Total: 368 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-26975 | 1 Music-assistant | 1 Server | 2026-02-20 | 8.8 High |
| Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated network-adjacent attackers to execute arbitrary code on affected installations. The music/playlists/update API allows users to bypass the .m3u extension enforcement and write files anywhere on the filesystem, which is exacerbated by the container running as root. This can be exploited to achieve Remote Code Execution by writing a malicious .pth file to the Python site-packages directory, which will execute arbitrary commands when Python loads. This issue has been fixed in version 2.7.0. | ||||
| CVE-2026-25628 | 1 Qdrant | 1 Qdrant | 2026-02-19 | 8.6 High |
| Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0. | ||||
| CVE-2025-61879 | 1 Infoblox | 1 Nios | 2026-02-19 | 7.7 High |
| In Infoblox NIOS through 9.0.7, a high-privileged user can trigger an arbitrary file write via the account creation mechanism. | ||||
| CVE-2026-25636 | 2 Calibre-ebook, Kovidgoyal | 2 Calibre, Calibre | 2026-02-17 | 8.2 High |
| calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0. | ||||
| CVE-2026-25964 | 2 Tandoor, Tandoorrecipes | 2 Recipes, Recipes | 2026-02-17 | 4.9 Medium |
| Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1. | ||||
| CVE-2026-2604 | 1 Gnome | 1 Evolution-data-server | 2026-02-17 | 5.6 Medium |
| No description is available for this CVE. | ||||
| CVE-2026-0965 | 1 Libssh | 1 Libssh | 2026-02-16 | N/A |
| No description is available for this CVE. | ||||
| CVE-2025-24054 | 1 Microsoft | 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more | 2026-02-13 | 6.5 Medium |
| External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-21377 | 1 Microsoft | 24 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 21 more | 2026-02-13 | 6.5 Medium |
| NTLM Hash Disclosure Spoofing Vulnerability | ||||
| CVE-2025-24996 | 1 Microsoft | 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more | 2026-02-13 | 6.5 Medium |
| External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-29819 | 1 Microsoft | 2 Azure Portal Windows Admin Center, Windows Admin Center | 2026-02-13 | 6.2 Medium |
| External control of file name or path in Azure Portal Windows Admin Center allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2025-26684 | 1 Microsoft | 1 Defender For Endpoint | 2026-02-13 | 6.7 Medium |
| External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-49760 | 1 Microsoft | 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more | 2026-02-13 | 3.5 Low |
| External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-53769 | 1 Microsoft | 1 Windows Security App | 2026-02-13 | 5.5 Medium |
| External control of file name or path in Windows Security App allows an authorized attacker to perform spoofing locally. | ||||
| CVE-2025-54162 | 2 Qnap, Qnap Systems | 2 File Station, File Station 5 | 2026-02-12 | 4.9 Medium |
| A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5068 and later. | ||||
| CVE-2025-69621 | 1 Android-tools | 1 Comic Book Reader | 2026-02-11 | 6.5 Medium |
| An arbitrary file overwrite vulnerability in the file import process of Comic Book Reader v1.0.95 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. | ||||
| CVE-2024-38049 | 1 Microsoft | 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more | 2026-02-10 | 6.6 Medium |
| Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability | ||||
| CVE-2025-62842 | 2 Qnap, Qnap Systems Inc. | 2 Hybrid Backup Sync, Hbs 3 Hybrid Backup Sync | 2026-02-05 | 7.8 High |
| An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later. | ||||
| CVE-2020-37078 | 1 I-doit | 1 I-doit | 2026-02-04 | 8.8 High |
| i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem. | ||||
| CVE-2026-23835 | 1 Lobehub | 1 Lobe Chat | 2026-02-04 | N/A |
| LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue. | ||||