Latest Security Vulnerabilities

Sunday February 22, 2026

 

D-Link Dwr M960

CVE-2026-2926 D-Link DWR-M960 1.01.07 LTE Config Stack Buffer Overflow (remote)
CVE-2026-2928 D-Link DWR-M960 1.01.07 WLAN Encryption Config Endpoint Stack Overflow
CVE-2026-2927 Stack-based buffer overflow in D-Link DWR-M960 1.01.07 OpMode Cfg
CVE-2026-2925 D-Link DWR-M960 1.01.07 Bridge VLAN Buffer Overflow (sub_42B5A0)
CVE-2026-2929 D-Link DWR-M960 1.01.07 WAC Endpoint Bof via submit-url
CVE-2026-2885 D-Link DWR-M960 1.01.07 Buffer Overflow: sub_469104 in formIpv6Setup
CVE-2026-2884 D-Link DWR-M960 1.01.07 WAN Handler Stack Buffer Overflow
CVE-2026-2883 Stack Buffer Overflow in D-Link DWR-M960 1.01.07 via submit-url
CVE-2026-2882 D-Link DWR-M960 1.01.07: Remote Stack Buffer Overflow in submiturl
And others...

Tenda

CVE-2026-2910 Tenda HG9 /boaform/formPing6 Stack Buffer Overflow (CVE-2026-2910)
CVE-2026-2907 Stack-based buffer overflow in Tenda HG9 GPON Config (/boaform/formgponConf)
CVE-2026-2906 Stack BVF in Tenda HG9 Samba Config Endpoint
CVE-2026-2908 Stack Buffer Overflow in Tenda HG9 /boaform formLoopBack Endpoint
CVE-2026-2905 Tenda HG9 Wireless Config Endpoint Stack Buffer Overflow via SSID
CVE-2026-2909 Stack-based BOF in Tenda HG9 /boaform/formPing
CVE-2026-2911 Tenda FH451 <1.0.0.9 Buffer Overflow via /goform/GstDhcpSetSer
CVE-2026-2873 Tenda A21 v1.0 buffer overflow in setSchedWifi (/goform/openSchedWifi)
CVE-2026-2872 Tenda A21 1.0.0.0 MC Config Remote Stack Overflow
And others...

Funadmin

CVE-2026-2897 funadmin 7.1.0-rc4 XSS via Value param in Backend Interface
CVE-2026-2898 funadmin <=7.1.0-rc4 Backend Endpoint getMember deserialization remote
CVE-2026-2895 funadmin <=7.1.0-rc4 Weak Password Recovery in Member.php repass
CVE-2026-2896 funadmin 7.1.0-rc4 Improper Authorization via setConfig in Configuration Handler (Remote)
CVE-2026-2894 Funadmin <=7.1.0-rc4: Remote Info Disclosure via getMember in login/forget
 

Unclassified

CVE-2026-1369 Conditional CAPTCHA WP Plugin 4.0.0 Open Redirect
CVE-2026-2904 UTT HiPER 810G 1.7.7-171114 Remote Buffer Overflow in ConfigExceptAli (strcpy)
CVE-2026-27212 Swiper Prototype Pollution (6.5.112.1.1) via Array.prototype
CVE-2026-27482 Ray 2.53.0 Dashboard DELETE Unauthenticated, Drive-By Availability
CVE-2026-27199 Werkzeug <3.1.6 unsafe safe_join allows Windows device names
CVE-2026-27211 Arbitrary Host File Exfiltration in Cloud Hypervisor 34-50 via virtio-block
CVE-2026-27197 Sentry SAML SSO Vulnerability Enables Account Takeover (pre26.2.0)
CVE-2026-27205 Flask <3.1.3: Use of Cache Containing Sensitive Info via session Vary:Cookie
CVE-2026-27210 Pannellum <=2.5.6 XSS via unrestricted hotspot attributes
And others...

