in MeCODE Informatics' Envanty
CVE ID : CVE-2025-9062
Published : Feb. 19, 2026, 10:57 a.m. | 1 hour, 26 minutes ago
Description : Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection.This issue affects Envanty: from 1.0.0 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9062
Published : Feb. 19, 2026, 10:57 a.m. | 1 hour, 26 minutes ago
Description : Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection.This issue affects Envanty: from 1.0.0 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15563 - Broken Access Control results in Denial of Service in NesterSoft WorkTime
CVE ID : CVE-2025-15563
Published : Feb. 19, 2026, 11:01 a.m. | 1 hour, 21 minutes ago
Description : Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15563
Published : Feb. 19, 2026, 11:01 a.m. | 1 hour, 21 minutes ago
Description : Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-8350 - Authentication Bypass with Redirect in BiEticaret Software's BiEticaret CMS
CVE ID : CVE-2025-8350
Published : Feb. 19, 2026, 11:30 a.m. | 53 minutes ago
Description : Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting.This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-8350
Published : Feb. 19, 2026, 11:30 a.m. | 53 minutes ago
Description : Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting.This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9953 - SQLi in Database Software's Databank Accreditation Software
CVE ID : CVE-2025-9953
Published : Feb. 19, 2026, 11:55 a.m. | 28 minutes ago
Description : Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in DATABASE Software Training Consulting Ltd. Databank Accreditation Software allows SQL Injection.This issue affects Databank Accreditation Software: through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9953
Published : Feb. 19, 2026, 11:55 a.m. | 28 minutes ago
Description : Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in DATABASE Software Training Consulting Ltd. Databank Accreditation Software allows SQL Injection.This issue affects Databank Accreditation Software: through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25429 - Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via openvpn_advanced
CVE ID : CVE-2019-25429
Published : Feb. 19, 2026, 1:16 p.m. | 3 hours, 13 minutes ago
Description : Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the openvpn_advanced endpoint. Attackers can inject JavaScript code through the GLOBAL_NETWORKS and GLOBAL_DNS parameters via POST requests to execute arbitrary scripts in users' browsers.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25429
Published : Feb. 19, 2026, 1:16 p.m. | 3 hours, 13 minutes ago
Description : Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the openvpn_advanced endpoint. Attackers can inject JavaScript code through the GLOBAL_NETWORKS and GLOBAL_DNS parameters via POST requests to execute arbitrary scripts in users' browsers.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25430 - Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via vpn_users
CVE ID : CVE-2019-25430
Published : Feb. 19, 2026, 1:16 p.m. | 3 hours, 13 minutes ago
Description : Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the username parameter. Attackers can send POST requests to the vpn_users endpoint with script payloads in the username field to execute arbitrary JavaScript in victim browsers.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25430
Published : Feb. 19, 2026, 1:16 p.m. | 3 hours, 13 minutes ago
Description : Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the username parameter. Attackers can send POST requests to the vpn_users endpoint with script payloads in the username field to execute arbitrary JavaScript in victim browsers.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2744 - Blind SQL Injection
CVE ID : CVE-2026-2744
Published : Feb. 19, 2026, 2:16 p.m. | 2 hours, 13 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2744
Published : Feb. 19, 2026, 2:16 p.m. | 2 hours, 13 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71240 - SPIP < 4.2.15 Cross-Site Scripting via Code Tags
CVE ID : CVE-2025-71240
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71240
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71241 - SPIP < 4.3.6 Cross-Site Scripting in Private Area
CVE ID : CVE-2025-71241
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71241
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71242 - SPIP < 4.3.6 Authorization Bypass Leading to Content Disclosure
CVE ID : CVE-2025-71242
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71242
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71243 - SPIP Saisies Plugin < 5.11.1 Remote Code Execution
CVE ID : CVE-2025-71243
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71243
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71244 - SPIP < 4.4.5 Open Redirect via Login Form
CVE ID : CVE-2025-71244
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71244
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71245 - SPIP < 4.4.8 Cross-Site Scripting via Iframe Tags in Private Area
CVE ID : CVE-2025-71245
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71245
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71246 - SPIP < 4.4.8 Cross-Site Scripting in Public Area
CVE ID : CVE-2025-71246
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor's browser. This vulnerability is not mitigated by the SPIP security screen.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71246
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor's browser. This vulnerability is not mitigated by the SPIP security screen.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71247 - SPIP < 4.4.9 Blind Server-Side Request Forgery via Syndicated Sites
CVE ID : CVE-2025-71247
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71247
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...