Total: 3566 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-26977 | 1 Frappe | 1 Learning | 2026-02-20 | N/A | 5.3 MEDIUM |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release. | |||||
| CVE-2026-21627 | | | 2026-02-20 | N/A | N/A |
| The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction. | |||||
| CVE-2026-24740 | 1 Amirraminfar | 1 Dozzle | 2026-02-19 | N/A | 9.9 CRITICAL |
| Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out‑of‑scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue. | |||||
| CVE-2026-2164 | 1 Detronetdip | 1 E-commerce | 2026-02-19 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-25229 | 1 Gogs | 1 Gogs | 2026-02-19 | N/A | 6.5 MEDIUM |
| Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1. | |||||
| CVE-2025-70866 | 1 Lavalite | 1 Lavalite | 2026-02-19 | N/A | 8.8 HIGH |
| LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification. | |||||
| CVE-2026-25231 | 1 Filerise | 1 Filerise | 2026-02-19 | N/A | 7.5 HIGH |
| FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.3.0, the application contains an unauthenticated file read vulnerability due to the lack of access control on the /uploads directory. Files uploaded to this directory can be accessed directly by any user who knows or can guess the file path, without requiring authentication. As a result, sensitive data could be exposed, and privacy may be breached. This vulnerability is fixed in 3.3.0. | |||||
| CVE-2026-2666 | 1 Mingsoft | 1 Mcms | 2026-02-19 | 5.8 MEDIUM | 4.7 MEDIUM |
| A flaw has been found in mingSoft MCMS 6.1.1. The affected element is an unknown function of the file /ms/file/uploadTemplate.do of the component Template Archive Handler. Executing a manipulation of the argument File can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2026-25758 | 1 Spreecommerce | 1 Spree | 2026-02-19 | N/A | 7.5 HIGH |
| Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2. | |||||
| CVE-2025-61879 | 1 Infoblox | 1 Nios | 2026-02-19 | N/A | 7.7 HIGH |
| In Infoblox NIOS through 9.0.7, a high-privileged user can trigger an arbitrary file write via the account creation mechanism. | |||||
| CVE-2026-2665 | | | 2026-02-19 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in huanzi-qch base-admin up to 57a8126bb3353a004f3c7722089e3b926ea83596. Impacted is the function Upload of the file SysFileController.java of the component JSP Parser. Performing a manipulation of the argument File results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. Continuous delivery with rolling releases is used by this product, so no version details of affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2025-12884 | | | 2026-02-19 | N/A | 4.3 MEDIUM |
| The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update ad placements, allowing them to change which ad or ad group a placement serves. | |||||
| CVE-2026-25519 | 1 Openslides | 1 Openslides | 2026-02-18 | N/A | 8.1 HIGH |
| OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully login using the local login form and the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29. | |||||
| CVE-2026-2550 | | | 2026-02-18 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-2592 | | | 2026-02-18 | N/A | 7.7 HIGH |
| The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in the callback URL belongs to the specific order being marked as paid. This makes it possible for unauthenticated attackers to potentially mark orders as paid without proper payment by reusing a valid authority token from a different transaction of the same amount. | |||||
| CVE-2026-2549 | | | 2026-02-18 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in zhanghuanhao LibrarySystem 图书馆管理系统 up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-20642 | 1 Apple | 2 Ipados, Iphone Os | 2026-02-18 | N/A | 2.4 LOW |
| An input validation issue was addressed. This issue is fixed in iOS 26.3 and iPadOS 26.3. A person with physical access to an iOS device may be able to access photos from the lock screen. | |||||
| CVE-2026-20603 | 1 Apple | 1 Macos | 2026-02-18 | N/A | 4.4 MEDIUM |
| This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Tahoe 26.3. An app with root privileges may be able to access private information. | |||||
| CVE-2026-20628 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2026-02-17 | N/A | 7.1 HIGH |
| A permissions issue was addressed with additional restrictions. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An app may be able to break out of its sandbox. | |||||
| CVE-2026-2054 | 1 Dlink | 4 Dir-605l, Dir-605l Firmware, Dir-619l and 1 more | 2026-02-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| A security flaw has been discovered in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. Impacted is an unknown function of the component Wifi Setting Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
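
The Gogs (CVE-2026-25229), Spree (CVE-2026-25758) and Zarinpal (CVE-2026-2592) entries above are the same bug class: a child record (a label, a checkout address, a payment authority token) is looked up by the identifier the client supplies, and nothing checks that it belongs to the parent resource named in the URL path or to the order being processed. The Go program below is an added illustration, not code from any of those projects; the Owned interface, the Label and Authority types, the handler names and the sample store are all assumed. It shows the vulnerable lookup beside a parent-scoped lookup that serves all three cases, and it reports a foreign child exactly like a missing one so the endpoint cannot be used to probe for IDs.

```go
package main

import (
	"errors"
	"fmt"
)

// Owned is any child record that belongs to exactly one parent resource: a
// label to a repository, a checkout address or a gateway authority token to an
// order. All types, names and data here are constructed for this example and
// are not code from Gogs, Spree or the Zarinpal plugin.
type Owned interface{ ParentID() int }

type Label struct {
	ID, RepoID int
	Name       string
}

// Authority is a payment-gateway callback token issued for one order; Verified
// means the gateway confirmed that the token was paid.
type Authority struct {
	Token           string
	OrderID, Amount int
	Verified        bool
}

func (l *Label) ParentID() int     { return l.RepoID }
func (a *Authority) ParentID() int { return a.OrderID }

var ErrNotFound = errors.New("not found in this parent resource")

// lookupScoped finds a child by its own identifier and additionally requires it
// to belong to the parent named in the URL path or session. A child of another
// parent is reported exactly like a missing one, so a foreign ID's existence is
// not revealed.
func lookupScoped[K comparable, T Owned](m map[K]T, parentID int, id K) (T, error) {
	var zero T
	if v, ok := m[id]; ok && v.ParentID() == parentID {
		return v, nil
	}
	return zero, ErrNotFound
}

type Store struct {
	Labels      map[int]*Label
	Authorities map[string]*Authority
}

// UpdateLabelVulnerable: the label ID comes from the form body and the
// repository from the URL path is never consulted.
func (s *Store) UpdateLabelVulnerable(urlRepoID, labelID int, name string) error {
	l, ok := s.Labels[labelID] // urlRepoID ignored
	if !ok {
		return ErrNotFound
	}
	l.Name = name
	return nil
}

// UpdateLabel: the same handler with the lookup scoped to the URL's repository.
func (s *Store) UpdateLabel(urlRepoID, labelID int, name string) error {
	l, err := lookupScoped(s.Labels, urlRepoID, labelID)
	if err != nil {
		return err
	}
	l.Name = name
	return nil
}

// MarkPaidVulnerable accepts any verified token of the right amount, even one
// the gateway issued for a different order.
func (s *Store) MarkPaidVulnerable(orderID, amount int, token string) error {
	if a, ok := s.Authorities[token]; ok && a.Verified && a.Amount == amount { // orderID ignored
		return nil
	}
	return ErrNotFound
}

// MarkPaid additionally binds the token to the order being marked paid.
func (s *Store) MarkPaid(orderID, amount int, token string) error {
	if a, err := lookupScoped(s.Authorities, orderID, token); err == nil && a.Verified && a.Amount == amount {
		return nil
	}
	return ErrNotFound
}

// NewSampleStore: two repositories with one label each, and two orders of the
// same amount, each with its own verified token (constructed data).
func NewSampleStore() *Store {
	return &Store{
		Labels: map[int]*Label{10: {10, 1, "bug"}, 20: {20, 2, "wontfix"}},
		Authorities: map[string]*Authority{
			"A-111": {"A-111", 100, 5000, true},
			"A-222": {"A-222", 200, 5000, true},
		},
	}
}

func main() {
	s := NewSampleStore() // a writer on repo 1 posts label 20, which belongs to repo 2
	fmt.Println(s.UpdateLabelVulnerable(1, 20, "tampered"), s.Labels[20].Name)
	fmt.Println(s.UpdateLabel(1, 20, "renamed"), s.Labels[20].Name)
	// order 100's verified token is replayed against unpaid order 200 of the same amount
	fmt.Println(s.MarkPaidVulnerable(200, 5000, "A-111"), s.MarkPaid(200, 5000, "A-111"))
}
```

The generic helper is the whole fix: once every child lookup goes through a function that takes the parent as a parameter, a handler cannot forget the ownership check, and reviewers can grep for direct map (or ORM `find by id`) access as the remaining risk.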
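
The Dozzle entry (CVE-2026-24740) describes a different shape of missing check: a per-user label filter is applied when the container listing is built, but the endpoint that opens a shell trusts the container ID the client sends, so a user who knows an out-of-scope ID can exec into it directly. The Go program below is an added illustration and is not Dozzle's code; the Agent type, the filter syntax, the container IDs and their labels are all constructed for the example. It shows the listing-only enforcement beside an endpoint that re-evaluates the same predicate against the target container.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Container is a minimal stand-in for a runtime's container record. The
// records below are constructed for this example; this is not Dozzle's code.
type Container struct {
	ID     string
	Name   string
	Labels map[string]string
}

// Filter is the per-user "label=key=value" restriction (e.g. label=env=dev).
type Filter struct{ Key, Value string }

func ParseFilter(s string) (Filter, error) {
	k, v, ok := strings.Cut(strings.TrimPrefix(s, "label="), "=")
	if !ok || k == "" {
		return Filter{}, errors.New("filter must be label=key=value")
	}
	return Filter{Key: k, Value: v}, nil
}

// Allows is the single authorization predicate for a target container.
func (f Filter) Allows(c *Container) bool { return c.Labels[f.Key] == f.Value }

type Agent struct{ containers map[string]*Container }

var (
	ErrNoSuchContainer = errors.New("no such container")
	ErrForbidden       = errors.New("container is outside the user's label scope")
)

// List applies the filter when building the listing the UI shows.
func (a *Agent) List(f Filter) []string {
	var ids []string
	for id, c := range a.containers {
		if f.Allows(c) {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// OpenShellVulnerable trusts the ID the client sends. The filter was applied
// only to the listing, so anyone who learns or guesses an out-of-scope ID can
// still exec into that container.
func (a *Agent) OpenShellVulnerable(f Filter, id string) (string, error) {
	c, ok := a.containers[id] // f is never consulted here
	if !ok {
		return "", ErrNoSuchContainer
	}
	return "exec root shell in " + c.Name, nil
}

// OpenShell re-evaluates the same predicate against the target itself, and
// reports out-of-scope and missing IDs identically so IDs cannot be probed.
func (a *Agent) OpenShell(f Filter, id string) (string, error) {
	c, ok := a.containers[id]
	if !ok || !f.Allows(c) {
		return "", ErrForbidden
	}
	return "exec root shell in " + c.Name, nil
}

// NewSampleAgent returns two constructed containers on one host.
func NewSampleAgent() *Agent {
	return &Agent{containers: map[string]*Container{
		"3f1a9c": {ID: "3f1a9c", Name: "web-dev", Labels: map[string]string{"env": "dev"}},
		"b77d02": {ID: "b77d02", Name: "db-prod", Labels: map[string]string{"env": "prod"}},
	}}
}

func main() {
	a := NewSampleAgent()
	f, _ := ParseFilter("label=env=dev")
	fmt.Println("listing:", a.List(f))
	fmt.Println(a.OpenShellVulnerable(f, "b77d02")) // prod shell, despite the env=dev scope
	fmt.Println(a.OpenShell(f, "b77d02"))           // denied
	fmt.Println(a.OpenShell(f, "3f1a9c"))           // allowed
}
```

The check belongs in every action endpoint (shell, logs, download), not in the list view: the listing is a convenience for the UI, while the action endpoints are what an attacker calls directly.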
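
The LavaLite (CVE-2025-70866) and OpenSlides (CVE-2026-25519) entries are both authentication-guard failures rather than object-level ones: in one, the admin and user guards share a user provider and the admin guard never checks a role; in the other, accounts synced from a SAML IdP can be logged in through the local password form with a trivial password shared by all such accounts. The Go program below is an added illustration and is not code from either project. The user directory, the guard names, the placeholder password "saml" for IdP-provisioned accounts and the salted SHA-256 stand-in for a password hash are all assumed (the advisory only says a trivial password valid for all SAML users; real code would use bcrypt or argon2id).

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Source records who manages an account's credentials. Accounts synced from
// an external IdP have no local password that should ever be accepted.
type Source int

const (
	SourceLocal Source = iota
	SourceSAML
)

type User struct {
	Name   string
	Source Source
	Roles  map[string]bool
	hash   [32]byte
}

// hashPassword is a stand-in for this example only; production code uses
// bcrypt or argon2id, not a salted SHA-256.
func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte("example-salt:" + pw)) }

func (u *User) checkPassword(pw string) bool {
	h := hashPassword(pw)
	return subtle.ConstantTimeCompare(h[:], u.hash[:]) == 1
}

// Guard is one login entry point; RequiredRole "" means any authenticated user.
type Guard struct{ Name, RequiredRole string }

var (
	AdminGuard = Guard{Name: "admin", RequiredRole: "admin"}
	UserGuard  = Guard{Name: "web"}
	ErrDenied  = errors.New("authentication denied")
)

// Users is a constructed directory: a local admin, a local ordinary user, and
// a SAML-provisioned user whose record carries the placeholder password that a
// sync routine wrote for every external account.
var Users = map[string]*User{
	"alice": {Name: "alice", Source: SourceLocal, Roles: map[string]bool{"admin": true}, hash: hashPassword("alice-pass")},
	"bob":   {Name: "bob", Source: SourceLocal, Roles: map[string]bool{"user": true}, hash: hashPassword("bob-pass")},
	"carol": {Name: "carol", Source: SourceSAML, Roles: map[string]bool{"user": true}, hash: hashPassword("saml")},
}

// LoginVulnerable: every guard consults the same directory, no guard checks a
// role, and the local form verifies a SAML account's placeholder password
// like any other.
func LoginVulnerable(g Guard, name, pw string) (*User, error) {
	u, ok := Users[name] // g.RequiredRole and u.Source are never consulted
	if !ok || !u.checkPassword(pw) {
		return nil, ErrDenied
	}
	return u, nil
}

// Login: local passwords are only honoured for locally managed accounts, and
// the guard's role requirement is enforced after authentication.
func Login(g Guard, name, pw string) (*User, error) {
	u, ok := Users[name]
	if !ok || u.Source != SourceLocal || !u.checkPassword(pw) {
		return nil, ErrDenied
	}
	if g.RequiredRole != "" && !u.Roles[g.RequiredRole] {
		return nil, ErrDenied
	}
	return u, nil
}

func main() {
	for _, try := range []struct {
		g        Guard
		name, pw string
	}{{AdminGuard, "bob", "bob-pass"}, {UserGuard, "carol", "saml"}, {AdminGuard, "alice", "alice-pass"}} {
		_, vErr := LoginVulnerable(try.g, try.name, try.pw)
		_, hErr := Login(try.g, try.name, try.pw)
		fmt.Printf("%s via %s guard: vulnerable=%v hardened=%v\n", try.name, try.g.Name, vErr == nil, hErr == nil)
	}
}
```

Two separate decisions are made explicit here: which credential store may authenticate this account at all (an IdP-managed account has none locally), and which role the entry point requires after authentication succeeds. Sharing a user provider between guards is fine only when the second decision is still made per guard.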
