CVE-2026-27192 - Feathers has an origin validation bypass via prefix matching
CVE ID : CVE-2026-27192
Published : Feb. 21, 2026, 4:15 a.m. | 19 minutes ago
Description : Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin() function checks whether the Referer header starts with any allowed origin, and this comparison is insufficient because it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has been fixed in version 5.0.40.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
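The following is an added example, not Feathers code and not the project's patch. It puts the advisory's startsWith() check next to an exact-origin comparison built on the WHATWG URL parser, and runs both over a set of constructed Referer values (the allowed origin is the advisory's https://target.com; the attacker-controlled hostnames are assumptions for illustration).

```javascript
// Added example (not Feathers code): why a startsWith() origin check fails
// and what an exact-origin comparison looks like.

// Vulnerable pattern from the advisory: the Referer only has to begin with
// an allowed origin string.
function getAllowedOriginByPrefix(referer, origins) {
  const match = origins.find((origin) => referer.startsWith(origin));
  return match === undefined ? null : match;
}

// Reduce a URL to its origin (scheme://host[:port]) with the WHATWG URL
// parser, so path, query, userinfo and the rest of the hostname cannot
// influence the comparison. Returns null for anything unparseable or
// non-HTTP(S).
function originOf(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.origin;
}

// Hardened: compare whole origins for equality against a normalized set.
function getAllowedOriginExact(referer, origins) {
  const refererOrigin = originOf(referer);
  if (refererOrigin === null) return null;
  const allowed = new Set(origins.map(originOf).filter((o) => o !== null));
  return allowed.has(refererOrigin) ? refererOrigin : null;
}

// Constructed probes (assumed attacker hostnames, not real ones).
const ALLOWED_ORIGINS = ['https://target.com'];
const PROBES = [
  'https://target.com/oauth/callback',   // legitimate
  'https://target.com.attacker.com/cb',  // the advisory's bypass
  'https://target.community/cb',         // longer hostname, same prefix
  'https://target.com:8443/cb',          // different port, same prefix
  'https://target.com@attacker.com/cb',  // userinfo: the real host is attacker.com
  'http://target.com/cb',                // scheme downgrade, no prefix match
];

function compareChecks() {
  return PROBES.map((referer) => ({
    referer,
    prefix: getAllowedOriginByPrefix(referer, ALLOWED_ORIGINS),
    exact: getAllowedOriginExact(referer, ALLOWED_ORIGINS),
  }));
}
```

Only the first probe is accepted by the exact comparison; the prefix check also accepts the next four, including the userinfo form where the browser would actually send the request to attacker.com. Comparing url.origin rather than the raw string is the whole fix: the port, a longer hostname, and userinfo all change the origin but not the prefix.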
CVE-2026-27194 - D-Tale affected by Remote Code Execution through the /save-column-filter endpoint
CVE ID : CVE-2026-27194
Published : Feb. 21, 2026, 4:25 a.m. | 9 minutes ago
Description : D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue has been fixed in version 3.20.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27534 - Cisco Webex Meeting Server Cross-Site Request Forgery
CVE ID : CVE-2026-27534
Published : Feb. 21, 2026, 5:17 a.m. | 3 hours, 20 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2860 - feng_ha_ha/megagao ssm-erp/production_ssm EmployeeController.java improper authorization
CVE ID : CVE-2026-2860
Published : Feb. 21, 2026, 5:17 a.m. | 3 hours, 20 minutes ago
Description : A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26045 - Moodle: moodle: improper validation in file restore functionality leading to remote code execution
CVE ID : CVE-2026-26045
Published : Feb. 21, 2026, 6:16 a.m. | 2 hours, 21 minutes ago
Description : A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26046 - Moodle: moodle: improper input sanitization in tex filter administration setting
CVE ID : CVE-2026-26046
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26047 - Moodle: moodle: uncontrolled resource consumption in tex formula editor leading to denial of service
CVE ID : CVE-2026-26047
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27198 - Formwork Improperly Manages Privileges During User Creation
CVE ID : CVE-2026-27198
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27199 - Werkzeug safe_join() allows Windows special device names
CVE ID : CVE-2026-27199
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : Werkzeug is a comprehensive WSGI web application library. In versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if they are preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL. The function send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been fixed in version 3.1.6.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
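The following is an added example, not Werkzeug code and not its patch. It writes a safe_join-style helper in JavaScript so that the Windows device-name check runs on every path segment, which is the gap the advisory describes, and evaluates it over constructed request paths against an assumed static directory.

```javascript
// Added example, not Werkzeug code: a safe_join-style helper whose Windows
// device-name check runs on EVERY segment, so example/NUL is rejected just
// like NUL on its own.

const WINDOWS_DEVICE_FILES = new Set([
  'CON', 'PRN', 'AUX', 'NUL',
  ...Array.from({ length: 9 }, (_, i) => `COM${i + 1}`),
  ...Array.from({ length: 9 }, (_, i) => `LPT${i + 1}`),
]);

// Windows maps "NUL", "nul.txt" and "NUL " to the same device, so compare the
// stem: everything before the first dot, trailing spaces dropped, uppercased.
function isWindowsDeviceName(segment) {
  const stem = segment.split('.')[0].replace(/ +$/, '').toUpperCase();
  return WINDOWS_DEVICE_FILES.has(stem);
}

// Returns the joined path, or null when any component is unsafe: no absolute
// paths, no "..", no backslashes, and no device name in any segment.
function safeJoin(directory, ...pathnames) {
  const parts = [directory];
  for (const filename of pathnames) {
    if (filename.includes('\\')) return null;
    if (filename.startsWith('/')) return null;
    const segments = filename.split('/').filter((s) => s !== '' && s !== '.');
    if (segments.includes('..')) return null;
    if (segments.some(isWindowsDeviceName)) return null;
    parts.push(...segments);
  }
  return parts.join('/');
}

// Constructed requests against an assumed static directory.
const STATIC_DIR = '/srv/app/static';
const REQUESTS = [
  'css/app.css',         // fine
  'docs/console.txt',    // fine: CONSOLE is not a device name
  'example/NUL',         // the advisory's case
  'logs/nul.txt',        // an extension does not help
  'COM1',                // single segment
  'reports/LPT9 ',       // trailing space
  '../../etc/passwd',    // traversal
  'a\\b',                // backslash
];

function evaluateRequests() {
  return REQUESTS.map((p) => ({ path: p, result: safeJoin(STATIC_DIR, p) }));
}
```

The check is deliberately applied per segment after splitting, not to the whole string, because a device name in the last component is what makes the open succeed and the read hang. Windows recognizes a few more spellings (a trailing colon, superscript digits for COM and LPT on some versions); an allowlist of expected filenames is safer than extending the denylist when the application can afford one.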
CVE-2026-27205 - Flask session does not add `Vary: Cookie` header when accessed in some ways
CVE ID : CVE-2026-27205
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header, which tells caches to key the response on the Cookie header rather than serve one user's response to another, as it may contain information specific to a logged-in user. This is handled in most cases, but some forms of access, such as the Python in operator, were overlooked, resulting in a Use of Cache Containing Sensitive Information vulnerability. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.
Severity: 2.3 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27210 - Pannellum has a XSS vulnerability in hot spot attributes
CVE ID : CVE-2026-27210
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting the standalone viewer HTML file and any other use of untrusted JSON config files (bypassing the protections of the escapeHTML parameter). As certain events fire without any additional user interaction, visiting a standalone viewer URL that points to a malicious config file is sufficient to trigger the vulnerability and execute arbitrary JavaScript code, which can, for example, replace the contents of the page with arbitrary content and make it appear to be hosted by the website hosting the standalone viewer HTML file. This issue has been fixed in version 2.5.7. As a workaround, setting the Content-Security-Policy header to script-src-attr 'none' will block execution of inline event handlers, mitigating this vulnerability. Do not host pannellum.htm on a domain that shares cookies with user authentication, to limit the impact of XSS.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27211 - Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse
CVE ID : CVE-2026-27211
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 are vulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. As a workaround, enable Landlock sandboxing and restrict process privileges and access.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
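The following is an added example, not Cloud Hypervisor code. It builds a constructed 4 KiB "raw" image whose first sector a guest has rewritten into a QCOW2 header with a backing file of /etc/shadow, shows what content-based format sniffing makes of it, and contrasts that with opening the image under a format declared by the management stack plus a backing-file directory policy (the directory and the policy are assumptions for illustration). Header offsets follow the QCOW2 specification.

```javascript
// Added example, not Cloud Hypervisor code: a raw disk whose guest-writable
// sector 0 now carries a QCOW2 header, sniffed versus declared format.
// QCOW2 header (big-endian): magic @0, version @4, backing_file_offset @8
// (u64), backing_file_size @16 (u32), cluster_bits @20, size @24 (u64).

const QCOW2_MAGIC = 0x514649fb; // "QFI\xfb"
const ALLOWED_IMAGE_DIR = '/var/lib/vm-images/'; // assumed policy, not a CH setting

// Constructed: the guest has overwritten sector 0 of its raw disk.
function craftedRawImage(backingPath = '/etc/shadow') {
  const img = Buffer.alloc(4096);
  img.writeUInt32BE(QCOW2_MAGIC, 0);
  img.writeUInt32BE(3, 4);                             // version 3
  img.writeBigUInt64BE(BigInt(0x68), 8);               // backing_file_offset
  img.writeUInt32BE(Buffer.byteLength(backingPath), 16);
  img.writeUInt32BE(16, 20);                           // cluster_bits (64 KiB)
  img.writeBigUInt64BE(BigInt(1 << 20), 24);           // virtual size 1 MiB
  img.write(backingPath, 0x68, 'utf8');
  return img;
}

// Sniffing: the content decides the format.
function sniffFormat(img) {
  return img.length >= 4 && img.readUInt32BE(0) === QCOW2_MAGIC ? 'qcow2' : 'raw';
}

function parseQcow2BackingFile(img) {
  const off = Number(img.readBigUInt64BE(8));
  const len = img.readUInt32BE(16);
  if (off === 0 || len === 0) return null;
  if (off + len > img.length) throw new Error('backing file name outside header');
  return img.subarray(off, off + len).toString('utf8');
}

// The behaviour the advisory describes: whatever the header names would be
// opened as the backing file and served to the guest.
function openSniffed(img) {
  const format = sniffFormat(img);
  return { format, backingFile: format === 'qcow2' ? parseQcow2BackingFile(img) : null };
}

// Assumed policy: absolute path under the image directory, no ".." segments.
// A real implementation would also canonicalize (realpath) to defeat symlinks.
function backingFileAllowed(p) {
  return p.startsWith(ALLOWED_IMAGE_DIR) && !p.split('/').includes('..');
}

// Declared format: the management stack says what the file is. A raw image
// is never parsed; a qcow2 image may only reference an allowed backing file.
function openDeclared(img, declaredFormat) {
  if (declaredFormat === 'raw') return { format: 'raw', backingFile: null };
  if (declaredFormat !== 'qcow2') throw new Error('unknown format ' + declaredFormat);
  if (img.readUInt32BE(0) !== QCOW2_MAGIC) throw new Error('not a qcow2 image');
  const backingFile = parseQcow2BackingFile(img);
  if (backingFile !== null && !backingFileAllowed(backingFile)) {
    throw new Error('backing file ' + backingFile + ' outside ' + ALLOWED_IMAGE_DIR);
  }
  return { format: 'qcow2', backingFile };
}
```

The two controls are independent: declaring the format removes the guest's ability to promote its own disk to a format with a backing-file field at all, and the directory policy bounds what a genuine qcow2 image may reference. Running the VMM with Landlock or an equivalent sandbox, as the advisory suggests, caps what a parser mistake can reach even when both controls fail.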
CVE-2026-27212 - Swiper has a Prototype Pollution Vulnerability
CVE ID : CVE-2026-27212
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : Swiper is a free, mobile touch slider with hardware-accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user-provided input contains forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: authentication bypass, denial of service and RCE. This issue is fixed in version 12.1.2.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
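The following is an added example, not Swiper code, and it does not reproduce the advisory's specific bypass. It shows the bug class behind it, a recursive extend that writes through the prototype chain, beside a version that holds even with the key denylist switched off, because it only ever recurses into own plain-object properties and assigns with Object.defineProperty. The payloads are the two classic pollution routes, constructed for the example.

```javascript
// Added example, not Swiper code: a recursive extend() that can be driven
// into Object.prototype, and one that cannot, denylist or no denylist.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;
}

// Vulnerable: keys are not filtered, and target[key] may resolve to an
// inherited object (Object.prototype directly via "__proto__", or via
// "constructor" -> "prototype").
function extendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      if (existing === null || (typeof existing !== 'object' && typeof existing !== 'function')) {
        target[key] = {};
      }
      extendVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = ['__proto__', 'constructor', 'prototype'];

// defineProperty never triggers the __proto__ setter and never walks the chain.
function defineOwn(target, key, value) {
  Object.defineProperty(target, key, { value, writable: true, enumerable: true, configurable: true });
}

// Hardened. The denylist is a first line; the structural rule (recurse only
// into an OWN plain object, otherwise create a fresh own one) is what holds
// when a key slips past it. useDenylist=false demonstrates that.
function extendSafe(target, source, useDenylist = true) {
  for (const key of Object.keys(source)) {
    if (useDenylist && FORBIDDEN_KEYS.indexOf(key) !== -1) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) defineOwn(target, key, {});
      extendSafe(target[key], value, useDenylist);
    } else {
      defineOwn(target, key, value);
    }
  }
  return target;
}

// Constructed payloads. JSON.parse creates "__proto__" as an OWN property,
// so Object.keys() does return it.
const PAYLOADS = {
  proto: '{"__proto__":{"polluted":"yes"}}',
  ctor: '{"constructor":{"prototype":{"polluted":"yes"}}}',
};

// Runs one merge into an empty object and reports whether a fresh object
// afterwards inherits "polluted"; cleans up so checks stay independent.
function pollutes(extend, json, ...extra) {
  extend({}, JSON.parse(json), ...extra);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}
```

The structural rule is the part worth copying: a merge that never reads target[key] through the prototype chain has nothing to protect with a denylist, so an unanticipated key form (the advisory's Array-based input being one) has no object to pollute.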
CVE-2026-2861 - Foswiki Changes/Viewfile/Oops information disclosure
CVE ID : CVE-2026-2861
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an unknown function of the component Changes/Viewfile/Oops. The manipulation results in information disclosure. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 2.1.11 is sufficient to fix this issue. The patch is identified as 31aeecb58b64/d8ed86b10e46. Upgrading the affected component is recommended.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2863 - feng_ha_ha/megagao ssm-erp/production_ssm FileServiceImpl.java deleteFile path traversal
CVE ID : CVE-2026-2863
Published : Feb. 21, 2026, 6:17 a.m. | 2 hours, 21 minutes ago
Description : A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. The impacted element is the function deleteFile of the file FileServiceImpl.java. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27206 - Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize()
CVE ID : CVE-2026-27206
Published : Feb. 21, 2026, 7:16 a.m. | 1 hour, 22 minutes ago
Description : Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies. This behavior is similar in risk profile to PHP's native unserialize() when used without the allowed_classes restriction. Applications are impacted only if untrusted or attacker-controlled JSON is passed into JsonSerializer::unserialize() and the application or its dependencies contain classes that can be leveraged as a gadget chain. This issue has been fixed in version 3.2.3. If an immediate upgrade isn't feasible, mitigate the vulnerability by never deserializing untrusted JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input before deserialization, and disabling @type-based object instantiation wherever possible.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27452 - ASN.1 TypeScript Library: Decoding an INTEGER could leak the underlying ArrayBuffer
CVE ID : CVE-2026-27452
Published : Feb. 21, 2026, 7:16 a.m. | 1 hour, 22 minutes ago
Description : The ASN.1 TypeScript ESM library includes codecs for Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER). In versions 11.0.5 and below, decoding an INTEGER could, in some cases, leak the underlying ArrayBuffer. This issue is expected to be fixed in version 11.0.6.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
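The following is an added example, not the library's code, written to make the advisory's one-line description concrete. A decoder that returns a typed-array view of the INTEGER shares the caller's ArrayBuffer, so anything that wraps the view's .buffer sees every byte of the input, here a constructed DER SEQUENCE holding the integer next to a secret OCTET STRING. The minimal TLV reader handles short-form lengths only, which is all the sample needs.

```javascript
// Added example, not the library's code: an INTEGER decoder whose result
// aliases the whole input ArrayBuffer, beside one that copies.

// Constructed DER: SEQUENCE { INTEGER 0x42, OCTET STRING "secret-key" }.
const SAMPLE_DER = Uint8Array.from([
  0x30, 0x0f,
  0x02, 0x01, 0x42,
  0x04, 0x0a, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x2d, 0x6b, 0x65, 0x79,
]);

// Minimal TLV reader: short-form lengths only (< 128 bytes). A real decoder
// must handle long-form lengths and indefinite length for BER.
function readTlv(buf, offset) {
  const tag = buf[offset];
  const len = buf[offset + 1];
  if (len & 0x80) throw new Error('long-form length not handled in this example');
  const start = offset + 2;
  const end = start + len;
  if (end > buf.length) throw new Error('truncated element');
  return { tag, start, end };
}

// Two's-complement big-endian to Number (adequate for the sizes used here;
// wider integers need BigInt).
function integerValue(bytes) {
  let v = 0;
  for (const b of bytes) v = v * 256 + b;
  if (bytes.length > 0 && bytes[0] & 0x80) v -= 2 ** (8 * bytes.length);
  return v;
}

// Leaky: subarray() returns a view that shares the caller's ArrayBuffer.
function decodeIntegerLeaky(buf, offset) {
  const { tag, start, end } = readTlv(buf, offset);
  if (tag !== 0x02) throw new Error('not an INTEGER');
  const bytes = buf.subarray(start, end);
  return { value: integerValue(bytes), bytes };
}

// Fixed: Uint8Array.prototype.slice() copies into a fresh, exactly-sized buffer.
function decodeIntegerSafe(buf, offset) {
  const { tag, start, end } = readTlv(buf, offset);
  if (tag !== 0x02) throw new Error('not an INTEGER');
  const bytes = buf.slice(start, end);
  return { value: integerValue(bytes), bytes };
}

// What a consumer that trusts decoded.bytes.buffer actually gets to read.
function bytesReachableThroughBuffer(decoded) {
  return new Uint8Array(decoded.bytes.buffer);
}

function exposesSecret(decoded) {
  const visible = String.fromCharCode(...bytesReachableThroughBuffer(decoded));
  return visible.includes('secret-key');
}
```

Both decoders return the same value and the same one-byte view; the difference is only visible through .buffer, which is why this class of bug survives ordinary unit tests. Note that Node's Buffer#slice, unlike Uint8Array#slice, returns a shared view, so a decoder built on Buffer has to copy explicitly (for example with Buffer.from(view)).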
CVE-2026-27458 - LinkAce: Stored XSS in Atom Feed via CDATA Escape in List Description
CVE ID : CVE-2026-27458
Published : Feb. 21, 2026, 7:16 a.m. | 1 hour, 22 minutes ago
Description : LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists (/lists/feed). An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA section, injects a native SVG element into the Atom XML document, and executes arbitrary JavaScript directly in the browser when the feed URL is visited. No RSS reader or additional rendering context is required: the browser's native XML parser processes the injected SVG and fires the onload event handler. This vulnerability exists because the lists feed template outputs list descriptions using Blade's raw syntax ({!! !!}) without sanitization inside a CDATA block. The critical detail is that because the output sits inside a CDATA section, an attacker can inject the sequence ]]> to close the section prematurely, then inject arbitrary XML/SVG elements that the browser parses and executes natively as part of the Atom document. This issue has been fixed in version 2.4.3.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27471 - ERP: Document access through endpoints due to missing validation
CVE ID : CVE-2026-27471
Published : Feb. 21, 2026, 7:16 a.m. | 1 hour, 22 minutes ago
Description : ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0, and in 16.0.0-rc.1 through 16.6.0, certain endpoints lacked access validation, which allowed unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27479 - Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch
CVE ID : CVE-2026-27479
Published : Feb. 21, 2026, 8:15 a.m. | 22 minutes ago
Description : Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true), enabling an attacker to bypass the IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function validates the URL by resolving the hostname and checking if the resulting IP is in a private or reserved range using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, which means the request will follow HTTP redirects without re-validating the destination IP. This issue has been fixed in version 4.6.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27464 - Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE
CVE ID : CVE-2026-27464
Published : Feb. 21, 2026, 8:16 a.m. | 22 minutes ago
Description : Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileged user can extract sensitive information, including database credentials, into the email body via template evaluation. This issue has been fixed in versions 0.57.13 and 0.58.7. To work around this issue, users can disable notifications in their Metabase instance to disallow access to the vulnerable endpoints.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...