CVSS: 8.1 • EPSS: % • CPEs: 5 • EXPL: 0 • CVE-2026-22719 – VMware Aria Operations command injection vulnerability
https://notcve.org/view.php?id=CVE-2026-22719
25 Feb 2026 — A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 •
CVSS: 7.4 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-23627 – OpenEMR has SQL Injection in Immunization Search/Report
https://notcve.org/view.php?id=CVE-2026-23627
25 Feb 2026 — Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. • https://github.com/openemr/openemr/commit/cbf4ea4345b14a6c8362201e30c74ffb0949cdb1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.6 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-27794 – LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution
https://notcve.org/view.php?id=CVE-2026-27794
25 Feb 2026 — Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. • https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-1311 – Worry Proof Backup <= 0.2.4 - Authenticated (Subscriber+) Path Traversal via Backup Upload
https://notcve.org/view.php?id=CVE-2026-1311
25 Feb 2026 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path traversal sequences to write arbitrary files anywhere on the server, including executable PHP files. This can lead to remote code execution. • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.9 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-27727 – mchange-commons-java: Remote Code Execution via JNDI Reference Resolution
https://notcve.org/view.php?id=CVE-2026-27727
25 Feb 2026 — mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `javax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. ... However, since mchange-commons... • https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.9 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-27702 – Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)
https://notcve.org/view.php?id=CVE-2026-27702
25 Feb 2026 — Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. • https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d • CWE-20: Improper Input Validation • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 8.8 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-27701 – LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow
https://notcve.org/view.php?id=CVE-2026-27701
25 Feb 2026 — LiveCodes is an open-source, client-side code playground. ... An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privileges of the CI bot token (`CI_APP_ID` / `CI_APP_PRIVATE_KEY`), enabling exfiltration of repository secrets and unauthorized GitHub API operations. • https://github.com/live-codes/livecodes/commit/e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-25785
https://notcve.org/view.php?id=CVE-2026-25785
25 Feb 2026 — Path traversal vulnerability exists in Lanscope Endpoint Manager (On-Premises) Sub-Manager Server Ver.9.4.7.3 and earlier, which may allow an attacker to tamper with arbitrary files and execute arbitrary code on the affected system. • https://jvn.jp/en/jp/JVN79096585 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-27597 – @enclave-vm/core is vulnerable to Sandbox Escape
https://notcve.org/view.php?id=CVE-2026-27597
25 Feb 2026 — Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundaries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1. • https://github.com/agentfront/enclave/commit/09afbebe4cb6d0586c1145aa71ffabd2103932db • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-27641 – Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
https://notcve.org/view.php?id=CVE-2026-27641
25 Feb 2026 — A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). • https://github.com/jugmac00/flask-reuploaded/commit/d64c6b2f71cb73734fc38baa0e3e156926361288 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
