SB2026021828 - Multiple vulnerabilities in Tenable Security Center

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026021828

SB2026021828 - Multiple vulnerabilities in Tenable Security Center

Published: February 18, 2026

Security Bulletin ID SB2026021828
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 9% Medium 36% Low 55%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Expected behavior violation (CVE-ID: CVE-2025-54090)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in code that causes the "RewriteCond expr" to be always "true". A remote attacker can bypass implemented security restrictions that rely on regular expressions. 


2) Protection Mechanism Failure (CVE-ID: CVE-2025-13034)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor.

To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verifiation.


3) Unsynchronized access to shared data in a multithreaded context (CVE-ID: CVE-2025-14017)

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when performing multithreaded LDAPS transfers (LDAP over TLS) with libcurl. Changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. For example, disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well, leading to a MitM attacks against other websites.


4) Insufficiently protected credentials (CVE-ID: CVE-2025-14524)

The vulnerability allows an attacker to obtain bearer token,

The vulnerability exists due to an error when handling cross-protocol redirects. When an oauth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.


5) Improper Certificate Validation (CVE-ID: CVE-2025-14819)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way libcurl handles TLS transfers when using the CURLSSLOPT_NO_PARTIALCHAIN option. A remote attacker can trick the library into re-using a CA store cached in memory for which the partial chain option was reversed, leading to store policy bypass and a potential MitM attack.


6) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-15079)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists during SSH-based transfers due to the library mistakenly accepts connections to hosts not present in the specified file if they were added as recognized in the libssh global knownhosts file. A remote attacker can perform a MitM attack.

Note, the vulnerability affects libcurl builds that use libssh backend instead of libssh2. 


7) Improper authentication (CVE-ID: CVE-2025-15224)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication. In such case the curl would wrongly still ask and authenticate using a locally running SSH agent.

Note, the vulnerability affects libcurl builds that use libssh backend instead of libssh2. 



8) Memory leak (CVE-ID: CVE-2025-14177)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in getimagesize. A remote attacker can force the application to leak memory and perform denial of service attack.


9) Heap-based buffer overflow (CVE-ID: CVE-2025-14178)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the array_merge() PPH function. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


10) NULL pointer dereference (CVE-ID: CVE-2025-14180)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within PDO implementation. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


11) OS Command Injection (CVE-ID: CVE-2026-2630)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.


Remediation

Install update from vendor's website.

References