Libvips

CVE-2026-2913 Heap Overflow in libvips 8.19.0 vips_source_read_to_memory

Code Projects

CVE-2026-2912 SQLi in Online Reviewer 1.0 via test_id in studentresult-view.php

Re2c

CVE-2026-2903 re2c 4.4 NPE in check_and_merge_special_rules (skvadrik)

Saturday February 21, 2026

Apache AirFlow

CVE-2025-65995 Airflow UI Leak of Operator Kwargs in Tracebacks Fixed in 3.1.4 & 2.11.1

Moodle

CVE-2026-26046 Command Injection via Moodle TeX Filter (v<4.5.9, <5.0.5, <5.1.2)
CVE-2026-26047 Moodle TeX Editor DoS via Mimetex pre-<4.5.9/5.0.5/5.1.2
CVE-2026-26045 Moodle Backup Restore RCE in v4.5.8 and earlier; fixed v4.5.9,5.0.5,5.1.2
 

Unclassified

CVE-2026-1369 Conditional CAPTCHA WP Plugin 4.0.0 Open Redirect
CVE-2026-2904 UTT HiPER 810G 1.7.7-171114 Remote Buffer Overflow in ConfigExceptAli (strcpy)
CVE-2026-27212 Swiper Prototype Pollution (6.5.112.1.1) via Array.prototype
CVE-2026-27482 Ray 2.53.0 Dashboard DELETE Unauthenticated, Drive-By Availability
CVE-2026-27199 Werkzeug <3.1.6 unsafe safe_join allows Windows device names
CVE-2026-27211 Arbitrary Host File Exfiltration in Cloud Hypervisor 34-50 via virtio-block
CVE-2026-27197 Sentry SAML SSO Vulnerability Enables Account Takeover (pre26.2.0)
CVE-2026-27205 Flask <3.1.3: Use of Cache Containing Sensitive Info via session Vary:Cookie
CVE-2026-27210 Pannellum <=2.5.6 XSS via unrestricted hotspot attributes
And others...
 

D-Link Dwr M960

CVE-2026-2926 D-Link DWR-M960 1.01.07 LTE Config Stack Buffer Overflow (remote)
CVE-2026-2928 D-Link DWR-M960 1.01.07 WLAN Encryption Config Endpoint Stack Overflow
CVE-2026-2927 Stack-based buffer overflow in D-Link DWR-M960 1.01.07 OpMode Cfg
CVE-2026-2925 D-Link DWR-M960 1.01.07 Bridge VLAN Buffer Overflow (sub_42B5A0)
CVE-2026-2929 D-Link DWR-M960 1.01.07 WAC Endpoint Bof via submit-url
CVE-2026-2885 D-Link DWR-M960 1.01.07 Buffer Overflow: sub_469104 in formIpv6Setup
CVE-2026-2884 D-Link DWR-M960 1.01.07 WAN Handler Stack Buffer Overflow
CVE-2026-2883 Stack Buffer Overflow in D-Link DWR-M960 1.01.07 via submit-url
CVE-2026-2882 D-Link DWR-M960 1.01.07: Remote Stack Buffer Overflow in submiturl
And others...

Tenda

CVE-2026-2910 Tenda HG9 /boaform/formPing6 Stack Buffer Overflow (CVE-2026-2910)
CVE-2026-2907 Stack-based buffer overflow in Tenda HG9 GPON Config (/boaform/formgponConf)
CVE-2026-2906 Stack BVF in Tenda HG9 Samba Config Endpoint
CVE-2026-2908 Stack Buffer Overflow in Tenda HG9 /boaform formLoopBack Endpoint
CVE-2026-2905 Tenda HG9 Wireless Config Endpoint Stack Buffer Overflow via SSID
CVE-2026-2909 Stack-based BOF in Tenda HG9 /boaform/formPing
CVE-2026-2911 Tenda FH451 <1.0.0.9 Buffer Overflow via /goform/GstDhcpSetSer
CVE-2026-2873 Tenda A21 v1.0 buffer overflow in setSchedWifi (/goform/openSchedWifi)
CVE-2026-2872 Tenda A21 1.0.0.0 MC Config Remote Stack Overflow
And others...

