In GitLab CE/EE versions 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 a low severity vulnerability CVE-2026-3553 was detected. This vulnerability allows an authenticated user to access confidential issue details under certain conditions, leading to sensitive information disclosure. This occurs due to incorrect authorization checks within the application’s issue tracking system. To address this issue, users should upgrade GitLab CE/EE to versions 18.10.8, 18.11.5, or 19.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-3553.
Read more Developer ToolsIn Jenkins versions 2.483 through 2.567 (inclusive), and LTS 2.492.1 through 2.555.2 (inclusive) a high severity vulnerability CVE-2026-53441 was detected. This vulnerability allows an authenticated attacker with Agent/Configure permission to execute malicious JavaScript in the context of another user’s browser, leading to a Stored Cross-Site Scripting (XSS) attack. This occurs because Jenkins fails to properly escape the user-provided description of a generic offline cause when set through the POST config.xml API. If a malicious description is provided, the injected payload will be executed when an administrator or another user views the affected node. To address this issue, users should upgrade Jenkins to a patched version to 2.568. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-53441.
In OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 a medium severity vulnerability CVE-2026-40215 was detected. This vulnerability allows remote attackers to potentially cause a server crash (Denial of Service) or leak sensitive heap memory. This occurs due to a race condition triggered during TLS session promotion, which leads to a use-after-free vulnerability. To address this issue, users should upgrade OpenVPN to a patched version 2.6.20 or 2.7.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40215.
Read more CMSIn LiteLLM versions prior to 1.83.10 a high severity vulnerability CVE-2026-47102 was detected. This vulnerability allows an authenticated user, such as one with the org_admin role, to escalate their privileges and gain full administrative access to the platform. This occurs because the /user/update endpoint, while correctly restricting users to updating only their own account, fails to restrict which specific fields can be modified. As a result, an attacker can change their own user_role to proxy_admin, granting them unauthorized control over all users, teams, keys, models, and prompt history. To address this issue, users should upgrade LiteLLM to version 1.83.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-47102.
In Plane versions prior to 1.3.1 a high severity vulnerability CVE-2026-46558 was detected. This vulnerability allows any authenticated attacker to bypass authorization controls, leading to unauthorized data access and modification. This occurs due to a cross-workspace asset authorization bypass flaw, which enables users to read, copy, delete, and overwrite assets belonging to other Plane workspaces. To address this issue, users should upgrade Plane to version 1.3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-46558.
Read more Developer ToolsIn RabbitMQ versions 3.7.0 to before 4.1.2 and 4.0.13 a medium severity vulnerability CVE-2026-44839 was detected. This vulnerability allows an attacker to execute malicious JavaScript in the context of a user’s browser, leading to a Stored Cross-Site Scripting (XSS) attack. This occurs because the RabbitMQ management UI fails to properly sanitize virtual host (vhost) names before rendering them. If an attacker has the permissions to create or modify a vhost, they can inject a malicious payload that will be executed when an administrator or another user accesses the management UI. To address this issue, users should upgrade RabbitMQ to versions 4.1.2 or 4.0.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44839.
Read more Application DevelopmentIn SQLite versions before 3.53.2 a high severity vulnerability CVE-2026-11824 was detected. This vulnerability allows an attacker to cause a Denial of Service (crash) or potentially execute arbitrary code. This occurs due to a heap-based buffer overflow in the FTS5 full-text search extension (specifically within the fts5ChunkIterate() function). By supplying a specially crafted database with malicious continuation page metadata (where the szLeaf value is smaller than 4), an attacker can trigger an integer underflow. This results in an inflated remaining byte count during FTS5 MATCH query processing, leading to the overflow of attacker-controlled data into the heap. This vulnerability affects applications compiled with the SQLITE_ENABLE_FTS5 flag. To address this issue, users should upgrade SQLite to version 3.53.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11824.
In Umbraco CMS versions 14.0.0 to before 17.4.0 a medium severity vulnerability CVE-2026-46609 was detected. This vulnerability allows an authenticated attacker to inject arbitrary HTML or execute malicious JavaScript in the context of another user’s browser (Stored XSS / HTML Injection). This occurs because the Umbraco Backoffice confirmation dialog fails to properly apply output encoding to user-supplied data from an input field before rendering it. If an attacker injects a malicious payload, it will be executed or displayed when an administrator or another user triggers the affected confirmation dialog. To address this issue, users should upgrade Umbraco CMS to version 17.4.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-46609.
Read more CMSIn OneDev versions up to 15.0.5 a medium severity vulnerability CVE-2026-11440 was detected. This vulnerability allows a remote attacker to bypass intended access controls. This occurs due to improper authorization validation when manipulating the project.defaultBranch argument within the REST API endpoint /repositories/{projectId}/default-branch. To address this issue, users should upgrade OneDev to version 15.0.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11440.