In Graylog version 2.2.3, a medium severity vulnerability, CVE-2026-1438, was detected. This vulnerability allows attackers to inject and execute arbitrary JavaScript code in a victim's browser via a reflected Cross-Site Scripting (XSS) flaw in the Web Interface console, caused by improper sanitization and escaping of URL segments in the '/system/nodes/' endpoint. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1438.
In Graylog version 2.2.3, a medium severity vulnerability, CVE-2026-1437, was detected. This vulnerability allows attackers to inject and execute arbitrary JavaScript code in a victim's browser via a reflected Cross-Site Scripting (XSS) flaw in the Web Interface console, caused by improper sanitization and escaping of URL segments in the '/system/authentication/users/edit/' endpoint. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1437.
In Graylog version 2.2.3, a high severity vulnerability, CVE-2026-1436, was detected. This vulnerability allows authenticated users to access other users' profiles without proper authorization, due to an Insecure Direct Object Reference (IDOR) flaw in the API that is triggered by modifying the user ID in the URL. Exploitation of this issue may expose sensitive information such as names, email addresses, internal identifiers, and last activity. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1436.
In Graylog version 2.2.3, a critical severity vulnerability, CVE-2026-1435, was detected. This vulnerability allows an attacker to reuse previously issued session identifiers, because the application does not properly invalidate old sessions after new logins. Exploitation of this issue may enable unauthorized access to the application, allowing interaction with the API or web interface and potential compromise of affected accounts. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1435.
In PostgreSQL versions 18.0 and 18.1, a high severity vulnerability, CVE-2026-2007, was detected. This vulnerability allows a database user to trigger a heap buffer overflow via a crafted input string in the pg_trgm extension, which may lead to privilege escalation or other unintended impacts due to improper memory handling. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2007.
In Qdrant versions from 1.9.3 up to, but not including, 1.16.0, a high severity vulnerability, CVE-2026-25628, was detected. This vulnerability allows attackers with minimal (read-only) privileges to append data to arbitrary files via the `/logger` endpoint by controlling the `on_disk.log_file` path, potentially leading to further system compromise. To address this issue, users should upgrade Qdrant to version 1.16.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25628.
In pgAdmin 4 versions before 9.11, a high severity vulnerability, CVE-2026-1707, was detected. This vulnerability allows attackers with access to the pgAdmin web interface to bypass restore restrictions by disclosing and abusing the `\restrict` key during a restore operation from PLAIN-format dump files, resulting in arbitrary command execution on the pgAdmin host. To address this issue, users should upgrade pgAdmin 4 to version 9.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1707.
In NocoDB versions prior to 0.301.0, a medium severity vulnerability, CVE-2026-24766, was detected. This vulnerability allows authenticated users with org-level-creator permissions to exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until the server is restarted, resulting in a denial of service. To address this issue, users should upgrade NocoDB to version 0.301.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24766.
In NocoDB versions prior to 0.301.0, a high severity vulnerability, CVE-2026-24769, was detected. This vulnerability allows authenticated attackers to upload malicious SVG files containing embedded JavaScript, which is later executed in the browsers of users who view the attachment, potentially leading to account compromise, data exfiltration, and unauthorized actions. To address this issue, users should upgrade NocoDB to version 0.301.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24769.