Feathersjs

CVE-2026-27193 FeathersJS <=5.0.39: Unencrypted Session Cookie Exposes HTTP Headers
CVE-2026-27192 Feathersjs 5.x Referrer Origin Validation Bypass (OAuth Token Leak)
CVE-2026-27191 Feathersjs 5.0.39 Redirect URL Injection Full Account Takeover

Metabase

CVE-2026-27464 Metabase 0.57.13/0.58.x Auth Users Retrieve DB Credentials via Eval

Bigbluebutton

CVE-2026-27467 BigBlueButton <3.0.20: Muted Mic Still Sends Audio
CVE-2026-27466 BBB 3.0.21 and earlier: DDoS via exposed clamd ports (3310/7357)

Wedevs Wemail

CVE-2025-14339 weMail: Unauthorized Form Deletion WP Plugin 2.0.7

Frappe Erpnext

CVE-2026-27471 Unauthorized Document Access in ERPNext <=15.98.0,16.0.0-rc.1&<=16.6.0 (CVE-2026-27471)

Thimpress Learnpress

CVE-2026-1787 LearnPress Export Import WP Plugin Unauth Data Delete (4.1.0)

Kovah

CVE-2026-27458 LinkAce 2.4.2 & Prior - Stored XSS via Atom Feed (/lists/feed)

Funadmin

CVE-2026-2897 funadmin 7.1.0-rc4 XSS via Value param in Backend Interface
CVE-2026-2898 funadmin <=7.1.0-rc4 Backend Endpoint getMember deserialization remote
CVE-2026-2895 funadmin <=7.1.0-rc4 Weak Password Recovery in Member.php repass
CVE-2026-2896 funadmin 7.1.0-rc4 Improper Authorization via setConfig in Configuration Handler (Remote)
CVE-2026-2894 Funadmin <=7.1.0-rc4: Remote Info Disclosure via getMember in login/forget

Zoneminder

CVE-2026-27470 ZoneMinder 1.36.37 & 1.38.0 second-order SQLi

Statamic

CVE-2026-27196 Statmatic CMS Stored XSS in html fieldtypes up to 5.73.8 / 6.3.1

Itsourcecode

CVE-2026-2867 CVE-2026-2867
CVE-2026-2865 CVE-2026-2865

Friday February 20, 2026

Tensorflow

CVE-2026-2492 TensorFlow HDF5 Local Privilege Escalation via Uncontrolled Search Path

Google

CVE-2026-2473 Cloud Vertex AI v1.21.0-1.132.x Predictable Bucket RCE
CVE-2026-2472 Stored XSS in Vertex AI SDK genai/evals_visualization 1.981.130

Kamleshyadav Miraculous El

CVE-2025-67998 Authentication Bypass via Alt Path in Miraculous Elementor <=2.0.7

Acronis Cyber Protect

CVE-2025-30410 Acronis Cyber Protect: Authless Sensitive Data Disclosure (CVE-2025-30410)
CVE-2025-30416 Acronis Cyber Protect Sensitive Data Disclosure via Missing Authorization
CVE-2025-30411 Acronis Cyber Protect 15/16 Improper Auth Exposes Sensitive Data
CVE-2025-30412 Acronis Cyber Protect 15/16 Improper Auth Exposes Sensitive Data

Soporteblue Bluex For Woocommerce

CVE-2025-68022 Missing Authorization in BlueX for WooCommerce <=3.1.6

Pdf Xchange Editor

CVE-2026-2040 PDF-XChange Editor TrackerUpdate LPE via Uncontrolled Search Path
 

Unclassified

CVE-2026-1369 Conditional CAPTCHA WP Plugin 4.0.0 Open Redirect
CVE-2026-2904 UTT HiPER 810G 1.7.7-171114 Remote Buffer Overflow in ConfigExceptAli (strcpy)
CVE-2026-27212 Swiper Prototype Pollution (6.5.112.1.1) via Array.prototype
CVE-2026-27482 Ray 2.53.0 Dashboard DELETE Unauthenticated, Drive-By Availability
CVE-2026-27199 Werkzeug <3.1.6 unsafe safe_join allows Windows device names
CVE-2026-27211 Arbitrary Host File Exfiltration in Cloud Hypervisor 34-50 via virtio-block
CVE-2026-27197 Sentry SAML SSO Vulnerability Enables Account Takeover (pre26.2.0)
CVE-2026-27205 Flask <3.1.3: Use of Cache Containing Sensitive Info via session Vary:Cookie
CVE-2026-27210 Pannellum <=2.5.6 XSS via unrestricted hotspot attributes
And others...

