Total
336347 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-63649 | 1 Monkey-project | 1 Monkey | 2026-02-19 | N/A | 7.5 HIGH |
|
An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server.
|
|||||
| CVE-2025-63650 | 1 Monkey-project | 1 Monkey | 2026-02-19 | N/A | 7.5 HIGH |
|
An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
|
|||||
| CVE-2025-63651 | 1 Monkey-project | 1 Monkey | 2026-02-19 | N/A | 7.5 HIGH |
|
A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
|
|||||
| CVE-2026-25057 | 1 Markusproject | 1 Markus | 2026-02-19 | N/A | 9.1 CRITICAL |
|
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.
|
|||||
| CVE-2026-27050 | 2026-02-19 | N/A | 5.4 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress RealPress realpress allows Cross Site Request Forgery.This issue affects RealPress: from n/a through <= 1.1.0.
|
|||||
| CVE-2026-25463 | 2026-02-19 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpEstate Wpresidence Core wpresidence-core allows Stored XSS.This issue affects Wpresidence Core: from n/a through <= 5.4.0.
|
|||||
| CVE-2026-25419 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UpsellWP: from n/a through <= 2.2.3.
|
|||||
| CVE-2026-25416 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in blazethemes News Kit Elementor Addons news-kit-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Kit Elementor Addons: from n/a through <= 1.4.2.
|
|||||
| CVE-2026-25409 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in crgeary JAMstack Deployments wp-jamstack-deployments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JAMstack Deployments: from n/a through <= 1.1.1.
|
|||||
| CVE-2026-25408 | 2026-02-19 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in PluginRx Broken Link Notifier broken-link-notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broken Link Notifier: from n/a through <= 1.3.5.
|
|||||
| CVE-2026-25407 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in cookiebot Cookiebot cookiebot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cookiebot: from n/a through <= 4.6.4.
|
|||||
| CVE-2026-25402 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in echoplugins Knowledge Base for Documentation, FAQs with AI Assistance echo-knowledge-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: from n/a through <= 16.011.0.
|
|||||
| CVE-2026-25399 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in CryoutCreations Serious Slider cryout-serious-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Serious Slider: from n/a through <= 1.2.7.
|
|||||
| CVE-2026-25395 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in ikreatethemes Business Roy business-roy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Roy: from n/a through <= 1.1.4.
|
|||||
| CVE-2026-25394 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in sparklewpthemes Fitness FSE fitness-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fitness FSE: from n/a through <= 1.0.6.
|
|||||
| CVE-2026-25393 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hello FSE: from n/a through <= 1.0.6.
|
|||||
| CVE-2026-25392 | 2026-02-19 | N/A | 4.7 MEDIUM | ||
|
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in KaizenCoders Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress update-urls allows Phishing.This issue affects Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress: from n/a through <= 1.4.0.
|
|||||
| CVE-2026-25391 | 2026-02-19 | N/A | 5.4 MEDIUM | ||
|
Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Wand: from n/a through <= 1.3.07.
|
|||||
| CVE-2026-25386 | 2026-02-19 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ally: from n/a through <= 4.0.2.
|
|||||
| CVE-2026-25384 | 2026-02-19 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in WP Lab WP-Lister Lite for eBay wp-lister-for-ebay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-Lister Lite for eBay: from n/a through <= 3.8.5.
|
|||||
| CVE-2026-25375 | 2026-02-19 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.10.
|
|||||
| CVE-2026-25372 | 2026-02-19 | N/A | 6.5 MEDIUM | ||
|
Missing Authorization vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Academy LMS: from n/a through <= 3.5.3.
|
|||||
| CVE-2026-25368 | 2026-02-19 | N/A | 6.5 MEDIUM | ||
|
Missing Authorization vulnerability in codepeople Calculated Fields Form calculated-fields-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Calculated Fields Form: from n/a through <= 5.4.4.1.
