In GitLab CE/EE versions 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 a low severity vulnerability CVE-2026-3553 was detected. This vulnerability allows an authenticated user to access confidential issue details under certain conditions, leading to sensitive information disclosure. This occurs due to incorrect authorization checks within the application’s issue tracking system. To address this issue, users should upgrade GitLab CE/EE to versions 18.10.8, 18.11.5, or 19.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-3553.
Read more Developer ToolsIn Jenkins versions 2.483 through 2.567 (inclusive), and LTS 2.492.1 through 2.555.2 (inclusive) a high severity vulnerability CVE-2026-53441 was detected. This vulnerability allows an authenticated attacker with Agent/Configure permission to execute malicious JavaScript in the context of another user’s browser, leading to a Stored Cross-Site Scripting (XSS) attack. This occurs because Jenkins fails to properly escape the user-provided description of a generic offline cause when set through the POST config.xml API. If a malicious description is provided, the injected payload will be executed when an administrator or another user views the affected node. To address this issue, users should upgrade Jenkins to a patched version to 2.568. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-53441.
In Plane versions prior to 1.3.1 a high severity vulnerability CVE-2026-46558 was detected. This vulnerability allows any authenticated attacker to bypass authorization controls, leading to unauthorized data access and modification. This occurs due to a cross-workspace asset authorization bypass flaw, which enables users to read, copy, delete, and overwrite assets belonging to other Plane workspaces. To address this issue, users should upgrade Plane to version 1.3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-46558.
Read more Developer ToolsIn OneDev versions up to 15.0.5 a medium severity vulnerability CVE-2026-11440 was detected. This vulnerability allows a remote attacker to bypass intended access controls. This occurs due to improper authorization validation when manipulating the project.defaultBranch argument within the REST API endpoint /repositories/{projectId}/default-branch. To address this issue, users should upgrade OneDev to version 15.0.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11440.
In Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier a medium severity vulnerability CVE-2026-53439 was detected. This vulnerability allows an attacker with Overall/Read permission to access sensitive user configuration data, leading to information disclosure. This occurs due to missing permission checks, which enable the attacker to determine other users’ configured timezones and enumerate the view names of other users’ “My Views”. To address this issue, users should upgrade Jenkins to a patched version 3.1.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-53439.
Read more Developer ToolsIn Prefect version 3.6.19 a high severity vulnerability CVE-2026-3514 was detected. This vulnerability allows an unauthenticated attacker to bypass authentication and gain unauthorized access to sensitive information, such as API keys and database credentials. This occurs due to the improper handling of URL path exemptions for health check probes. The authentication middleware incorrectly exempts any URL path ending with ‘health’ or ‘ready’ from authentication checks. An attacker can exploit this by creating resources (such as variables, flows, work pools, work queues, and deployments) with names ending in ‘health’ or ‘ready’ to access them without authentication. To address this issue, users should upgrade Prefect to version 3.6.22 or higher. For more details, visit https://avd.aquasec.com/nvd/2026/cve-2026-3514.
Read more Developer ToolsIn OneDev versions up to 15.0.5 a medium severity vulnerability CVE-2026-11439 was detected. This vulnerability allows a remote attacker to bypass intended access controls. This occurs due to improper authorization validation when manipulating the project.parentId argument within the Parent Project Handler for the /projects/ functionality. To address this issue, users should upgrade OneDev to version 15.0.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11439.
In OneDev versions up to 15.0.5 a medium severity vulnerability CVE-2026-11438 was detected. This vulnerability allows a remote attacker to bypass intended access controls. This occurs due to improper authorization validation when manipulating the project.forkedFromId argument within the /projects functionality. To address this issue, users should upgrade OneDev to version 15.0.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11438.
In Portainer Community Edition versions 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0 a high severity vulnerability CVE-2026-44848 was detected. This vulnerability allows a standard non-admin user with endpoint access to potentially achieve Remote Code Execution (RCE) on the host system. This occurs because the Docker plugin management endpoints (/plugins/*) lack proper authorization handler registration. As a result, standard users can bypass Resource Control access restrictions and directly call privileged operations, such as installing and enabling plugins, against the underlying Docker daemon. To address this issue, users should upgrade Portainer Community Edition to versions 2.33.8, 2.39.2, or 2.41.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44848.
Read more Developer Tools