Overview
- open-webui
- open-webui
19 Feb 2026
Published
19 Feb 2026
Updated
CVSS v3.1
HIGH (7.3)
EPSS
0.03%
KEV
Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, manually modifying chat history allows setting the `embeds` property on a response message; the content of each embed is loaded into an iframe whose sandbox has both `allow-scripts` and `allow-same-origin` set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS in the affected chat. The payload also triggers when the chat is in the shared format, so the result is a shareable link containing the payload that can be distributed to any other user on the instance. Version 0.6.44 fixes the issue.
Statistics
- 1 Post
Last activity: 5 hours ago
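Added example, not Open WebUI's code: it shows why the two sandbox tokens named in the entry above cannot be combined for untrusted content, and includes a small lint that scans rendered HTML for iframes with no sandbox or with the escapable combination. The `allowSameOrigin` option stands in for the instance setting, and the HTML sample is constructed.

```javascript
// Added example, not Open WebUI code: why allow-scripts + allow-same-origin
// defeats an iframe sandbox, plus a lint that finds that combination in HTML.

// With both tokens present the framed document is same-origin with the page
// that embeds it, so script inside it can reach window.parent.document and
// even remove its own frame's sandbox attribute. The sandbox then isolates
// nothing.
const ESCAPE_PAIR = ["allow-scripts", "allow-same-origin"];

// Build the sandbox token list for an untrusted embed. `allowSameOrigin`
// stands in for the instance's "iframe Sandbox Allow Same Origin" setting
// (option name assumed here); the point is that the setting must reach the
// attribute rather than being ignored.
function embedSandboxTokens({ allowSameOrigin = false } = {}) {
  const tokens = ["allow-scripts"]; // interactive embeds need scripts
  if (allowSameOrigin) tokens.push("allow-same-origin");
  return tokens;
}

// True when the token set grants both tokens in ESCAPE_PAIR.
function sandboxIsEscapable(tokens) {
  const set = new Set(tokens.map((t) => t.trim().toLowerCase()).filter(Boolean));
  return ESCAPE_PAIR.every((t) => set.has(t));
}

// Scan an HTML string for <iframe> start tags and report each one that has
// no sandbox attribute or an escapable one. Regex-based on purpose: fine for
// a CI lint over templates, not a replacement for an HTML parser.
function findUnsafeIframes(html) {
  const findings = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  const sandboxValueRe = /\bsandbox\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    if (!/\bsandbox\b/i.test(attrs)) {
      findings.push({ tag: m[0], reason: "no sandbox attribute" });
      continue;
    }
    // A bare `sandbox` attribute is the strictest form: no tokens at all.
    const v = sandboxValueRe.exec(attrs);
    const value = v ? (v[1] || v[2] || v[3] || "") : "";
    if (sandboxIsEscapable(value.split(/\s+/))) {
      findings.push({ tag: m[0], reason: "allow-scripts + allow-same-origin" });
    }
  }
  return findings;
}

// Constructed sample: three embeds as they might be rendered into a chat.
const SAMPLE_HTML = [
  '<iframe sandbox="allow-scripts allow-same-origin" srcdoc="&lt;script&gt;parent.document.title=\'owned\'&lt;/script&gt;"></iframe>',
  '<iframe sandbox="allow-scripts" srcdoc="&lt;p&gt;isolated&lt;/p&gt;"></iframe>',
  '<iframe src="https://example.invalid/embed"></iframe>',
].join("\n");
```

Running `findUnsafeIframes(SAMPLE_HTML)` reports the first iframe (escapable token pair) and the third (no sandbox at all); the second, with `allow-scripts` alone, is left alone. The regex lint will misjudge an iframe whose other attribute values contain the word `sandbox`, which is acceptable for a template check but not for runtime enforcement.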
Overview
- Cdome
- Comodo Dome Firewall
19 Feb 2026
Published
19 Feb 2026
Updated
CVSS v4.0
MEDIUM (5.3)
EPSS
0.05%
KEV
Description
Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the schedule endpoint. Attackers can submit POST requests with JavaScript payloads in the SCHNAME parameter; the payload executes in administrators' browsers when the schedule page is accessed.
Statistics
- 1 Post
Last activity: 22 hours ago
Overview
Description
curl's code for managing SSH connections when SFTP was done using the wolfSSH-powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting man-in-the-middle (MITM) attackers, among other consequences.
Statistics
- 1 Post
Last activity: 16 hours ago
Overview
- Alloksoft
- WMV to AVI MPEG DVD WMV Convertor
18 Feb 2026
Published
19 Feb 2026
Updated
CVSS v4.0
HIGH (8.4)
EPSS
0.03%
KEV
Description
WMV to AVI MPEG DVD WMV Convertor 4.6.1217 contains a buffer overflow vulnerability that allows attackers to crash the application by providing an oversized license input. Attackers can generate a 6000-byte payload and paste it into the 'License Name and License Code' field to trigger an application crash.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
- Shenzhen Smarteye Digital Electronics Co., Ltd.
- iSmartViewPro
18 Feb 2026
Published
19 Feb 2026
Updated
CVSS v4.0
MEDIUM (4.6)
EPSS
0.02%
KEV
Description
iSmartViewPro 1.3.34 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the camera ID input field. Attackers can paste a 257-character buffer into the camera DID and password fields to trigger an application crash on iOS devices.
Statistics
- 1 Post
Last activity: 14 hours ago
Overview
- itsourcecode
- Event Management System
19 Feb 2026
Published
19 Feb 2026
Updated
CVSS v4.0
MEDIUM (6.9)
EPSS
0.03%
KEV
Description
A vulnerability has been found in itsourcecode Event Management System 1.0 in the file /admin/manage_register.php (the affected function is not identified). Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Statistics
- 1 Post
Last activity: 23 hours ago
Overview
- openclaw
- openclaw
19 Feb 2026
Published
20 Feb 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.06%
KEV
Description
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`. Upgrade to OpenClaw `2026.2.14` or newer to receive a fix. The fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
- sebhildebrandt
- systeminformation
19 Feb 2026
Published
19 Feb 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.05%
KEV
Description
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.
Statistics
- 1 Post
Last activity: 7 hours ago
Overview
- HappySeaFox
- sail
20 Feb 2026
Published
20 Feb 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
Pending
KEV
Description
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to a heap-based buffer overflow through the XWD parser's use of the bytes_per_line value. The value is read directly from the file and used as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write beyond the heap buffer allocated for the image pixels. The issue did not have a fix at the time of publication.
Statistics
- 1 Post
Last activity: 1 hour ago
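Added example, not SAIL's code: a Node.js reader for the fixed XWD header that validates `bytes_per_line` against the image geometry, an allocation cap and the bytes actually present before using it as a read size, so the read length and the destination size are the same checked number. Field offsets follow the 25-field XWD header from XWDFile.h; the header is assumed big-endian, the 256 MiB cap is this example's policy, and the sample files are constructed.

```javascript
// Added example, not SAIL code: refuse to use bytes_per_line as a read size
// until it has been checked against geometry, a size cap and the file length.

const XWD_HEADER_SIZE = 100;                // 25 CARD32 fields (XWDFile.h)
const XWD_COLOR_SIZE = 12;                  // one XWDColor colormap entry
const MAX_IMAGE_BYTES = 256 * 1024 * 1024;  // example policy cap, not from the spec

// Byte offsets of the CARD32 fields this check needs.
const OFF = { header_size: 0, pixmap_width: 16, pixmap_height: 20,
              bits_per_pixel: 44, bytes_per_line: 48, ncolors: 76 };

// Parse the needed fields. Assumes a big-endian header, the common case; a
// full reader also handles the byte-swapped variant by checking whether
// header_size decodes to something sensible.
function parseXwdHeader(buf) {
  if (buf.length < XWD_HEADER_SIZE) throw new Error("truncated XWD header");
  const h = {};
  for (const [name, off] of Object.entries(OFF)) h[name] = buf.readUInt32BE(off);
  return h;
}

// Decide whether bytes_per_line may be used as the per-row read size.
// Returns { ok, reason } on failure and { ok, rowBytes, imageBytes } on success.
function validateXwdGeometry(h, fileLength) {
  const fail = (reason) => ({ ok: false, reason });
  if (h.header_size < XWD_HEADER_SIZE) return fail("header_size too small");
  if (h.pixmap_width === 0 || h.pixmap_height === 0) return fail("zero dimension");
  if (![1, 4, 8, 16, 24, 32].includes(h.bits_per_pixel)) return fail("unsupported bits_per_pixel");
  // Smallest row that can hold the pixels; real files pad this to bitmap_pad.
  const minRow = Math.ceil((h.pixmap_width * h.bits_per_pixel) / 8);
  if (h.bytes_per_line < minRow) return fail("bytes_per_line shorter than one row of pixels");
  // Overflow-free multiply: compare against the cap by division instead of
  // computing bytes_per_line * height first.
  if (h.bytes_per_line > Math.floor(MAX_IMAGE_BYTES / h.pixmap_height)) {
    return fail("bytes_per_line * pixmap_height exceeds the allocation cap");
  }
  const imageBytes = h.bytes_per_line * h.pixmap_height;
  const available = fileLength - h.header_size - h.ncolors * XWD_COLOR_SIZE;
  if (available < imageBytes) return fail("file shorter than the pixel data it declares");
  return { ok: true, reason: "ok", rowBytes: h.bytes_per_line, imageBytes };
}

// Read pixel rows only after validation, allocating from the checked size so
// the read length and the destination size cannot disagree.
function readXwdPixels(buf) {
  const h = parseXwdHeader(buf);
  const v = validateXwdGeometry(h, buf.length);
  if (!v.ok) throw new Error(`rejecting XWD: ${v.reason}`);
  const start = h.header_size + h.ncolors * XWD_COLOR_SIZE;
  const pixels = Buffer.alloc(v.imageBytes);
  for (let row = 0; row < h.pixmap_height; row++) {
    const src = start + row * v.rowBytes;
    buf.copy(pixels, row * v.rowBytes, src, src + v.rowBytes);
  }
  return { header: h, rows: h.pixmap_height, rowBytes: v.rowBytes, pixels };
}

// Build a minimal XWD file for testing: header, no colormap, then pixel data.
// Constructed sample, not a real capture.
function buildXwd({ width, height, bitsPerPixel, bytesPerLine, pixelBytes }) {
  const hdr = Buffer.alloc(XWD_HEADER_SIZE);
  hdr.writeUInt32BE(XWD_HEADER_SIZE, OFF.header_size);
  hdr.writeUInt32BE(width, OFF.pixmap_width);
  hdr.writeUInt32BE(height, OFF.pixmap_height);
  hdr.writeUInt32BE(bitsPerPixel, OFF.bits_per_pixel);
  hdr.writeUInt32BE(bytesPerLine, OFF.bytes_per_line);
  return Buffer.concat([hdr, Buffer.alloc(pixelBytes, 0xab)]);
}

// A 4x2 32-bpp image with a consistent header, and the same image with
// bytes_per_line set to a hostile value.
const SANE_XWD = buildXwd({ width: 4, height: 2, bitsPerPixel: 32, bytesPerLine: 16, pixelBytes: 32 });
const HOSTILE_XWD = buildXwd({ width: 4, height: 2, bitsPerPixel: 32, bytesPerLine: 0xfffffff0, pixelBytes: 32 });
```

The check that maps most directly onto the advisory is the cap comparison done by division: in a C parser the equivalent `bytes_per_line * height` can wrap, so the bound must be tested before the multiplication, and the buffer must then be allocated from that same checked product rather than from `width * bytes_per_pixel`.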
Fediverse
⚠️ CVE-2026-27168: HIGH severity heap overflow in HappySeaFox sail (≤0.9.10). Remote code execution possible via crafted XWD files — no patch yet. Audit, block untrusted XWDs, and monitor! https://radar.offseq.com/threat/cve-2026-27168-cwe-122-heap-based-buffer-overflow--338e400d #OffSeq #Vulnerability #HappySeaFox #CyberAlert
Overview
Description
Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path (e.g. `/etc/passwd`) as a font data chunk in the `create-font-variant` RPC endpoint, resulting in the file contents being stored and retrievable as a "font" asset. This is an arbitrary file read vulnerability. Any authenticated user with team edit permissions can read arbitrary files accessible to the Penpot backend process on the host filesystem. This can lead to exposure of sensitive system files, application secrets, database credentials, and private keys, potentially enabling further compromise of the server. In containerized deployments, the blast radius may be limited to the container filesystem, but environment variables, mounted secrets, and application configuration are still at risk. Version 2.13.2 contains a patch for the issue.
Statistics
- 1 Post
Last activity: 6 hours ago