Elementor Website Builder

CVE-2024-50555 Elementor Website Builder <=3.29.0 Stored XSS

Totalbounty Widget Logic Visual

CVE-2025-68842 XSS in WidgetLogic Visual <=1.52 (totalbounty)

Case Themes Booked

CVE-2026-22341 WordPress Booked 3.0.0 Auth Bypass via Alt Path

Add Onsorg Pdf For Elementor Forms

CVE-2026-22350 Missing Auth on PDF for Elementor Forms 6.3.1

Automattic Jetpack Crm

CVE-2026-22356 Jetpack CRM <=6.7.0 LFI via Improper Filename Control

Nagios

CVE-2026-2042 Nagios Monitoringwizard Cmd Injection RCE
CVE-2026-2041 Nagios Host zabbixagent_configwizard_func Cmd Injection Vulnerability
CVE-2026-2043 Nagios Host: esensors Command Injection RCE (Auth Req)

Staviravn All In One Wp Builder

CVE-2025-53217 Missing Auth in AIO WP Builder <= 2.0.2

Wpwax Directorist

CVE-2025-68069 Missing Auth in wpWax Directorist <=8.5.10: Access Control

Gimp

CVE-2026-0797 GIMP ICO Buffer Overflow Enables RCE
CVE-2026-2048 GIMP XWD Parsing OOB Write RCE Vulnerability
CVE-2026-2047 GIMP ICNS Parser Heap Overflow RCE
CVE-2026-2045 GIMP XWD File Parsing OOB Write RCE

Pixelyoursite

CVE-2026-27072 PixelYourSite <=11.2.0.1 PIXEL Manager StoredXSS

Kovidgoyal

CVE-2026-26065 Calibre <9.3 Path Traversal via PDB Readers (Arbitrary File Write)
CVE-2026-26064 Calibre 9.2.1 Path Traversal -> Arbitrary File Write (RCE on Windows)

Marcus Aka Msykes Wp Fullcalendar

CVE-2026-22351 WP FullCalendar <=1.6 Missing Auth Vulnerability

Webcodingplace Woo Coming Soon Product

CVE-2025-68552 WooCommerce Coming Soon Product with Countdown <=5.0 PHP LFI (File Include)

VMware

CVE-2026-2818 Zip-Slip Path Traversal in Spring Data Geode Import Snapshot (Windows Only)

Jthemes Prestige

CVE-2025-69330 Prestige Reflected XSS before 1.4.1
CVE-2025-69329 Object Injection via Untrusted Deserialization in Jthemes Prestige <1.4.1

Posimyth Plus Addons Block Editor

CVE-2024-50452 WordPress Nexter Blocks <=3.3.3 Stored XSS via plus-addons-for-block-editor

Liton Arefin Master Addons

CVE-2024-52387 Master Addons for Elementor <=2.0.9.x Stored XSS

Litespeed Technologies Litespeed Cache

CVE-2024-51915 LiteSpeed Cache <=6.5.2 XSS Stored Vulnerability

Secupress

CVE-2024-43228 Missing Auth in SecuPress Free (2.2.5.3)

Fox Themes Prague Plugins

CVE-2025-67972 Reflected XSS in Fox-Themes Prague v2.2.8 (WordPress Plugin)

Realmag777 Gmap Targeting

CVE-2025-67990 Reflected XSS in RealMag777 GMap Targeting <=1.1.7

Pickplugins Testimonial

CVE-2025-68000 Missing Auth in PickPlugins Testimonial Slider 2.0.15 via ACL

Conveythis Translate

CVE-2025-68021 Missing Auth in ConveyThis conveythis-translate <=269.5

Passionate Brains Ga For Wp

CVE-2025-68028 Missing Auth in GA4WP: Google Analytics Wp <=2.10.0

Lottiefiles

CVE-2025-68043 LottieFiles lottiefiles Missing Auth <=3.0.0

Crocoblock Jetengine

CVE-2025-68495 JetEngine <=3.8.0 XSS via Reflected Input

Boldthemes Ippsum

CVE-2025-68541 Object Injection via Deserialization in BoldThemes Ippsum <= 1.2.0

