In pgAdmin 4 versions 6.0 before 9.16 a critical severity vulnerability CVE-2026-12048 was detected. This vulnerability allows an attacker to execute arbitrary JavaScript or conduct highly deceptive phishing attacks via Stored Cross-Site Scripting (XSS). This occurs because untrusted text returned by a PostgreSQL server (such as error messages or execution plan nodes) is passed directly through html-react-parser without proper sanitization. By controlling a server or creating database objects with maliciously crafted names, an attacker can inject arbitrary HTML, such as malicious <iframe> tags. These iframes can fetch attacker-served scripts and redirect the victim’s top-level browser tab. To address this issue, users should upgrade pgAdmin 4 to version 9.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-12048.
In Discourse versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 a medium severity vulnerability CVE-2026-44779 was detected. This vulnerability allows unauthorized access to sensitive information. This occurs because the bot debug endpoints inadvertently disclose whisper translation audit logs. To address this issue, users should upgrade Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44779.
Read more Communication
In Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 a high severity vulnerability CVE-2026-48929 was detected. This vulnerability allows an unauthenticated attacker to permanently delete any uploaded file by its ID. This occurs because calling the deleteFileMessage Meteor method via an unauthenticated DDP WebSocket connection causes Meteor.userId() to return null, which improperly skips the authorization check. The execution then falls through to unconditionally remove the file from storage and the database using FileUpload.getStore('Uploads').deleteById(fileID). Because file IDs are easily discoverable via public channel message payloads and download URLs, an attacker can target and destroy specific files. To address this issue, users should upgrade Rocket.Chat to versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, or 7.10.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48929.
In ChromaDB Python versions 0.4.17 or later a high severity vulnerability CVE-2026-45830 was detected. This vulnerability allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant’s collection, leading to unauthorized cross-tenant data access. This occurs due to a lack of proper authorization validation across tenant boundaries, meaning users are not restricted to the tenant they actually belong to. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-45830.
Read more Database
In MongoDB versions Versions before 8.3.3, 8.2.10, 8.0.10, 7.0.35 a medium severity vulnerability CVE-2026-9748 was detected. This vulnerability allows a user to cause a mongod server crash, leading to a Denial of Service (DoS). This occurs because the $_internalConvertBucketIndexStats stage incorrectly uses PauseExecution as a mechanism to skip documents when an index stats conversion fails on non-timeseries input. However, PauseExecution is not a general-purpose skip signal; it is an internal TeeBuffer signal used solely by the $facet stage. When $_internalConvertBucketIndexStats is placed before $facet in a pipeline, the TeeBuffer receives this unexpected signal, triggers a hard invariant assertion, and crashes the server. To address this issue, users should upgrade MongoDB to a patched version 7.0.35 and later, 8.0.24 and later, 8.2.10 and later, 8.3.3 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-9748.
In pgAdmin 4 versions from 1.0.0 up to, but not including, 9.16.0. a medium severity vulnerability CVE-2026-12050 was detected. This vulnerability allows an authenticated user with a connected PostgreSQL session to execute arbitrary SQL statements. This occurs due to an SQL injection flaw in the named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}), where the user-supplied value field is interpolated directly into the SQL string instead of being passed as a bound parameter. While the injected SQL executes under the user’s existing database role and does not cross privilege boundaries, it bypasses application-layer restrictions, allowing SQL execution outside of the documented Query Tool interface. To address this issue, users should upgrade pgAdmin 4 to a patched version 9.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-12050.
In MariaDB Server versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1 a high severity vulnerability CVE-2026-44171 was detected. This vulnerability allows an attacker to create or overwrite files outside the intended target directory. This occurs due to a path traversal flaw in the mbstream utility, which fails to check for directory traversal sequences (like /../) when unpacking an archive. While a legitimate backup never contains such paths, an attacker can provide a specially crafted archive to exploit this issue and perform arbitrary file writes. To address this issue, users should upgrade MariaDB Server to versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44171.
In GitLab CE/EE versions 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 a medium severity vulnerability CVE-2026-1500 was detected. This vulnerability allows an authenticated user to cause a Denial of Service (DoS) condition. This occurs due to uncontrolled resource consumption when the application processes a specially crafted file upload. To address this issue, users should upgrade GitLab CE/EE to versions 18.10.8, 18.11.5, or 19.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1500.
Read more Developer Tools
In Discourse versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 a high severity vulnerability CVE-2026-44786 was detected. This vulnerability allows an unauthorized user, specifically a MessageBus subscriber who does not have chat enabled, to receive real-time chat message payloads, leading to information disclosure. This occurs because chat events for public category channels are published to the MessageBus without proper permission scoping. To address this issue, users should upgrade Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44786.
Read more Communication