In Gitea versions before 1.25.4 a critical severity vulnerability CVE-2026-20897 was detected. This vulnerability allows an authenticated user with write access to one repository to delete Git LFS locks belonging to other repositories, leading to unauthorized data modification and broken access control. This occurs due to an Insecure Direct Object Reference (IDOR) flaw, where the application does not properly validate repository ownership during the Git LFS lock deletion process. To address this issue, users should upgrade Gitea to a patched version 1.25.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-20897.
Read more Developer ToolsIn Backstage (@backstage/plugin-techdocs-node) versions prior to 1.13.11 and 1.14.1 a high severity vulnerability CVE-2026-25153 was detected. This vulnerability allows an attacker to execute arbitrary Python code on the TechDocs build server, leading to Remote Code Execution (RCE). This occurs when TechDocs is configured with runIn: local and a malicious actor modifies a repository’s mkdocs.yml file to include malicious MkDocs hooks. To address this issue, users should upgrade @backstage/plugin-techdocs-node to versions 1.13.11, 1.14.1, or later, which introduce an allowlist that strips unsupported configuration keys like hooks. Alternatively, users can mitigate the risk by configuring TechDocs with runIn: docker or using MkDocs versions prior to 1.4.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25153.
In GitBucket versions up to 4.46.1 a medium severity vulnerability CVE-2026-13540 was detected. This vulnerability allows a remote attacker to perform Server-Side Request Forgery (SSRF), potentially gaining unauthorized access to internal network resources. This occurs due to improper handling of the url argument within the Git.cloneRepository.setURI function in the src/main/scala/gitbucket/core/service/RepositoryCreationService.scala file. By supplying a maliciously crafted URL during repository cloning or creation, an attacker can coerce the server into making unintended network requests. A public exploit has been released, which heightens the risk of active attacks. To address this issue, users should apply the vendor-supplied patch (commit 487a9b980f56aa73b6a044b1e86a92eed5043215) or upgrade to a patched release 4.46.2 (or later). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-13540.
In Argo Workflows versions prior to 3.7.14 and 4.0.5 a high severity vulnerability CVE-2026-42296 was detected. This vulnerability allows an authenticated user with create Workflow permissions to bypass templateReferencing: Strict security boundaries, potentially leading to privilege escalation. This occurs due to an incomplete fix for CVE-2026-31892, which fails to restrict critical pod spec overrides. As a result, an attacker can gain host network access, switch service accounts, override pod security contexts, add tolerations to schedule on control-plane nodes, or enable ServiceAccount token mounting. While external Kubernetes controls (like PodSecurity admission or OPA/Gatekeeper) might mitigate some impacts, clusters relying solely on Argo’s Strict mode are fully exposed. To address this issue, users should upgrade Argo Workflows to versions 3.7.14, 4.0.5, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42296.
In Gitea versions before 1.25.4 a critical severity vulnerability CVE-2026-20750 was detected. This vulnerability allows an authenticated user with project write access in one organization to modify projects belonging to a different organization, leading to unauthorized data modification and an authorization bypass. This occurs due to an Insecure Direct Object Reference (IDOR) flaw in organization project operations, where Gitea does not properly validate project ownership against the user’s permissions when a Project ID is supplied. To address this issue, users should upgrade Gitea to a patched version [укажите исправленную версию]. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-20750.
Read more Developer ToolsIn Gogs versions prior to 0.14.3 a high severity vulnerability CVE-2026-52812 was detected. This vulnerability allows an authenticated user with write access to one repository to access and download private Git LFS content from other repositories, leading to unauthorized cross-tenant information disclosure. This occurs because the Git LFS storage deduplicates content using only the Object ID (OID). The serveUpload function skips the upload process if a file with the claimed OID already exists on disk, and binds it to the user’s repository without verifying that the provided request body actually hashes to that OID. By claiming an OID that belongs to a private repository, an attacker can bypass authorization checks and download the original file bytes through their own repository’s download endpoint. To address this issue, users should upgrade Gogs to version 0.14.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-52812.
In GitLab EE versions 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 a medium severity vulnerability CVE-2026-5309 was detected. This vulnerability allows an authenticated user to read or modify another group’s virtual registry cleanup policy settings without proper authorization. This occurs due to an authorization bypass flaw involving a user-controlled key under certain conditions. To address this issue, users should upgrade GitLab EE to versions 18.11.6, 19.0.3, or 19.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-5309.
Read more Developer ToolsIn Gogs versions prior to 0.14.3 a medium severity vulnerability CVE-2026-52816 was detected. This vulnerability allows an unauthenticated attacker to inject malicious HTML or JavaScript, leading to Cross-Site Scripting (XSS). This occurs because the Jupyter Notebook (ipynb) sanitizer endpoint (POST /-/api/sanitize_ipynb) fails to properly restrict data: URIs. It uses a permissive policy (bluemonday.UGCPolicy() with p.AllowURLSchemes("data")) that allows all data URI schemes, including data:text/html. Additionally, the endpoint lacks authentication middleware, allowing any user to exploit it. To address this issue, users should upgrade Gogs to version 0.14.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-52816.
In GitLab EE versions 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 a low severity vulnerability CVE-2026-3176 was detected. This vulnerability allows an authenticated user with limited permissions to gain unauthorized access to project information. This occurs due to missing or insufficient authorization checks under certain conditions. To address this issue, users should upgrade GitLab EE to versions 18.11.6, 19.0.3, or 19.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-3176.
Read more Developer Tools