Total: 7124 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14038 | 1 Enterprisedb | 1 Hybrid Manager | 2026-02-18 | N/A | 7.0 HIGH |
| EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malformed data to certain gRPC endpoints. This flaw has been remediated in EDB Hybrid Manager 1.3.3, and customers should consider upgrading to 1.3.3 as soon as possible. The flaw is due to a misconfiguration in the Istio Gateway, which manages authentication and authorization for the affected endpoints. The security policy relies on an explicit definition of required permissions in the Istio Gateway configuration, and the affected endpoints were not defined in the configuration. This allowed requests to bypass both authentication and authorization within a Hybrid Manager service. All versions of Hybrid Manager - LTS should be upgraded to 1.3.3, and all versions of Hybrid Manager - Innovation should be upgraded to 2025.12. | |||||
| CVE-2026-23632 | 1 Gogs | 1 Gogs | 2026-02-17 | N/A | 6.5 MEDIUM |
| Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | |||||
| CVE-2026-22592 | 1 Gogs | 1 Gogs | 2026-02-17 | N/A | 6.5 MEDIUM |
| Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DoS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | |||||
| CVE-2024-12104 | 1 Atarim | 1 Atarim | 2026-02-17 | N/A | 5.3 MEDIUM |
| The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpf_delete_file and wpf_delete_file functions in all versions up to, and including, 4.0.9. This makes it possible for unauthenticated attackers to delete project pages and files. | |||||
| CVE-2026-24042 | 1 Appsmith | 1 Appsmith | 2026-02-17 | N/A | 9.4 CRITICAL |
| Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit-mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication. | |||||
| CVE-2026-24055 | 1 Langfuse | 1 Langfuse | 2026-02-17 | N/A | 5.3 MEDIUM |
| Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0. | |||||
| CVE-2026-0484 | 1 Sap | 1 Sap Basis | 2026-02-17 | N/A | 6.5 MEDIUM |
| Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. This vulnerability has a high impact on integrity of the application with no effect on the confidentiality and availability. | |||||
| CVE-2026-0486 | 1 Sap | 1 Solution Tools Plug-in | 2026-02-17 | N/A | 5.0 MEDIUM |
| In ABAP-based SAP systems, a remote-enabled function module does not perform the necessary authorization checks for an authenticated user, resulting in disclosure of system information. This has low impact on confidentiality. Integrity and availability are not impacted. | |||||
| CVE-2026-0488 | 1 Sap | 3 Netweaver Application Server Abap, S/4hana, Webclient Ui Framework | 2026-02-17 | N/A | 9.9 CRITICAL |
| An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability. | |||||
| CVE-2026-0490 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2026-02-17 | N/A | 7.5 HIGH |
| SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on the availability but no impact on the confidentiality and integrity. | |||||
| CVE-2026-0509 | 1 Sap | 3 Netweaver As Abap Kernel, Netweaver As Abap Krnl64nuc, Netweaver As Abap Krnl64uc | 2026-02-17 | N/A | 9.6 CRITICAL |
| SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application. | |||||
| CVE-2026-23681 | 1 Sap | 1 Solution Tools Plug-in | 2026-02-17 | N/A | 4.3 MEDIUM |
| Due to missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its configuration. This disclosure of the system information could assist the attacker to plan subsequent attacks. This vulnerability has a low impact on the confidentiality of the application, with no effect on its integrity or availability. | |||||
| CVE-2026-23688 | 1 Sap | 1 S4core | 2026-02-17 | N/A | 4.3 MEDIUM |
| SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity; confidentiality and availability are not impacted. | |||||
| CVE-2026-24312 | 1 Sap | 1 Sap Basis | 2026-02-17 | N/A | 5.2 MEDIUM |
| An erroneous authorization check in SAP Business Workflow leads to privilege escalation. An authenticated administrative user can bypass role restrictions by leveraging permissions from a less sensitive function to execute unauthorized, high-privilege actions. This has a high impact on data integrity, with low impact on confidentiality and no impact on availability of the application. | |||||
| CVE-2026-24322 | 1 Sap | 1 Solution Tools Plug-in | 2026-02-17 | N/A | 7.7 HIGH |
| SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability. | |||||
| CVE-2026-24326 | 1 Sap | 1 S/4hana Defense & Security | 2026-02-17 | N/A | 4.3 MEDIUM |
| Due to a missing authorization check in the Disconnected Operations of SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to perform direct updates on a standard SAP database table. This results in low impact on integrity, with no impact on confidentiality or availability of the application. | |||||
| CVE-2026-24327 | 1 Sap | 1 Strategic Enterprise Management | 2026-02-17 | N/A | 4.3 MEDIUM |
| Due to missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This leads to low impact on confidentiality and no effect on integrity or availability. | |||||
| CVE-2025-67737 | 1 Azuracast | 1 Azuracast | 2026-02-17 | N/A | 3.1 LOW |
| AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the corresponding internal filesystem structure. This issue is fixed in version 0.23.2. | |||||
| CVE-2023-1333 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-02-13 | N/A | 4.3 MEDIUM |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete the plugin's cache. | |||||
| CVE-2026-25531 | 1 Kanboard | 1 Kanboard | 2026-02-13 | N/A | 4.3 MEDIUM |
| Kanboard is project management software focused on the Kanban methodology. Prior to 1.2.50, the fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50. | |||||
