Overview
Description
HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue.
Statistics
- 1 Post
Last activity: Last hour
Overview
- kovidgoyal
- calibre
20 Feb 2026
Published
20 Feb 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
0.01%
KEV
Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.
Statistics
- 1 Post
Last activity: 18 hours ago
Fediverse
⚠️ CRITICAL vuln: calibre <9.3.0 (CVE-2026-26065) allows arbitrary file writes via path traversal in PDB reader. Risks: code execution, DoS. Patch to 9.3.0+ ASAP! No known exploits yet. https://radar.offseq.com/threat/cve-2026-26065-cwe-22-improper-limitation-of-a-pat-53326093 #OffSeq #Vuln #Calibre #InfoSec
Overview
- openclaw
- openclaw
19 Feb 2026
Published
20 Feb 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.03%
KEV
Description
OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are expected to be authenticated via Ed25519 signature verification. In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy). The issue has been fixed in version 2026.2.14.
Statistics
- 1 Post
Last activity: Last hour
Overview
- EPSON
- EPSON Printer Controller Installer
- com.epson.InstallNavi.helper
19 Feb 2026
Published
19 Feb 2026
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.01%
KEV
Description
The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. It fails to properly authenticate clients over the XPC protocol and does not correctly enforce macOS’s authorization model, exposing privileged functionality to untrusted users. Although it invokes the AuthorizationCopyRights API, it does so using overly permissive custom rights that it registers in the system’s authorization database (/var/db/auth.db).
These rights can be requested and granted by the authorization daemon to any local user, regardless of privilege level. As a result, an attacker can exploit the vulnerable service to perform privileged operations such as executing arbitrary commands or installing system components without requiring administrative credentials.
Statistics
- 1 Post
Last activity: 22 hours ago
Overview
- Apache Software Foundation
- Apache Tomcat
17 Feb 2026
Published
17 Feb 2026
Updated
CVSS
Pending
EPSS
0.04%
KEV
Description
Improper Input Validation vulnerability in Apache Tomcat.
Tomcat did not limit HTTP/0.9 requests to the GET method. If a security
constraint was configured to allow HEAD requests to a URI but deny GET
requests, the user could bypass that constraint on GET requests by
sending a (specification invalid) HEAD request using HTTP/0.9.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.
Older, EOL versions are also affected.
Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
Statistics
- 1 Post
Last activity: 8 hours ago
Fediverse
Apache Tomcat has a CVE-2026-24733 vulnerability that allows attackers to bypass security constraints via HTTP/0.9 requests when specific access-control rules are configured. This issue requires a particular configuration where HEAD requests are allowed but GET requests are denied, and an attacker must be able to send crafted HTTP/0.9 traffic.
https://cybersecuritynews.com/apache-tomcat-bypass-vulnerabilities/
Overview
- scadaapp
- scadaApp for iOS
18 Feb 2026
Published
19 Feb 2026
Updated
CVSS v4.0
MEDIUM (4.6)
EPSS
0.03%
KEV
Description
ScadaApp for iOS 1.1.4.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer in the Servername field. Attackers can paste a 257-character buffer during login to trigger an application crash on iOS devices.
Statistics
- 1 Post
Last activity: 17 hours ago
Overview
- Acronis
- Acronis Cyber Protect 16
20 Feb 2026
Published
20 Feb 2026
Updated
CVSS v3.0
CRITICAL (10.0)
EPSS
0.02%
KEV
Description
Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
Statistics
- 1 Post
Last activity: 5 hours ago
Overview
- NaturalIntelligence
- fast-xml-parser
19 Feb 2026
Published
19 Feb 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.05%
KEV
Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.
Statistics
- 1 Post
Last activity: 9 hours ago
Overview
Description
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
Statistics
- 1 Post
Last activity: 9 hours ago
Fediverse
Rapid weaponization of SmarterMail flaws exposed through underground Telegram channels. Just days after CVE-2026-24423 and CVE-2026-23760 were disclosed, exploit PoCs and stolen admin credentials were shared among these communities, highlighting the urgent need for...
Read more: https://steelefortress.com/dlk923
Overview
Description
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE:Â SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
Statistics
- 1 Post
Last activity: 9 hours ago
Fediverse
Rapid weaponization of SmarterMail flaws exposed through underground Telegram channels. Just days after CVE-2026-24423 and CVE-2026-23760 were disclosed, exploit PoCs and stolen admin credentials were shared among these communities, highlighting the urgent need for...
Read more: https://steelefortress.com/dlk923