CVSS: 5.1 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2025-40697 – Reflected Cross-Site Scripting (XSS) in Lewe WebMeasure
https://notcve.org/view.php?id=CVE-2025-40697
19 Feb 2026 — Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter. • https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-lewe-webmeasure • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: - • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-25006 – WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability
https://notcve.org/view.php?id=CVE-2026-25006
19 Feb 2026 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection. This issue affects XStore: from n/a through <= 9.6.4. • https://patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-4-arbitrary-shortcode-execution-vulnerability? • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: - • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-22422 – WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability
https://notcve.org/view.php?id=CVE-2026-22422
19 Feb 2026 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection. This issue affects Everest Forms: from n/a through <= 3.4.1. • https://patchstack.com/database/Wordpress/Plugin/everest-forms/vulnerability/wordpress-everest-forms-plugin-3-4-1-arbitrary-shortcode-execution-vulnerability? • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 10.0 • EPSS: % • CPEs: 3 • EXPL: 0 • CVE-2026-2731 – Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8
https://notcve.org/view.php?id=CVE-2026-2731
19 Feb 2026 — Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests. • https://doc.dynamicweb.dev/documentation/fundamentals/dw10release/security-reports.html#january-19th-2026---unauthenticated-rce-dynamicweb-9-and-dynamicweb-8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2025-15586
https://notcve.org/view.php?id=CVE-2025-15586
19 Feb 2026 — OGP-Website installs prior to git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which, if exploited, can result in authentication bypass without knowledge of the victim account's password. • https://projectblack.io/blog/vibe-hacking-open-game-panel-rce/#vul-01-type-juggling-authentication-bypass • CWE-287: Improper Authentication •
CVSS: 6.7 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2025-15585
https://notcve.org/view.php?id=CVE-2025-15585
18 Feb 2026 — Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. • https://projectblack.io/blog/fileflows-sql-injection-by-decompiling-net-code/#exploitation • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.3 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-25926 – Notepad++ has an Untrusted Search Path
https://notcve.org/view.php?id=CVE-2026-25926
18 Feb 2026 — Notepad++ is a free and open-source source code editor. ... This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. • https://github.com/notepad-plus-plus/notepad-plus-plus/releases/tag/v8.9.2 • CWE-426: Untrusted Search Path •
CVSS: 9.1 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-25548 – InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning
https://notcve.org/view.php?id=CVE-2026-25548
18 Feb 2026 — A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. • https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE-117: Improper Output Neutralization for Logs •
CVSS: 9.8 • EPSS: % • CPEs: 1 • EXPL: 1 • CVE-2019-25365 – ChaosPro 2.0 - Buffer Overflow
https://notcve.org/view.php?id=CVE-2019-25365
18 Feb 2026 — ChaosPro 2.0 contains a buffer overflow vulnerability in the configuration file path handling that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious configuration file with a carefully constructed payload to overwrite memory and gain remote code execution on vulnerable Windows XP systems. • http://www.chaospro.de • CWE-121: Stack-based Buffer Overflow •
CVSS: 9.8 • EPSS: % • CPEs: 1 • EXPL: 1 • CVE-2019-25364 – Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow
https://notcve.org/view.php?id=CVE-2019-25364
18 Feb 2026 — MailCarrier 2.51 contains a buffer overflow vulnerability in the POP3 USER command that allows remote attackers to execute arbitrary code. • https://www.exploit-db.com/exploits/47554 • CWE-121: Stack-based Buffer Overflow •