Shahjada Wpdm Elementor

CVE-2026-24956 Shahjada Download Manager Addons for Elementor <=1.3.0 Blind SQL Injection (CVE-2026-24956)

Tychesoftwares Print Invoice Delivery Notes Woocommerce

CVE-2026-24946 Missing Auth in TycheSoftwares Print Invoice & Delivery Notes WP plugin <=5.8.0

Wedevs Subscribe2

CVE-2026-24944 Missing Auth in weDevs Subscribe2 <=10.44 (Incorrect Access Control)

Spencer Haws Link Whisper

CVE-2026-22357 Link Whisper Free <=0.9.0 Reflected XSS (CVE-2026-22357)

Axiomthemes Photolia

CVE-2026-22362 Photolia <=1.0.3 PHP RFI Vulnerability

Ancorathemes Isida

CVE-2026-22372 Isida <=1.4.2 PHP LFI/RFI via include/require

Pjsip

CVE-2026-26967 PJSIP 2.16 & below: Heap Buffer Overflow in H.264 unpacketizer (SRTP)

Gfi Archiver

CVE-2026-2039 GFI Archiver MArc.Store Auth Bypass on Remoting.exe (port 8018)

Paris Holley Asynchronous Javascript

CVE-2025-68846 Asynchronous JavaScript <=1.3.5 Reflected XSS

Themeglow Job Board Light

CVE-2025-68855 themeglow JobBoard Job listing <=1.2.8 Sensitive Data Leakage

Teconcetheme Allmart Core

CVE-2025-69304 TeconceTheme Allmart-core SQLi <=1.1 Blind Injection

Veronalabs Wp Slimstat

CVE-2025-69323 WP Slimstat Analytics <=5.3.2 Reflected XSS via wp-slimstat (VeronaLabs)

Basix Nex Forms Express Wp Form Builder

CVE-2025-69324 NEX-Forms <9.1.7 Stored XSS via nex-forms-express-wp-form-builder
CVE-2025-69326 NEX-Forms <=9.1.7 Reflected XSS via nex-forms-express-wp-form-builder

Magepeopleteam Booking Rental Manager Woocommerce

CVE-2025-69328 Deserialization Object Injection in Booking & Rental Manager <=2.5.9

Themegoods Capella

CVE-2025-69370 Object Injection via Deserialization in Capella <=2.5.5

Ancorathemes Sevenhills

CVE-2025-69372 AncoraThemes SevenHills Object Injection via Deserialization (<=1.6.2)

Vanquish User Extra Fields

CVE-2025-69376 WordPress User Extra Fields <=17.0 Path Traversal (CVE-2025-69376)

Xforwoocommerce Prdctfltr

CVE-2025-69378 Privilege Escalation in Product Filter for WooCommerce <=9.1.2

Vanquish Wp Upload Files Anywhere

CVE-2025-69379 Upload Files Anywhere WP Plugin Path Traversal (2.8)

Vanquish Woocommerce Quick Product Editor

CVE-2025-69381 Missing Auth in WooCommerce Bulk Product Editor <=3.0

Themebon Templates Addons Wpbakery Page Builder

CVE-2025-69390 Business Template Blocks WPBakery XSS Reflected in <=1.3.2

Themerex Plank

CVE-2025-69398 ThemeREX Plank <=1.7 LFI via include/require filename control

Mdalabar Byconsole Woo Order Delivery Time

CVE-2025-69401 WordPress WooODT Lite <=2.5.2 Auth Bypass Spoofing

Themerex Lorem Ipsum Books Media Store

CVE-2025-69405 ThemeREX Lorem Ipsum Books Media Store <=1.2.6: OBJ INJ Deserial Vulnerability
 

D-Link Dwr M960

CVE-2026-2926 D-Link DWR-M960 1.01.07 LTE Config Stack Buffer Overflow (remote)
CVE-2026-2928 D-Link DWR-M960 1.01.07 WLAN Encryption Config Endpoint Stack Overflow
CVE-2026-2927 Stack-based buffer overflow in D-Link DWR-M960 1.01.07 OpMode Cfg
CVE-2026-2925 D-Link DWR-M960 1.01.07 Bridge VLAN Buffer Overflow (sub_42B5A0)
CVE-2026-2929 D-Link DWR-M960 1.01.07 WAC Endpoint Bof via submit-url
CVE-2026-2885 D-Link DWR-M960 1.01.07 Buffer Overflow: sub_469104 in formIpv6Setup
CVE-2026-2884 D-Link DWR-M960 1.01.07 WAN Handler Stack Buffer Overflow
CVE-2026-2883 Stack Buffer Overflow in D-Link DWR-M960 1.01.07 via submit-url
CVE-2026-2882 D-Link DWR-M960 1.01.07: Remote Stack Buffer Overflow in submiturl
And others...

