9.3

CVSS4.0

CVE-2026-26065 - calibre: Path Traversal can Lead to Arbitrary File Write and Potential Code Execution

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary con…

📅 Published: Feb. 20, 2026, 1:54 a.m. 🔄 Last Modified: Feb. 20, 2026, 1:54 a.m.

9.3

CVSS4.0

CVE-2026-26064 - calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execution

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing …

📅 Published: Feb. 20, 2026, 1:44 a.m. 🔄 Last Modified: Feb. 20, 2026, 1:44 a.m.

5.4

CVSS3.1

CVE-2026-27016 - LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags()

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The u…

📅 Published: Feb. 20, 2026, 1:34 a.m. 🔄 Last Modified: Feb. 20, 2026, 1:34 a.m.

5.3

CVSS4.0

CVE-2026-2819 - Dromara RuoYi-Vue-Plus Workflow deleteByInstanceIds SaServletFilter authorization

A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. T…

📅 Published: Feb. 20, 2026, 1:32 a.m. 🔄 Last Modified: Feb. 20, 2026, 1:32 a.m.

8.8

CVSS3.1

CVE-2026-26990 - LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into …

📅 Published: Feb. 20, 2026, 1:29 a.m. 🔄 Last Modified: Feb. 20, 2026, 1:29 a.m.

4.3

CVSS3.1

CVE-2026-26989 - LibreNMS has Stored XSS in Alert Rule

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser…

📅 Published: Feb. 20, 2026, 1:25 a.m. 🔄 Last Modified: Feb. 20, 2026, 1:25 a.m.

9.3

CVSS4.0

CVE-2026-26988 - LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, …

📅 Published: Feb. 20, 2026, 1:17 a.m. 🔄 Last Modified: Feb. 20, 2026, 1:17 a.m.

5.3

CVSS4.0

CVE-2026-26987 - LibreNMS affected by reflected XSS via email field

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version 26.2.0.

📅 Published: Feb. 20, 2026, 1:11 a.m. 🔄 Last Modified: Feb. 20, 2026, 1:11 a.m.

7.1

CVSS3.1

CVE-2026-26960 - node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extracti…

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user.…

📅 Published: Feb. 20, 2026, 1:07 a.m. 🔄 Last Modified: Feb. 20, 2026, 1:07 a.m.

9.4

CVSS3.1

CVE-2026-26980 - Ghost has a SQL Injection in its Content API

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

📅 Published: Feb. 20, 2026, 1 a.m. 🔄 Last Modified: Feb. 20, 2026, 1 a.m.