Common Vulnerabilities and Exposures (CVE)

CVE-2026-27169

Feb 20, 2026 23:51:45 UTC

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below render untrusted user/model content in chat tool UI surfaces using unsafe HTML interpolation patterns, le...

CVE-2026-27168

Feb 20, 2026 23:34:54 UTC

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The v...

CVE-2026-27203

Feb 20, 2026 23:30:46 UTC

eBay API MCP Server is an open source local MCP server providing AI assistants with comprehensive access to eBay's Sell APIs. All versions are vulnerable to Environment Variable Injection through the updateEnvFile function. The ebay_set_use...

CVE-2026-27202

Feb 20, 2026 23:26:23 UTC

GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication.

CVE-2025-68461

Feb 20, 2026 23:20:24 UTC

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site Scripting (XSS) vulnerability via the animate tag in an SVG document.

CVE-2025-49113

Feb 20, 2026 23:20:24 UTC

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

CVE-2026-27161

Feb 20, 2026 23:19:08 UTC

GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared ...

CVE-2026-27147

Feb 20, 2026 23:14:00 UTC

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sani...

CVE-2026-27146

Feb 20, 2026 23:10:09 UTC

GetSimple CMS is a content management system. No version of GetSimple CMS implements CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file u...

CVE-2026-27134

Feb 20, 2026 23:05:04 UTC

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions 0.49.0 through 0.50.0, when using a custom Cluster or Clients CA with a multistage CA chain consisting of mu...

CVE-2026-2333

Feb 20, 2026 23:04:22 UTC

Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.

CVE-2026-26093

Feb 20, 2026 23:04:14 UTC

Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.

CVE-2026-26095

Feb 20, 2026 23:04:03 UTC

Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.

CVE-2026-26096

Feb 20, 2026 23:03:54 UTC

Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.

CVE-2026-26097

Feb 20, 2026 23:03:43 UTC

Uncontrolled Search Path Element in Owl opds 2.2.0.4 allows Leveraging/Manipulating Configuration File Search Paths via a crafted network request.