In GeoServer DB2 DataStore Extension versions prior to 2.27.0 a high severity vulnerability CVE-2025-27511 was detected. This vulnerability allows an authenticated administrator to achieve Remote Code Execution (RCE) on the server. This occurs because the extension is vulnerable to a JNDI injection attack when processing a specially crafted DB2 JDBC URL. To address this issue, users should upgrade the GeoServer DB2 DataStore Extension to version 2.27.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27511.
Read more DatabaseIn vLLM versions 0.10.2 to before 0.13.0 a high severity vulnerability CVE-2026-56340 was detected. This vulnerability allows an attacker to cause a Denial of Service (DoS) through crashes or resource exhaustion, with the potential for out-of-bounds memory corruption. This occurs because the multimodal embeddings processing lacks proper sparse tensor validation. When the prompt-embeds feature is enabled, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices. Because PyTorch disables sparse tensor invariant checks by default, these malicious tensors bypass validation. This flaw is a continuation of CVE-2025-62164, where the initial fix only disabled the feature by default instead of addressing the root cause. To address this issue, users should upgrade vLLM to version 0.13.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-56340.
In NocoDB versions prior to 2026.05.1 a medium severity vulnerability CVE-2026-53928 was detected. This vulnerability allows an attacker in possession of a stolen refresh token to maintain unauthorized access by minting new JSON Web Tokens (JWTs), even after the victim has completed a password recovery flow. This occurs because the passwordForgot process fails to delete the user’s active refresh tokens—unlike standard password change or reset flows—leaving them valid for exchange. To address this issue, users should upgrade NocoDB to version 2026.05.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-53928.
In MongoDB Server versions 8.3.0 through 8.3.3, 8.2.0 through 8.2.10, 8.0.0 through 8.0.25, 7.0.0 through 7.0.36, 6.0.0 through 6.0.28, 5.0.0 through 5.0.33, 4.4.0 through 4.4.30 a high severity vulnerability CVE-2026-11933 was detected. This vulnerability allows an authenticated user with read privileges to cause a Denial of Service (DoS) or disclose sensitive information from the mongod process memory. This occurs due to a Use-After-Free (UAF) flaw in the server-side JavaScript engine when converting BSON documents to JavaScript arrays. By executing server-side JavaScript (for example, via the $where or $function operators), an attacker can trigger the server to access memory that has already been freed. To address this issue, users should upgrade MongoDB Server to a patched version 8.3.x, 8.2.11, or 8.0.26 (or later), 7.0.37 (or later). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11933.
In MariaDB Server versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1 a medium severity vulnerability CVE-2026-44169 was detected. This vulnerability allows an authenticated user to gain unauthorized visibility into stored routine definitions, leading to information disclosure. This occurs because if a user is granted EXECUTE access to a stored routine via a role, the system improperly permits them to see the routine’s definition, even if they lack the explicitly required SHOW CREATE ROUTINE privilege. To address this issue, users should upgrade MariaDB Server to versions 11.4.11, 11.8.7, or 12.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44169.
In NocoDB versions prior to 2026.05.1 a medium severity vulnerability CVE-2026-53930 was detected. This vulnerability allows an attacker to perform Server-Side Request Forgery (SSRF), probe internal HTTP destinations, and abuse URI schemes (such as file: or ftp:). This occurs because the base-migration endpoint accepts a caller-supplied URL that the migration worker dereferences without enforcing proper protocol or destination restrictions. To address this issue, users should upgrade NocoDB to version 2026.05.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-53930.
In pgAdmin 4 versions 1.0 before 9.16 a high severity vulnerability CVE-2026-12044 was detected. This vulnerability allows an authenticated user to execute arbitrary SQL statements, and potentially achieve OS command execution if connected as a highly privileged role (e.g., a superuser using COPY ... TO/FROM PROGRAM). This occurs due to an SQL injection flaw across various dialog templates (such as Domains, Foreign Tables, Languages, and Event Triggers) that render COMMENT ON ... IS '<description>'. The Jinja templates interpolate user-supplied descriptions directly inside single-quoted SQL literals instead of safely passing them through the qtLiteral escape filter, allowing an attacker to break out of the literal using an apostrophe. While the injected SQL runs under the user’s existing database role and does not cross privilege boundaries, it bypasses application-layer restrictions placed on the Query Tool interface. To address this issue, users should upgrade pgAdmin 4 to version 9.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-12044.
In GeoServer versions prior to 2.26.4 and prior to 2.27.3 a high severity vulnerability CVE-2025-52465 was detected. This vulnerability allows an authenticated administrator to create files containing the master password in plaintext anywhere on the server’s file system. This occurs because the Master Password Dump web page fails to properly sanitize user input, allowing the submission of arbitrary absolute file paths. Installations where the web interface is disabled or removed are not affected. To address this issue, users should upgrade GeoServer to versions 2.26.4 or 2.27.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-52465.
Read more DatabaseIn vLLM versions 0.18.0 to before 0.20.0 a medium severity vulnerability CVE-2026-44223 was detected. This vulnerability allows an attacker to cause a Denial of Service (DoS) condition by crashing the server. This occurs because the extract_hidden_states speculative decoding proposer returns a tensor with an incorrect shape after the first decode step when a request in the batch includes sampling penalty parameters (such as repetition_penalty). This shape mismatch triggers a RuntimeError that immediately crashes the EngineCore process. To address this issue, users should upgrade vLLM to version 0.20.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44223.