Open Redirects: A Forgotten Vulnerability?
Published: 2026-02-24
Last Updated: 2026-02-24 18:04:01 UTC
by Johannes Ullrich (Version: 1)
In 2010, OWASP added "Unvalidated Redirects and Forwards" to its Top 10 list and merged it into "Sensitive Data Exposure" in 2013 [owasp1] [owasp2]. Open redirects are often overlooked, and their impact is not always well understood. At first glance, an open redirect does not look like a big deal: the user receives a 3xx status code and is redirected to another URL. That target URL should handle all authentication and access control, regardless of where the request came from.
Historically, one of the main concerns was phishing: a user clicks on a link to a trusted URL and is immediately redirected to a malicious phishing page. The issue becomes trickier if trusted data sent via the URL is forwarded to an untrusted destination with minimal user interaction. The vulnerability has become more important with the ubiquitous use of OAuth, which relies on "redirect URLs" to pass the authorization code or token from the authorization server back to the client. Best practice requires allowlisting specific URL patterns for the redirect URL, but an open redirect within the allowlisted URL range may be used to subvert the token.
Recently, our honeypots have detected an increase in scans for various redirect-related URLs. For example, ...
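As an added illustration (not code from the diary), here are the two checks a practitioner wants for the two cases above: a validator that only accepts same-site paths for a classic `?next=` parameter, and an exact-match redirect_uri check for OAuth next to the prefix match it should replace. The hostnames, the `REGISTERED` allowlist, the `HIJACK` URL and the function names are assumptions made for this example.

```python
"""Redirect-target validation (added example, not the diary's code).

safe_redirect_target() hardens the classic ?next= open redirect.
oauth_redirect_allowed() / oauth_redirect_allowed_by_prefix() contrast
exact-string matching of an OAuth redirect_uri with prefix matching,
which lets an open redirect on the allowlisted host leak the code.
All hostnames below are illustrative.
"""
import re
from urllib.parse import urlsplit

# A same-site target is exactly one leading slash (not "//" or "/\",
# which browsers treat as scheme-relative), no scheme, no control or
# whitespace characters, and no backslashes (browsers normalise "\" to "/").
_LOCAL_PATH = re.compile(r"^/(?![/\\])[^\x00-\x20\x7f\\]*$")


def safe_redirect_target(next_param, default="/"):
    """Return next_param if it is a same-site path, otherwise default."""
    if not next_param:
        return default
    # Check the raw string first: urlsplit() silently strips tabs and
    # newlines, so "/\t/evil.example" would otherwise look local.
    if not _LOCAL_PATH.match(next_param):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:  # belt and braces
        return default
    return next_param


# Hypothetical registered OAuth client redirect URI (assumption).
REGISTERED = ("https://app.example.com/oauth/callback",)

# Attacker-supplied redirect_uri: shares the registered prefix, but the
# browser resolves "../.." and lands on a hypothetical open redirect on the
# allowlisted host, which forwards the appended ?code= to evil.example.
HIJACK = (
    "https://app.example.com/oauth/callback/../../logout"
    "?next=https://evil.example/"
)


def oauth_redirect_allowed(redirect_uri, registered=REGISTERED):
    """Exact-string comparison, as the OAuth 2.0 Security BCP recommends."""
    return redirect_uri in registered


def oauth_redirect_allowed_by_prefix(redirect_uri, registered=REGISTERED):
    """The weak check: anything under a registered prefix is accepted."""
    return any(redirect_uri.startswith(r) for r in registered)


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example/", "/\\evil.example",
                      "https://evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:28} -> {safe_redirect_target(candidate)!r}")
    print("exact :", oauth_redirect_allowed(HIJACK))
    print("prefix:", oauth_redirect_allowed_by_prefix(HIJACK))
```

The order of the two checks in `safe_redirect_target` matters: the regex runs on the raw string because `urlsplit` normalises away tab and newline characters before parsing, which is exactly the trick scanners use to smuggle a scheme-relative `//host` past a parser-only check.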
Read the full entry: https://isc.sans.edu/diary/Open+Redirects+A+Forgotten+Vulnerability/32742/
Another day, another malicious JPEG
Published: 2026-02-23
Last Updated: 2026-02-23 14:26:39 UTC
by Jan Kopriva (Version: 1)
In his last two diaries, Xavier discussed recent malware campaigns that download JPEG files with an embedded malicious payload. At that point, I had not come across the malicious “MSI image” myself, but while going over malware samples caught by one of my customer’s e-mail proxies during the last week, I found another campaign in which the same technique was used.
Xavier already discussed how the final portion of the payload embedded in the JPEG was employed, but since the campaign he came across used a batch downloader as the first stage, and the one I found employed JScript instead, I thought it might be worthwhile to look at the first part of the infection chain in more detail and discuss a few tips and tricks that may ease the analysis of malicious scripts along the way.
To that end, we should start with the e-mail to which the JScript file (in a GZIP “envelope”) was attached.
The e-mail had a spoofed sender address to make it look like it came from a legitimate Czech company, and its body contained that organization’s logo, so at first glance it might have looked somewhat trustworthy. Nevertheless, this would only hold if the message passed the usual SPF/DMARC checks, which it did not; most e-mail servers would therefore probably have quarantined it regardless of the malicious attachment.
As already mentioned, the attachment was a JScript file, and quite a large one, “weighing in” at 1.17 MB. The large file size was caused by a first layer of obfuscation: the script contained 17,222 lines, of which 17,188 were identical, as you can see in the following image ...
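As an added example (not the diary’s own code, and not the actual attachment), here is the kind of triage pass that a padded script of this shape calls for: unwrap the GZIP envelope, count identical lines, and drop any line that repeats more than a threshold so that the handful of real statements stands out. The sample script is constructed inside the code; the filler line, the three statements, the URL and the line counts are placeholders chosen to mirror the shape described above, not content from the real sample.

```python
"""Strip line-padding obfuscation from a gzipped JScript attachment.

Added example, not code from the diary. The attachment below is
constructed: a few stand-in statements buried under thousands of copies
of one junk line, then gzipped the way the real one was delivered.
"""
import gzip
from collections import Counter

# Constructed filler and stand-in "real" statements (placeholders).
FILLER = "var pad_0x1f = 'noise';"
REAL_LINES = [
    "var sh = new ActiveXObject('WScript.Shell');",
    "var src = 'hxxp://example.invalid/image.jpg';",
    "sh.Run('cmd /c echo stage-two', 0, false);",
]


def build_sample(filler_count=17_188):
    """Build the constructed attachment: filler_count identical lines with
    the real statements scattered among them, gzip-compressed."""
    lines = [FILLER] * filler_count
    step = filler_count // (len(REAL_LINES) + 1)
    for i, stmt in enumerate(REAL_LINES):
        lines.insert((i + 1) * step, stmt)
    return gzip.compress("\r\n".join(lines).encode("utf-8"))


def unwrap_gzip(blob):
    """Remove the GZIP envelope and decode the script text."""
    return gzip.decompress(blob).decode("utf-8", errors="replace")


def strip_padding(script, min_repeats=50):
    """Drop every non-empty line that occurs at least min_repeats times.

    Returns (cleaned_script, stats). stats records the original line
    count, how many lines were removed and which lines were treated
    as padding, so the analyst can eyeball what was thrown away.
    """
    lines = script.splitlines()
    counts = Counter(line.strip() for line in lines)
    padding = {text for text, n in counts.items() if text and n >= min_repeats}
    kept = [line for line in lines if line.strip() not in padding]
    stats = {
        "total": len(lines),
        "removed": len(lines) - len(kept),
        "padding_lines": sorted(padding),
    }
    return "\n".join(kept), stats


if __name__ == "__main__":
    text = unwrap_gzip(build_sample())
    cleaned, stats = strip_padding(text)
    print(f"{stats['total']} lines, {stats['removed']} removed as padding")
    print(cleaned)
```

The threshold is deliberately crude: a legitimate script rarely repeats one statement fifty times verbatim, while padding layers repeat it thousands of times, so frequency alone separates the two and leaves the residual for the next deobfuscation step.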
Read the full entry: https://isc.sans.edu/diary/Another+day+another+malicious+JPEG/32738/
Under the Hood of DynoWiper
Published: 2026-02-19
Last Updated: 2026-02-19 19:43:30 UTC
by John Moutos (Version: 1)
[This is a Guest Diary contributed by John Moutos]
Overview
In this post, I go over my analysis of DynoWiper, a wiper family discovered during attacks against Polish energy companies in late December 2025. ESET Research and CERT Polska have linked the activity and the supporting malware to infrastructure and tradecraft associated with Russian state-aligned threat actors, with ESET assessing the campaign as consistent with operations attributed to the Russian APT Sandworm, which is notorious for attacks on Ukrainian companies and infrastructure, with major incidents in 2015, 2016, 2017, 2018, and 2022. For more insight into Sandworm, or into the chain of compromise leading up to the deployment of DynoWiper, ESET and CERT Polska have published their findings in great detail, and I highly recommend reading them for context.
IOCs
The sample analyzed in this post is a 32-bit Windows executable, and is version A of DynoWiper ...
Initial Inspection
To start, I ran the binary straight through DIE (Detect It Easy) to catch any quick wins regarding packing or obfuscation, but this sample does not appear to use either (unsurprising for wiper malware). To IDA we go! ...
Read the full entry: https://isc.sans.edu/diary/Under+the+Hood+of+DynoWiper/32730/
Japanese-Language Phishing Emails (2026.02.21)
https://isc.sans.edu/diary/JapaneseLanguage+Phishing+Emails/32734/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-22769 - Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 has a critical hardcoded credential vulnerability that can be exploited by unauthenticated remote attackers for unauthorized access to the system.
Product: Dell RecoverPoint For Virtual Machines
CVSS Score: 10.0
** KEV since 2026-02-18 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22769
NVD References:
- https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22769
CVE-2025-49113 - Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 is vulnerable to remote code execution by authenticated users due to unvalidated _from parameter in upload.php, allowing PHP Object Deserialization.
Product: Roundcube Webmail
CVSS Score: 0
** KEV since 2026-02-20 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49113
ISC Podcast: https://isc.sans.edu/podcastdetail/9822
CVE-2026-26119 - Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
Product: Microsoft Windows Admin Center
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26119
ISC Podcast: https://isc.sans.edu/podcastdetail/9816
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26119
CVE-2026-2329 - Grandstream GXP series devices are vulnerable to unauthenticated remote code execution due to a stack-based buffer overflow in the /cgi-bin/api.values.get HTTP API endpoint.
Product: Grandstream GXP series
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2329
ISC Podcast: https://isc.sans.edu/podcastdetail/9818
NVD References: https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed
CVE-2026-25755 - jsPDF prior to 4.2.0 allows an attacker to inject arbitrary PDF objects via the `addJS` method, potentially leading to execution of malicious actions or alteration of document structure.
Product: Parall jsPDF
CVSS Score: 8.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25755
ISC Podcast: https://isc.sans.edu/podcastdetail/9822
CVE-2026-22208 - OpenS100 has a remote code execution vulnerability due to an unrestricted Lua interpreter, allowing attackers to execute arbitrary commands with the privileges of the OpenS100 process.
Product: OpenCPN OpenS100
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22208
CVE-2025-70830 - Datart v1.0.0-rc.3 is vulnerable to a Server-Side Template Injection (SSTI) in the Freemarker template engine, allowing authenticated attackers to execute arbitrary code by injecting crafted syntax into the SQL script field.
Product: Datart Freemarker template engine
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70830
CVE-2026-23647 - Glory RBG-100 recycler systems using the ISPK-08 software component have hard-coded operating system credentials, allowing unauthorized remote access with elevated privileges.
Product: Glory RBG-100 recycler systems
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23647
CVE-2026-1670 - Honeywell CCTV Products are vulnerable to an unauthenticated API endpoint exposure, potentially enabling remote changes to the "forgot password" recovery email address.
Product: Honeywell CCTV Products
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1670
NVD References:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-04
- https://www.honeywell.com/us/en/contact/support
CVE-2026-1435 - Graylog Web Interface, version 2.2.3, has a vulnerability where session invalidation is not properly handled, allowing attackers to reuse stolen session tokens to gain unauthorized access.
Product: Graylog Web Interface
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1435
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog
CVE-2025-65791 - ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function.
Product: ZoneMinder
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65791
CVE-2025-70998 - UTT HiPER 810 / nv810v4 router firmware v1.5.0-140603 has insecure default credentials for telnet, potentially enabling remote root access.
Product: UTT HiPER 810 / nv810v4 router firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70998
CVE-2025-70141 - SourceCodester Customer Support System 1.0 has a flaw in ajax.php that allows unauthenticated remote attackers to execute administrative actions without proper authentication or authorization, leading to unauthorized data manipulation.
Product: Oretnom23 Customer Support System
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70141
CVE-2025-70146 - ProjectWorlds Online Time Table Generator 1.0 is vulnerable to missing authentication in multiple administrative action scripts, allowing remote attackers to perform unauthorized administrative operations via direct HTTP requests.
Product: Projectworlds Online Time Table Generator
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70146
CVE-2025-70149 & CVE-2025-70150 - Vulnerabilities in CodeAstro Membership Management System 1.0.
Product: CodeAstro Membership Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70149 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70150 (missing authorization)
CVE-2025-70152 - code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in admin user management endpoints due to lack of authentication checks and direct concatenation of user-supplied parameters into SQL queries.
Product: Community Project Scholars Tracking System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70152
CVE-2026-0573 - GitHub Enterprise Server was vulnerable to a URL redirection flaw that could allow attackers to leak sensitive authorization tokens and potentially achieve remote code execution.
Product: Github Enterprise Server
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0573
CVE-2019-25360 - Aida64 Engineer 6.10.5200 is vulnerable to a buffer overflow in CSV logging, allowing attackers to execute malicious code via crafted payloads in a specially designed log file.
Product: Aida64 Engineer
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25360
CVE-2019-25361 - Ayukov NFTP client 1.71 is vulnerable to a buffer overflow in the SYST command, enabling remote attackers to execute arbitrary code via a specially crafted payload.
Product: Ayukov NFTP client 1.71
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25361
CVE-2019-25362 - WMV to AVI MPEG DVD WMV Convertor 4.6.1217 is vulnerable to a buffer overflow that allows attackers to execute arbitrary code by manipulating license fields.
Product: WMV to AVI MPEG DVD WMV Convertor
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25362
CVE-2019-25364 - MailCarrier 2.51 is vulnerable to a buffer overflow in the POP3 USER command, allowing remote attackers to execute arbitrary code.
Product: Mailcarrier
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25364
CVE-2019-25365 - ChaosPro 2.0 has a buffer overflow vulnerability in its configuration file path handling, allowing attackers to execute arbitrary code via a crafted configuration file on Windows XP systems.
Product: ChaosPro
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25365
CVE-2026-27174, CVE-2026-27175, & CVE-2026-27180 - Multiple vulnerabilities in MajorDoMo
Product: MajorDoMo
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27174 (code injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27175 (OS command injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27180 (download of code without integrity check)
CVE-2026-25548 - InvoicePlane version 1.7.0 is vulnerable to a critical Remote Code Execution flaw through a chained LFI and log poisoning attack, allowing authenticated administrators to execute system commands by pointing the `public_invoice_template` setting at a poisoned log file; a patch is available in version 1.7.1.
Product: InvoicePlane
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25548
CVE-2026-2686 - SECCN Dingcheng G10 3.1.0.181203 is vulnerable to OS command injection via the User argument in /cgi-bin/session_login.cgi; the attack can be launched remotely, and the exploit has been publicly disclosed.
Product: SECCN Dingcheng G10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2686
CVE-2026-25242 - Gogs, an open source self-hosted Git service, has unauthenticated file upload endpoints in versions 0.13.4 and below, potentially enabling remote users to abuse the instance as a public file host or deliver malware.
Product: Gogs
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25242
CVE-2025-12107 - A third-party Velocity template engine in WSO2 Identity Server version 5.11.0 allows a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution and unauthorized access to sensitive information.
Product: WSO2 Identity Server version 5.11.0
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12107
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4517/
CVE-2025-13590 - Authenticated arbitrary file upload vulnerability in multiple WSO2 products allows a malicious actor to perform Remote Code Execution by uploading a specially crafted payload.
Product: WSO2 API Control Plane; WSO2 API Manager; WSO2 Traffic Manager; WSO2 Universal Gateway
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13590
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/
CVE-2025-15559 - NesterSoft WorkTime allows unauthenticated attackers to inject OS commands through the server API endpoint, giving them the ability to execute arbitrary commands on the server as NT Authority\SYSTEM.
Product: NesterSoft WorkTime
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15559
CVE-2025-8350 - BiEticaret CMS is vulnerable to authentication bypass, HTTP response splitting, execution after redirect, and missing authentication for critical functions.
Product: Inrove Software and Internet Services BiEticaret CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8350
CVE-2025-9953 - DATABASE Software Training Consulting Ltd. Databank Accreditation Software, in versions through 19022026, allows unauthorized users to bypass authorization controls via SQL Injection in primary keys.
Product: Software Training Consulting Ltd. Databank Accreditation Software
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9953
CVE-2025-55853 - SoftVision webPDF before 10.0.2 is vulnerable to SSRF due to lack of protocol validation in the PDF converter function, allowing for potential internal port scanning and LFI attacks.
Product: SoftVision webPDF
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55853
CVE-2025-71243 - The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 is vulnerable to critical Remote Code Execution (RCE), allowing attackers to execute arbitrary code on the server, prompting users to update to version 5.11.1 or later immediately.
Product: SPIP Saisies pour formulaire
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-71243
CVE-2025-69674 - CDATA FD614GS3-R850 V3.2.7_P161006 (Build.0333.250211) is susceptible to buffer overflow, enabling remote attackers to execute arbitrary code through specific parameters.
Product: CDATA FD614GS3-R850
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69674
CVE-2026-24834 - Kata Containers, an open source project for lightweight VMs, had a vulnerability in Cloud Hypervisor allowing a user to achieve arbitrary code execution as root in the Guest micro VM.
Product: Kata Containers
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24834
CVE-2026-26030 - Semantic Kernel, Microsoft's Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4 related to the `InMemoryVectorStore` filter, which can be mitigated by updating to version `python-1.39.4` or higher and avoiding the use of `InMemoryVectorStore` for production purposes.
Product: Microsoft Semantic Kernel Python SDK
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26030
CVE-2026-26339 - Hyland Alfresco Transformation Service is vulnerable to argument injection, enabling unauthenticated attackers to execute remote code via the document processing functionality.
Product: Hyland Alfresco Transformation Service
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26339
CVE-2025-67304 & CVE-2025-67305 - Vulnerabilities in Ruckus Network Director (RND)
Product: Ruckus Network Director (RND)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67304 (hard-coded credentials)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67305 (hard-coded cryptographic key)
CVE-2026-27476 - RustFly 2.0.0 is vulnerable to command injection via hex-encoded payloads sent through UDP port 5005, allowing attackers to execute system commands and gain control of the target system.
Product: RustFly 2.0.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27476
CVE-2026-27002 - OpenClaw's Docker tool sandbox prior to version 2026.2.15 is vulnerable to configuration injection issues that could allow for dangerous Docker options to be applied, enabling container escape or host data access.
Product: OpenClaw
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27002
CVE-2026-26064 & CVE-2026-26065 - Path Traversal vulnerabilities in Calibre versions 9.2.1 and below.
Product: Calibre ebook manager
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26064
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26065
ISC Podcast: https://isc.sans.edu/podcastdetail/9822
CVE-2026-26980 - Ghost is vulnerable to unauthenticated attackers performing arbitrary reads from the database in versions 3.24.0 through 6.19.0, fixed in version 6.19.1.
Product: Ghost
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26980
CVE-2026-26988 - LibreNMS is vulnerable to SQL Injection in versions 25.12.0 and below through the ajax_table.php endpoint, allowing attackers to execute arbitrary SQL commands and potentially access or manipulate the database.
Product: LibreNMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26988
CVE-2025-10970 - Talentics by Kolay Software Inc. is susceptible to Blind SQL Injection via improper neutralization of special elements in SQL commands up to version 20022026.
Product: Kolay Software Inc. Talentics
CVSS Score: 9.8
CVE-2025-70831 & CVE-2025-70833 - Vulnerabilities in Smanga 3.2.7.
Product: Smanga 3.2.7
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70831 (OS command injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70833 (authentication bypass)
CVE-2026-25715 - Jinan USR IOT Technology Limited (PUSR) USR-W610 allows for blank administrator credentials to be set, enabling unauthorized users to gain full control without authentication.
Product: Jinan USR IOT Technology Limited (PUSR) USR-W610
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25715
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03
CVE-2026-26722 - Key Systems Inc Global Facilities Management Software v.20230721a is vulnerable to privilege escalation via the PIN component of the login functionality.
Product: Key Systems Inc Global Facilities Management Software
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26722
CVE-2026-26725 - Edu Business Solutions Print Shop Pro WebDesk v.18.34 is vulnerable to a remote privilege escalation exploit via the AccessID parameter.
Product: Edu Business Solutions Print Shop Pro WebDesk
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26725
CVE-2026-26747 - Monica 4.1.2 is vulnerable to Host Header Poisoning due to mishandling of the HTTP Host header, allowing attackers to poison password reset links.
Product: Monica 4.1.2
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26747
CVE-2021-35402 - PROLiNK PRC2402M 20190909 before 2021-06-13 allows live_api.cgi?page=satellite_list OS command injection via shell metacharacters in the ip parameter (for satellite_status).
Product: PROLiNK PRC2402M
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-35402
CVE-2026-25896 - Fast-xml-parser prior to version 5.3.5 allows attackers to shadow built-in XML entities with arbitrary values, leading to XSS due to improper handling of dots in DOCTYPE entity names.
Product: fast-xml-parser
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25896
CVE-2019-25441 - Thesystem 1.0 has a command injection vulnerability that lets unauthenticated attackers run arbitrary system commands by sending malicious input to the run_command endpoint.
Product: Thesystem 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25441
CVE-2026-2038 & CVE-2026-2039 - GFI Archiver authentication bypass vulnerabilities
Product: GFI Archiver
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2038
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2039
NVD References:
- https://www.zerodayinitiative.com/advisories/ZDI-26-075/
- https://www.zerodayinitiative.com/advisories/ZDI-26-077/
CVE-2026-27194 - D-Tale versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint, allowing attackers to run malicious code on the server if hosted publicly.
Product: D-Tale
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27194
CVE-2026-27197 - Sentry versions 21.12.0 through 26.1.0 are vulnerable to an attack that allows an attacker to take over user accounts through a malicious SAML Identity Provider on the same instance, fixed in version 26.2.0, with a workaround of enabling user account-based two-factor authentication.
Product: Sentry
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27197
CVE-2026-27211 - Cloud Hypervisor is vulnerable to arbitrary host file exfiltration through virtio-block devices backed by raw images, allowing a malicious guest to access sensitive host paths.
Product: Cloud Hypervisor
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27211
CVE-2026-27471 - ERP had a vulnerability in certain versions which allowed for unauthorized document access, but has been fixed in newer versions.
Product: ERP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27471
CVE-2026-27574 - OneUptime exposes a critical security flaw in versions 9.5.13 and below, allowing any anonymous user to easily achieve full cluster compromise in about 30 seconds.
Product: OneUptime
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27574
CVE-2026-2588 - Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems due to a casting error in Sodium.xs.
Product: Crypt::NaCl::Sodium
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2588
CVE-2026-24494 - Order Up Online Ordering System 1.0 is vulnerable to SQL Injection through the /api/integrations/getintegrations endpoint, allowing unauthorized access to sensitive database data.
Product: Order Up Online Ordering System 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24494
CVE-2026-23552 - Apache Camel's Camel-Keycloak KeycloakSecurityPolicy component is vulnerable to Cross-Realm Token Acceptance Bypass, where JWT tokens from one realm can bypass the policy configured for a different realm, impacting tenant isolation.
Product: Apache Camel-Keycloak
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23552
NVD References: https://camel.apache.org/security/CVE-2026-23552.html
CVE-2025-70043 - Ayms node-To master has an improper certificate validation issue that disables TLS/SSL certificate validation.
Product: Ayms node-To master
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70043
CVE-2026-23693 - ElementsKit Lite (elementskit-lite) WordPress plugin versions prior to 3.7.9 allow unauthenticated attackers to abuse the /wp-json/elementskit/v1/widget/mailchimp/subscribe endpoint as an open proxy to trigger unauthorized Mailchimp API calls and manipulate subscription data.
Product: ElementsKit ElementsKit Lite
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23693
CVE-2024-58041 - Smolder versions through 1.51 for Perl rely on the insecure rand() function for cryptographic functions.
Product: Smolder versions through 1.51 for Perl
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-58041
CVE-2025-13942 - Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 is vulnerable to command injection through UPnP SOAP requests.
Product: Zyxel EX3510-B0 firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13942
CVE-2026-26198 - Ormar is vulnerable to SQL injection when performing aggregate queries in versions 0.9.9 through 0.22.0, allowing unauthorized users to read the entire database contents by injecting a subquery as the column parameter.
Product: Ormar async mini ORM for Python
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26198
CVE-2025-40538 through CVE-2025-40541 - Multiple vulnerabilities in SolarWinds Serv-U, including a broken access control issue that allows an attacker to create a system admin user and execute arbitrary code with domain admin privileges.
Product: Solarwinds Serv-U
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40538 (broken access control vulnerability)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40539 (type confusion vulnerability)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40540 (type confusion vulnerability)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40541 (Insecure Direct Object Reference (IDOR) vulnerability)
NVD References: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40538
NVD References: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40539
NVD References: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40540
NVD References: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40541
CVE-2026-27208 - bleon-ethical/api-gateway-deploy version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Privilege Escalation, enabling an attacker to execute arbitrary commands with root privileges and potentially escape the container and make unauthorized infrastructure alterations, fixed in version 1.0.1 with input sanitization, user enforcement, and security quality gates.
Product: bleon-ethical api-gateway-deploy
CVSS Score: 9.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27208
CVE-2026-27507 & CVE-2026-27515 - Vulnerabilities in Binardat 10G08-0800GSM network switch firmware.
Product: Binardat 10G08-0800GSM network switch firmware
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27507 (hard-coded administrative credentials)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27515 (use of insufficiently random values)
CVE-2026-21410 & CVE-2026-22553 - Vulnerabilities in InSAT MasterSCADA BUK-TS.
Product: InSAT MasterSCADA BUK-TS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21410 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22553 (OS command injection)
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01
CVE-2026-27593 - Statamic has a vulnerability in its password reset feature that allows an attacker to reset a user's password if the user clicks on a malicious reset link.
Product: Statamic Laravel-powered content management system (CMS)
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27593
CVE-2026-24849 - OpenEMR versions prior to 7.0.4 allow authenticated users to read arbitrary files from the server filesystem, posing a risk to sensitive data.
Product: OpenEMR
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24849
CVE-2026-27614 - Bugsink allows for JavaScript injection by unauthenticated attackers prior to version 2.0.13, potentially allowing privilege escalation upon administrator UI interaction.
Product: Bugsink self-hosted error tracking tool
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27614
CVE-2026-27626 - OliveTin allows for unauthenticated remote code execution through two separate vectors, including injecting shell metacharacters via a `password`-typed argument and bypassing type safety checks with webhook-extracted JSON values.
Product: OliveTin
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27626
CVE-2026-27822 - RustFS Console in versions prior to 1.0.0-alpha.83 is vulnerable to Stored Cross-Site Scripting (XSS) that can lead to full system compromise.
Product: RustFS Console
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27822
CVE-2026-27597 - Enclave allowed for remote code execution due to security boundary escape prior to version 2.11.1.
Product: Enclave
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27597
CVE-2026-27637 - FreeScout allows for full account takeover due to a predictable authentication token vulnerability.
Product: FreeScout
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27637
CVE-2026-27641 - Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through SSTI, patched in version 1.5.0 with workarounds available.
Product: Flask-Reuploaded
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27641
CVE-2026-25903 - Apache NiFi 1.1.0 through 2.7.2 is vulnerable to missing authorization when updating configuration properties on extension components with specific Required Permissions based on the Restricted annotation.
Product: Apache NiFi
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25903
ISC Podcast: https://isc.sans.edu/podcastdetail/9814
NVD References: https://lists.apache.org/thread/jf6bkt9sk6xvshy8xyxv3vtlxd340345
CVE-2025-65715 - Visual Studio Code Extensions Code Runner v0.12.2 is vulnerable to code execution by attackers via a crafted workspace in the code-runner.executorMap setting.
Product: Visual Studio Code Extensions Code Runner
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65715
ISC Podcast: https://isc.sans.edu/podcastdetail/9818
CVE-2025-65716 - Visual Studio Code Extensions Markdown Preview Enhanced v0.8.18 is vulnerable to arbitrary code execution through uploading a crafted .Md file.
Product: Visual Studio Code Markdown Preview Enhanced
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65716
ISC Podcast: https://isc.sans.edu/podcastdetail/9818
CVE-2025-65717 - Visual Studio Code Extensions Live Server v5.7.9 allows attackers to steal files through manipulated user interaction with HTML pages.
Product: Visual Studio Code Live Server
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65717
ISC Podcast: https://isc.sans.edu/podcastdetail/9818
CVE-2026-1937 - The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation, allowing authenticated attackers with Shop Manager-level access and above to update arbitrary options and potentially gain administrative user access.
Product: YayMail WooCommerce Email Customizer plugin
Active Installations: 50,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1937
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/5a17ded3-340d-494f-be7e-2550dab360bc?source=cve
CVE-2025-12882 - The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to gain elevated privileges.
Product: WordPress Clasifico Listing plugin
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12882
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/70fb90f0-1ca4-41fe-8638-cdd05747adae?source=cve
CVE-2025-13563 - The Lizza LMS Pro plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to gain administrator access.
Product: Lizza LMS Pro plugin for WordPress
Active Installations: Unknown. Update to version 1.0.4, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13563
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b113f475-3133-4ea3-9152-03bb84d79307?source=cve
CVE-2025-13851 - The Buyent Classified plugin for WordPress (bundled with Buyent theme) up to version 1.0.7 allows unauthenticated attackers to register administrator accounts via the REST API endpoint, leading to privilege escalation.
Product: Buyent Classified plugin for WordPress
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13851
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e618cf-dd77-45a7-ab57-5732fd329883?source=cve
CVE-2026-1405 - The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to 1.0.5, allowing unauthenticated attackers to potentially achieve remote code execution.
Product: WordPress Slider Future plugin
Active Installations: This plugin has been closed as of February 17, 2026 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1405
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/34b52ca2-c05f-49b7-846f-a67136d7d379?source=cve
CVE-2026-1994 - The s2Member plugin for WordPress allows for privilege escalation through account takeover, potentially granting unauthorized users access to administrator accounts.
Product: WordPress s2Member plugin
Active Installations: 9,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1994
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6c31cf92-26b7-484d-8c93-ce241d655d07?source=cve
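The WordPress entries above fall into two patterns: a privileged-but-not-admin user updating arbitrary options (YayMail), and an unauthenticated REST endpoint creating accounts with a client-chosen or tampered role (Buyent Classified, and the account-takeover cases). The added Python example below models both against an in-memory stand-in for a site; it is not WordPress or plugin code, and the option-to-registration chain (set `default_role` to administrator, open registration, self-register) is the generic escalation path such option-write bugs enable, not a claim about any specific plugin's internals. The `CAPS` map, `PLUGIN_OPTIONS` allowlist, `Site` class and handler names are assumptions made for the example.

```python
import json

# Constructed in-memory stand-in for a WordPress site (added illustration, not
# WordPress or plugin code): users with roles, the site options table, and a
# minimal capability map. Which role holds which capability is an assumption.
CAPS = {
    "administrator": {"manage_options", "edit_users", "manage_woocommerce"},
    "shop_manager": {"manage_woocommerce"},
    "subscriber": set(),
}
# Hypothetical allowlist of the option names this plugin legitimately owns.
PLUGIN_OPTIONS = {"example_mailer_template", "example_mailer_logo"}


class Site:
    def __init__(self):
        self.options = {"users_can_register": False, "default_role": "subscriber"}
        self.users = {"admin": {"login": "admin", "role": "administrator"}}

    def can(self, login, capability):
        user = self.users.get(login)
        return user is not None and capability in CAPS.get(user["role"], set())


def update_option_vulnerable(site, caller, name, value):
    """Flawed: gates on the plugin's own capability, then writes whatever
    option name the request supplies. A shop manager can set default_role to
    administrator and open registration, then register an admin account."""
    if not site.can(caller, "manage_woocommerce"):
        raise PermissionError("forbidden")
    site.options[name] = value


def update_option_hardened(site, caller, name, value):
    """Require the capability that actually governs site options, and only
    touch option names the plugin owns."""
    if not site.can(caller, "manage_options"):
        raise PermissionError("forbidden")
    if name not in PLUGIN_OPTIONS:
        raise ValueError(f"option {name!r} is not owned by this plugin")
    site.options[name] = value


def register_vulnerable(site, body):
    """Flawed unauthenticated REST handler: ignores users_can_register and
    copies every request field onto the new user, including role."""
    data = json.loads(body)
    user = {"role": site.options["default_role"]}
    user.update(data)  # mass assignment
    site.users[user["login"]] = user
    return user["role"]


def register_hardened(site, body):
    """Honour the registration switch, copy only allowlisted fields, and take
    the role from the server side. As defence in depth, never self-register
    into a role holding manage_options, even if default_role was tampered."""
    if not site.options["users_can_register"]:
        raise PermissionError("registration is closed")
    data = json.loads(body)
    missing = [k for k in ("login", "email") if k not in data]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    role = site.options["default_role"]
    if "manage_options" in CAPS.get(role, set()):
        role = "subscriber"
    user = {"login": data["login"], "email": data["email"], "role": role}
    site.users[user["login"]] = user
    return user["role"]


if __name__ == "__main__":
    site = Site()
    site.users["shop"] = {"login": "shop", "role": "shop_manager"}
    update_option_vulnerable(site, "shop", "default_role", "administrator")
    update_option_vulnerable(site, "shop", "users_can_register", True)
    body = '{"login": "mallory", "email": "m@example.test"}'
    print("vulnerable chain:", register_vulnerable(site, body))  # administrator
    print("direct role field:", register_vulnerable(Site(), '{"login": "eve", "role": "administrator"}'))  # administrator
```

The check to run against a real plugin is the same in both directions: for every REST route, what is the `permission_callback`, and for every `update_option` call, is the option name fixed by the code or taken from the request.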
SANS Cybersecurity Leadership Summit | Monday, March 16, 2026 | Attend for strategic insights, executive talks, real-world leadership lessons, and networking with CISOs and cyber leaders.
Take the SANS AI Survey 2026 | Poisoned Wells and Pure Springs: Drawing Security and Compromise from the same AI Source. Contribute to a comprehensive look into how AI is reshaping the cybersecurity landscape.
Free Event | Friday, February 27, 2026, at 10:00 AM EST | SANS 2026 SOC, SIEM, SOAR Forum
Free Virtual Forum | Wednesday, March 11, 2026, at 10:30 AM EDT | 2026 SANS State of Identity Threats & Defenses Survey Insights Event: How Identity Became the New Security Perimeter—And What’s Next