In Zabbix versions prior to 6.0.41, 7.0.18, and 7.4.2, a high-severity vulnerability, CVE-2026-23925, was detected. This vulnerability allows an authenticated low-privileged user to create unauthorized hosts, potentially leading to a loss of confidentiality. This occurs because a user with the basic “User” role and template/host write permissions can bypass standard role restrictions by using the configuration.import API to create objects, an action that should normally be restricted for this role. To address this issue, users should upgrade Zabbix to version 7.4.2 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23925.
In Changedetection versions 0.54.9 and earlier, a high-severity vulnerability, CVE-2026-41895, was detected. This vulnerability allows attackers to exploit an XML External Entity (XXE) flaw, potentially leading to sensitive information disclosure or Server-Side Request Forgery (SSRF). This occurs because the xpath_filter() function switches to XML mode for XML/RSS content and uses etree.XMLParser without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup before parsing untrusted XML bytes. To address this issue, users should upgrade Changedetection to version 0.54.10 or newer. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-41895.
In Alerta versions prior to 9.1.0, a medium-severity vulnerability, CVE-2026-34400, was detected. This vulnerability allows attackers to perform SQL injection via the query string search API (q=) due to unsafe interpolation of user-supplied input into SQL statements. To address this issue, users should upgrade Alerta to version 9.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-34400.
In changedetection.io versions prior to 0.54.7, a medium-severity vulnerability, CVE-2026-33981, was detected. This vulnerability allows attackers to disclose sensitive environment variables by exploiting the jq: and jqraw: include filters, which permit use of the jq env builtin to read and expose process environment variables. To address this issue, users should upgrade changedetection.io to version 0.54.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33981.
In Kestra versions 1.1.10 and prior, a medium-severity vulnerability, CVE-2026-29082, was detected. This vulnerability allows attackers to execute stored cross-site scripting (XSS) by injecting malicious Markdown (.md) content in the execution-file preview, which is rendered with markdown-it as HTML and injected via Vue’s v-html without sanitization. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29082.
In changedetection.io versions prior to 0.54.4, a critical-severity vulnerability, CVE-2026-29065, was detected. This vulnerability allows attackers to overwrite arbitrary files via path traversal in the backup restore functionality by uploading crafted ZIP archives (Zip Slip). To address this issue, users should upgrade changedetection.io to version 0.54.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29065.
In changedetection.io versions prior to 0.54.4, a medium-severity vulnerability, CVE-2026-29039, was detected. This vulnerability allows attackers to read arbitrary files on the server by supplying malicious XPath expressions using the unparsed-text() function via the include_filters field. To address this issue, users should upgrade changedetection.io to version 0.54.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29039.
In changedetection.io versions prior to 0.54.4, a medium-severity vulnerability, CVE-2026-29038, was detected. This vulnerability allows attackers to execute reflected cross-site scripting (XSS) by injecting malicious JavaScript through the tag_uuid parameter in the /rss/tag/ endpoint, which is rendered without HTML escaping. To address this issue, users should upgrade changedetection.io to version 0.54.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29038.
In changedetection.io versions prior to 0.54.1, a medium-severity vulnerability, CVE-2026-27645, was detected. This vulnerability allows an attacker to perform reflected cross-site scripting (XSS) via the RSS single-watch endpoint, where the UUID path parameter is reflected in the HTTP response without HTML escaping, leading to execution of arbitrary JavaScript in the user’s browser. To address this issue, users should upgrade changedetection.io to version 0.54.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27645.