Security

In Wazuh versions 4.4.0 up to before 4.14.4 a critical severity vulnerability CVE-2026-30893 was detected. This vulnerability allows authenticated cluster peers to perform path traversal attacks in the decompress_files() routine, enabling arbitrary file write outside the intended directory and potential remote code execution by overwriting loaded modules. To address this issue, users should upgrade Wazuh to version 4.14.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-30893.

In Wazuh versions 4.0.0 up to before 4.14.4 a medium severity vulnerability CVE-2026-41499 was detected. This vulnerability allows attackers to trigger heap-based out-of-bounds writes in the parse_uname_string() function due to unsafe handling of empty strings, resulting in unsigned integer underflow and writes before allocated buffers that can corrupt heap metadata and lead to denial of service or potential code execution. To address this issue, users should upgrade Wazuh to version 4.14.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-41499.

In Wazuh versions 4.0.0 up to before 4.14.4 a medium severity vulnerability CVE-2026-26206 was detected. This vulnerability allows attackers to bypass API brute-force protection by exploiting a race condition in login attempt tracking, enabling more authentication attempts than intended through concurrent requests. To address this issue, users should upgrade Wazuh to version 4.14.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26206.

In Wazuh versions 1.0.0 up to before 4.14.4 a medium severity vulnerability CVE-2026-26204 was detected. This vulnerability allows attackers to cause denial of service or heap corruption by exploiting a heap-based buffer underflow in the GetAlertData function, resulting in an out-of-bounds write before the allocated buffer. To address this issue, users should upgrade Wazuh to version 4.14.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26204.

In Vaultwarden versions prior to 1.35.4 a high severity vulnerability CVE-2026-27803 was detected. This vulnerability allows users with the Manager role to perform collection management operations even when their `manage` permission is set to false, as long as they have access to the collection. To address this issue, users should upgrade Vaultwarden to version 1.35.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27803.

In PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16 and 14.21 a high severity vulnerability CVE-2026-2006 was detected. This vulnerability allows a database user to issue crafted queries that trigger a buffer overrun due to missing validation of multibyte character length in text manipulation functions, potentially leading to arbitrary code execution as the operating system user running the database. To address this issue, users should upgrade PostgreSQL to versions 18.2, 17.8, 16.12, 15.16, 14.21 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2006.

In PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16 and 14.21 a high severity vulnerability CVE-2026-2005 was detected. This vulnerability allows a ciphertext provider to trigger a heap buffer overflow in the pgcrypto extension, potentially leading to arbitrary code execution as the operating system user running the database. To address this issue, users should upgrade PostgreSQL to versions 18.2, 17.8, 16.12, 15.16, 14.21 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2005.

In PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16 and 14.21 a high severity vulnerability CVE-2026-2004 was detected. This vulnerability allows an object creator to execute arbitrary code as the operating system user running the database due to missing validation of input types in the intarray extension selectivity estimator function. To address this issue, users should upgrade PostgreSQL to versions 18.2, 17.8, 16.12, 15.16, 14.21 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2004.