Data Management and Analytics

In NocoDB versions prior to 0.301.0 a medium severity vulnerability CVE-2026-24768 was detected. This vulnerability allows attackers to perform unvalidated redirects via the `continueAfterSignIn` parameter in the login flow, potentially redirecting users to arbitrary external websites and enabling phishing attacks. To address this issue, users should upgrade NocoDB to version 0.301.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24768.

In NocoDB versions prior to 0.301.0 a medium severity vulnerability CVE-2026-24767 was detected. This vulnerability allows attackers to perform blind Server-Side Request Forgery (SSRF) via unvalidated `HEAD` requests in the `uploadViaURL` functionality, enabling limited outbound requests to arbitrary URLs before SSRF protections are enforced. To address this issue, users should upgrade NocoDB to version 0.301.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24767.

In Oracle MySQL Server Optimizer component versions 8.0.0 through 8.0.44, 8.4.0 through 8.4.7 and 9.0.0 through 9.5.0 a medium severity vulnerability CVE-2026-21968 was detected. This vulnerability allows a low-privileged attacker with network access to cause a hang or repeatedly crash the MySQL Server, resulting in a complete denial of service. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21968.

In Oracle MySQL Server Thread Pooling component versions 8.0.0 through 8.0.44, 8.4.0 through 8.4.7 and 9.0.0 through 9.5.0 a medium severity vulnerability CVE-2026-21964 was detected. This vulnerability allows a high-privileged attacker with network access to cause a complete denial of service by triggering a hang or repeated crashes of the MySQL Server. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21964.

In Oracle MySQL Server versions 9.0.0 through 9.5.0 a medium severity vulnerability CVE-2026-21952 was detected. This vulnerability allows a high-privileged attacker with network access to cause a hang or a repeatedly reproducible crash, resulting in a complete denial of service (DoS) of the MySQL Server due to an issue in the Server Parser component. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21952.

In Mattermost versions 10.11.x up to and including 10.11.8 and prior to 11.2.0 a low severity vulnerability CVE-2025-14822 was detected. This vulnerability allows authenticated attackers to trigger a denial of service by exhausting CPU resources through a single HTTP request containing a post with thousands of space-separated tokens, exploiting quadratic complexity in the model.ParseHashtags function. To address this issue, users should upgrade Mattermost to versions 10.11.9 or 11.2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14822.

In Mattermost versions 10.11.x up to and including 10.11.8, 11.0.x up to and including 11.0.6, and 11.1.x up to and including 11.1.1 a medium severity vulnerability CVE-2025-14435 was detected. This vulnerability allows authenticated attackers to cause an application-level denial of service by triggering API errors that lead to unbounded component re-render loops, resulting in infinite re-renders and degraded application availability. To address this issue, users should upgrade Mattermost to versions 10.11.9, 11.1.2 or 11.0.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14435.

In Istio versions through 1.28.2 a medium severity vulnerability CVE-2026-23766 was detected. This vulnerability allows attackers to manipulate firewall behavior by injecting custom iptables rules through the traffic.sidecar.istio.io/excludeInterfaces annotation, potentially altering network traffic handling within a pod. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23766.

In vLLM versions from 0.6.4 to before 0.12.0 a medium severity vulnerability CVE-2026-22773 was detected. This vulnerability allows attackers to crash the vLLM inference engine by sending a specially crafted 1×1 pixel image to multimodal models using the Idefics3 vision implementation, triggering a tensor dimension mismatch and an unhandled runtime error that terminates the server. To address this issue, users should upgrade vLLM to version 0.12.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22773.