In Dolibarr ERP/CRM version 3.8.3 a low severity vulnerability CVE-2016-1912 was detected. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML via the lastname, firstname, email, job, or signature parameters to htdocs/user/card.php, leading to Cross-Site Scripting (XSS). To address this issue, users should upgrade Dolibarr ERP/CRM to versions 3.8.3 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2016-1912.
Read more ERPIn Dolibarr versions prior to 23.0.0 a critical severity vulnerability CVE-2026-23500 was detected. This vulnerability allows authenticated administrators to inject arbitrary OS commands and achieve remote code execution (RCE) as the web server user by manipulating the MAIN_ODT_AS_PDF configuration constant during the ODT to PDF conversion process. To address this issue, users should upgrade Dolibarr to version 23.0.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23500.
Read more ERPIn Helpy version 2.8.0 a medium severity vulnerability CVE-2026-40229 was detected. This vulnerability allows attackers to perform stored cross-site scripting (XSS) by injecting arbitrary HTML into the account name field, which is then rendered unescaped in post author displays across public forum threads, admin ticket views, and HTML notification emails. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40229.
Read more Customer ServiceIn Helpy version 2.8.0 a medium severity vulnerability CVE-2026-40230 was detected. This vulnerability allows authenticated attackers with admin or agent editor privileges to inject and persist arbitrary HTML or JavaScript in the knowledge base document body field, which is then executed during rendering due to improper sanitization. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40230.
Read more Customer ServiceIn FreeScout versions prior to 1.8.213 a medium severity vulnerability CVE-2026-40565 was detected. This vulnerability allows attackers to inject arbitrary HTML attributes by sending emails with specially crafted plain-text URLs containing unescaped double-quote characters, which are improperly converted into HTML anchor tags. To address this issue, users should upgrade FreeScout to version 1.8.213. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40565.
Read more Customer ServiceIn FreeScout versions prior to 1.8.213 a critical severity vulnerability CVE-2026-40498 was detected. This vulnerability allows unauthenticated attackers to access restricted diagnostic and system tools using an exposed static MD5 hash, leading to sensitive information disclosure (such as full path and process IDs) and resource exhaustion (DoS) through the repeated triggering of background tasks. To address this issue, users should upgrade FreeScout to version 1.8.213. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40498.
Read more Customer ServiceIn Dolibarr ERP/CRM versions prior to 23.0.2 a high vulnerability CVE-2026-22666 allows authenticated administrators to achieve remote code execution through the dol_eval_standard() function. The function fails to properly enforce forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax, allowing attackers to inject malicious payloads via computed extrafields or other evaluation paths. To address this issue, users should upgrade Dolibarr to version 23.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22666.
Read more ERPIn BookStack versions up to 26.03 a medium severity vulnerability CVE-2026-5484 was detected. This vulnerability allows attackers to exploit improper access controls in the chapterToMarkdown function of the Chapter Export Handler by manipulating the pagesargument, potentially enabling unauthorized data access. To address this issue, users should upgrade BookStack to version 26.03.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-5484.
Read more CMSIn Download Monitor plugin for WordPress versions up to and including 5.1.7 a high severity vulnerability CVE-2026-3124 was detected. An Insecure Direct Object Reference in the executePayment() function allows unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between PayPal transaction tokens and local orders, enabling theft of paid digital goods. To address this issue, users should upgrade Download Monitor plugin to version to version 5.1.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-3124.
Read more CMS