HP

CVE-2026-2832 Samsung MultiXpress Info Disclosure via Unauthenticated APIs

Nenad Obradovic Extensive Vc Addon

CVE-2025-60087 WP Extensive VC Addons <=1.9.1 RFI via Filename Control

Soflyy Wp Wizard Cloak

CVE-2025-53237 Soflyy WP Wizard Cloak <=1.0.1 Reflected XSS (CVE-2025-53237)

Addonify Floating Cart

CVE-2025-68025 Missing Auth in Addonify Floating Cart For WooCommerce <=1.2.17 (Access Control)

Leadpages

CVE-2025-68050 Leadpages Missing Auth (1.1.3) Incorrect Access Control

Modeltheme Addons For Wpbakery

CVE-2025-68531 ModelTheme Addons WPBakery/Elementor Deserialization <1.5.6

Teconcetheme Uroan Core

CVE-2025-69365 Blind SQL Injection in TeconceTheme Uroan Core 1.4.4

Agence Web Eoxia Montpellier Wpshop

CVE-2025-69383 WP shop <=2.6.1 LFI via Unvalidated Include/Require

Hugh Mungus Visitor Maps Extended Referer Field

CVE-2025-69389 WP Visitor Maps Extended Referer Field <=1.2.6 Reflected XSS

Gt3themes Diamond

CVE-2025-69391 Reflected XSS in GT3themes Diamond <=2.4.8

Jthemes Exzo

CVE-2025-69393 Jthemes Exzo <=1.2.4 Missing Auth Access Control Vulnerability

Themerex Cobble

CVE-2025-69399 PHP LFI in ThemeREX Cobble <=1.7 via Include/Require

Saiful Islam Product Sync Master Sheet

CVE-2025-68834 Missing Auth in Sync Master Sheet WP Plugin (<=1.1.3)

Elextensions Elex Helpdesk Customer Support Ticket System

CVE-2025-68837 Missing Auth CVE-2025-68837 in ELEX WP HelpDesk <=3.3.5

Themepul Topper Pack

CVE-2025-68841 PHP RFI in Themepul TopperPack <=1.2.1

Bas Schuiling Faf

CVE-2025-68843 FeedWordPress Advanced Filters <=0.6.2 Reflected XSS

Daleab Membees Member Login Widget

CVE-2025-68844 DaleAB Membee Login 2.3.6 Reflected XSS in membees-member-login-widget

Zack Katz Gravity Forms Icontact

CVE-2025-68863 XSS in iContact for Gravity Forms <=1.3.2 via Input Reflection

Saad Iqbal New User Approve

CVE-2025-69063 Missing Auth in Saad Iqbal New User Approve <=3.2.0 'new-user-approve' AC

Teconcetheme Coven Core

CVE-2025-69295 TeconceTheme Coven Core <=1.3 Blind SQL Injection (coven-core)

Ghostpool Aardvark

CVE-2025-69296 GhostPool Aardvark 4.6.3 Reflected XSS (WEB UI)

Ghostpool Gauge

CVE-2025-69298 GhostPool Gauge Missing Auth (<=6.56.4) Exploitable by Misconfigured Access

Laborator Oxygen

CVE-2025-69299 SSRF in Oxygen Builder <=6.0.8

Themegoods Photome

CVE-2025-69301 Insecure Deserialization in ThemeGoods PhotoMe <=5.6.11 (Untrusted Data)

Designthemes Core Features

CVE-2025-69302 XSS in DesignThemes Core Features <= 2.3

Teconcetheme Woodly Core

CVE-2025-69310 Blnd SQLi in TeconceTheme Woodly Core <=1.4 via Unsanitized Input