Total
2704 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-24780 | 1 Agpt | 1 Autogpt Platform | 2026-02-17 | N/A | 8.8 HIGH | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both the main web API and the external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix. |
| CVE-2026-26012 | 1 Dani-garcia | 1 Vaultwarden | 2026-02-13 | N/A | 6.5 MEDIUM | vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3. |
| CVE-2026-25924 | 1 Kanboard | 1 Kanboard | 2026-02-13 | N/A | 8.4 HIGH | Kanboard is project management software focused on the Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50. |
| CVE-2023-31726 | 1 Alistgo | 1 Alist | 2026-02-13 | N/A | 7.5 HIGH | AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information. |
| CVE-2026-20624 | 1 Apple | 1 Macos | 2026-02-13 | N/A | 5.5 MEDIUM | An injection issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.4, macOS Tahoe 26.3, macOS Sonoma 14.8.4. An app may be able to access sensitive user data. |
| CVE-2026-20960 | 1 Microsoft | 1 Power Apps | 2026-02-12 | N/A | 8.0 HIGH | Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network. |
| CVE-2025-70997 | 1 Eladmin | 1 Eladmin | 2026-02-12 | N/A | 6.5 MEDIUM | A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows an arbitrary user password reset under any user permission level. |
| CVE-2026-26031 | 1 Frappe | 1 Learning | 2026-02-12 | N/A | 5.3 MEDIUM | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, a security issue was identified in Frappe Learning where unauthorised users were able to access the full list of enrolled students (by email) in batches. This vulnerability is fixed in 2.44.0. |
| CVE-2025-15395 | 1 Ibm | 1 Jazz Foundation | 2026-02-11 | N/A | 4.3 MEDIUM | IBM Jazz Foundation 7.0.3 through 7.0.3 iFix019 and 7.1.0 through 7.1.0 iFix005 is vulnerable to access control violations that allow users to view or access/perform actions beyond their expected capability. |
| CVE-2025-66719 | 1 Free5gc | 1 Nrf | 2026-02-11 | N/A | 9.1 CRITICAL | An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope. |
| CVE-2026-25875 | 1 Prasklatechnology | 1 Placipy | 2026-02-11 | N/A | 9.8 CRITICAL | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification. |
| CVE-2026-1734 | 1 Crmeb | 1 Crmeb | 2026-02-11 | 5.0 MEDIUM | 5.3 MEDIUM | A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-1553 | 1 Drupal Canvas Project | 1 Drupal Canvas | 2026-02-11 | N/A | 4.8 MEDIUM | Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing. This issue affects Drupal Canvas: from 0.0.0 before 1.0.4. |
| CVE-2026-2208 | 1 Wekan Project | 1 Wekan | 2026-02-11 | 4.0 MEDIUM | 4.3 MEDIUM | A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded. |
| CVE-2026-25561 | 1 Wekan Project | 1 Wekan | 2026-02-10 | N/A | 7.5 HIGH | WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships. |
| CVE-2026-25565 | 1 Wekan Project | 1 Wekan | 2026-02-10 | N/A | 6.5 MEDIUM | WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access. |
| CVE-2026-25568 | 1 Wekan Project | 1 Wekan | 2026-02-10 | N/A | 4.3 MEDIUM | WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement. |
| CVE-2026-25859 | 1 Wekan Project | 1 Wekan | 2026-02-10 | N/A | 8.8 HIGH | Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations. |
| CVE-2025-15342 | 1 Tanium | 1 Reputation | 2026-02-10 | N/A | 4.3 MEDIUM | Tanium addressed an improper access controls vulnerability in Reputation. |
| CVE-2026-1897 | 1 Wekan Project | 1 Wekan | 2026-02-10 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component. |