|
|||||
| CVE-2025-15113 | 1 Kseniasecurity | 2 Lares, Lares Firmware | 2026-02-19 | N/A | 9.3 CRITICAL |
|
Ksenia Security lares (legacy model) Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.
|
|||||
| CVE-2025-15111 | 1 Kseniasecurity | 2 Lares, Lares Firmware | 2026-02-19 | N/A | 9.8 CRITICAL |
|
Ksenia Security lares (legacy model) version 1.6 contains a default credentials vulnerability that allows unauthorized attackers to gain administrative access. Attackers can exploit the weak default administrative credentials to obtain full control of the home automation system.
|
|||||
| CVE-2026-2164 | 1 Detronetdip | 1 E-commerce | 2026-02-19 | 7.5 HIGH | 7.3 HIGH |
|
A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2026-2165 | 1 Detronetdip | 1 E-commerce | 2026-02-19 | 7.5 HIGH | 7.3 HIGH |
|
A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2026-25474 | 1 Openclaw | 1 Openclaw | 2026-02-19 | N/A | 7.5 HIGH |
|
OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id). If an attacker can reach the webhook endpoint, they may be able to send forged updates that are processed as if ...
Show More |
|||||
| CVE-2026-24900 | 1 Markusproject | 1 Markus | 2026-02-19 | N/A | 6.5 MEDIUM |
|
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.
|
|||||
| CVE-2026-25230 | 1 Filerise | 1 Filerise | 2026-02-19 | N/A | 4.6 MEDIUM |
|
FileRise is a self-hosted web file manager / WebDAV server. Prior to 3.3.0, an HTML Injection vulnerability allows an authenticated user to modify the DOM and add e.g. form elements that call certain endpoints or link elements that redirect the user on active interaction. This vulnerability is fixed in 3.3.0.
|
|||||
| CVE-2025-12107 | 1 Wso2 | 1 Identity Server | 2026-02-19 | N/A | 10.0 CRITICAL |
|
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.
Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.
|
|||||
| CVE-2026-2616 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2026-02-19 | 8.3 HIGH | 8.8 HIGH |
|
A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management Interface. The manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. It is advisable to modify the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-25527 | 1 Webtechnologies | 1 Changedetection | 2026-02-19 | N/A | 5.3 MEDIUM |
|
changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static/<group>/<filename>` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to `/app/changedetectionio`, enabling unauthenticated local file read of application source files (e.g., `flask_app.py`). Version 0.53.2 fixes the issue.
|
|||||
| CVE-2026-2617 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2026-02-19 | 5.8 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in Beetel 777VR1 up to 01.00.09. This affects an unknown function of the component Telnet Service/SSH Service. The manipulation results in insecure default initialization of resource. The attack can only be performed from the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2019-25430 | 1 Comodo | 1 Dome Firewall | 2026-02-19 | N/A | 6.1 MEDIUM |
|
Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the username parameter. Attackers can send POST requests to the vpn_users endpoint with script payloads in the username field to execute arbitrary JavaScript in victim browsers.
|
|||||
| CVE-2026-25120 | 1 Gogs | 1 Gogs | 2026-02-19 | N/A | 2.7 LOW |
|
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without verifying repository ownership and the Database function DeleteCommentByID performs no repository valida ...
Show More |
|||||
| CVE-2026-2525 | 1 Free5gc | 1 Free5gc | 2026-02-19 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A vulnerability has been found in Free5GC up to 4.1.0. This affects an unknown function of the component PFCP UDP Endpoint. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2026-2531 | 1 Mindsdb | 1 Mindsdb | 2026-02-19 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.
|
|||||
| CVE-2026-25242 | 1 Gogs | 1 Gogs | 2026-02-19 | N/A | 9.8 CRITICAL |
|
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-o ...
Show More |
|||||
| CVE-2026-25229 | 1 Gogs | 1 Gogs | 2026-02-19 | N/A | 6.5 MEDIUM |
|
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's lab ...
Show More |
|||||