Security Vulnerabilities
Inappropriate implementation in Animation in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVSS Score
6.5
EPSS Score
0.0
Published
2026-02-11
Inappropriate implementation in PictureInPicture in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
CVSS Score
6.5
EPSS Score
0.0
Published
2026-02-11
A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-02-11
A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-02-11
An issue was discovered in OpenSatKit 2.2.1. The DirName field in the telecommand is provided by the ground segment and must be treated as untrusted input. The program copies DirName into the local buffer DirWithSep using strcpy. The size of this buffer is OS_MAX_PATH_LEN. If the length of DirName is greater than or equal to OS_MAX_PATH_LEN, a stack buffer overflow occurs, overwriting adjacent stack memory. The path length check (FileUtil_AppendPathSep) is performed after the strcpy operation, meaning the validation occurs too late and cannot prevent the overflow.
CVSS Score
7.8
EPSS Score
0.0
Published
2026-02-11
Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain access to sensitive information or delete arbitrary files via crafted value to the FileUtil_GetFileInfo function.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-02-11
An issue was discovered in OpenSatKit 2.2.1. The EventErrStr buffer has a fixed size of 256 bytes. The code uses sprintf to format two filenames (Source1Filename and the string returned by FileUtil_FileStateStr) into this buffer without any length checking and without using bounded format specifiers such as %.*s. If the filename length approaches OS_MAX_PATH_LEN (commonly 64-256 bytes), the combined formatted string together with constant text can exceed 256 bytes, resulting in a stack buffer overflow. Such unsafe sprintf calls are scattered across multiple functions in file.c, including FILE_ConcatenateCmd() and ConcatenateFiles(), all of which fail to validate the output length.
CVSS Score
9.8
EPSS Score
0.001
Published
2026-02-11
Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users.
CVSS Score
6.4
EPSS Score
0.0
Published
2026-02-11
A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5190 and later
CVSS Score
4.4
EPSS Score
0.0
Published
2026-02-11
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following version:
QuTS hero h5.3.2.3354 build 20251225 and later
CVSS Score
4.9
EPSS Score
0.001
Published
2026-02-11