In Weaviate versions up to 1.37.7 a medium severity vulnerability CVE-2026-11500 was detected. This vulnerability allows a remote attacker to bypass intended access controls and gain unauthorized access. This occurs due to improper validation of the StaticApiKey argument within the validateConfig function of the Static API Key Handler (internal/usecases/auth/authentication/apikey/client.go). Although the attack complexity is high and exploitability is considered difficult, a public exploit is available. To address this issue, users should apply the patch (commit 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0) or upgrade Weaviate to version 1.38.0-rc.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11500.
Read more DatabaseIn OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 a medium severity vulnerability CVE-2026-35058 was detected. This vulnerability allows an authenticated attacker to cause a Denial of Service (DoS) by crashing the application. This occurs due to improper validation of packet length during the tls-crypt-v2 key extraction process. By sending a specially crafted packet, an attacker can trigger a fatal assertion, which leads to the termination of the service. To address this issue, users should upgrade OpenVPN to a patched version 2.6.20 and 2.7.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-35058.
Read more CMSIn Zabbix versions prior to 6.0.41, 7.0.18, and 7.4.2 a high severity vulnerability CVE-2026-23925 was detected. This vulnerability allows an authenticated low-privileged user to create unauthorized hosts, potentially leading to a loss of confidentiality. This occurs because a user with the basic “User” role and template/host write permissions can bypass standard role restrictions by utilizing the configuration.import API to create objects, an action that should normally be restricted for this role. To address this issue, users should upgrade Zabbix to version 7.4.2 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23925.
Read more MonitoringIn OneDev versions up to 15.0.5 a medium severity vulnerability CVE-2026-11438 was detected. This vulnerability allows a remote attacker to bypass intended access controls. This occurs due to improper authorization validation when manipulating the project.forkedFromId argument within the /projects functionality. To address this issue, users should upgrade OneDev to version 15.0.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11438.
In Django versions 6.0 before 6.0.6 and 5.2 before 5.2.15 a low severity vulnerability CVE-2026-7666 was detected. This vulnerability allows an on-path network attacker to intercept and read email content in cleartext. This occurs because the django.core.mail.backends.smtp.EmailBackend fails to prevent the reuse of a partially-initialized connection after a failed STARTTLS handshake when the fail_silently parameter is set to True. To address this issue, users should upgrade Django to versions 6.0.6 or 5.2.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-7666.
In Discourse versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 a medium severity vulnerability CVE-2026-32244 was detected. This vulnerability allows anonymous and unprivileged users to view removed content, leading to information disclosure. This occurs because the platform caches outdated AI-generated summaries which are not adequately purged when the original content is deleted. Consequently, users who lack the permissions to regenerate summaries can still access the leaked information through the stale cache. To address this issue, users should upgrade Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1. As a temporary workaround, administrators can restrict summary generation by tightening the allowed groups on the summarization Personas. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-32244.
Read more CommunicationIn MLflow versions up to 3.10.1.dev0 a critical severity vulnerability CVE-2026-2651 was detected. This vulnerability allows an attacker to overwrite artifacts belonging to other users, potentially leading to model supply chain poisoning and arbitrary code execution when compromised models are loaded. This occurs because the authorization logic fails to enforce resource-level permission checks for multipart upload (MPU) endpoints (/mlflow-artifacts/mpu/*) when the –serve-artifacts mode is enabled, enabling unauthorized cross-user writes. To address this issue, users should upgrade MLflow to version 3.10.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2651.
Read more Data AnalyticsIn MLflow versions prior to 3.11.0 a critical severity vulnerability CVE-2026-4035 was detected. This vulnerability allows an attacker to exfiltrate sensitive server-side environment credentials, such as AWS access keys, to an attacker-controlled endpoint. This occurs because the api_key field in AI Gateway secrets incorrectly resolves environment variable references (e.g., $ENV_VAR) against the MLflow server’s environment during runtime. The resolved secrets are then sent in provider authentication headers to a configured upstream api_base. This can be exploited by unauthenticated users in default deployments or low-privileged users in basic-auth deployments, potentially leading to artifact poisoning and cross-boundary code execution. To address this issue, users should upgrade MLflow to version 3.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4035.
Read more Data AnalyticsIn Django versions 6.0 before 6.0.6 and 5.2 before 5.2.15 a low severity vulnerability CVE-2026-6873 was detected. This vulnerability allows a remote attacker to use a signed cookie in a context different from the one where it was originally signed. This occurs because the django.http.HttpRequest.get_signed_cookie function uses a non-injective salt derivation method that simply concatenates the cookie name and the salt argument. An attacker can exploit this by utilizing distinct (name, salt) pairs that produce the exact same string concatenation. To address this issue, users should upgrade Django to versions 6.0.6 or 5.2.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-6873.
Read more Application Development