Proactive Insights and Support For Open-Source Applications
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
Book a demo
Book a demo
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
  • Home
  • Knowledge Base
  • Newsflash

Our news and updates

All OSSpediaArticlesHow ToNewsflashCase Studies
Don't Miss out!
Join our newsletter for exclusive updates on open source innovations.

    Choose category
    • Communication
      • Communication
    • Communication and Collaboration
      • Utility
      • Communication and Collaboration
      • Communication
    • Specialized Software
      • Educational
      • Graphic Design
    • Business and Enterprise Solutions
      • Customer Service
      • Productivity
      • Supply Chain Management (SCM)
      • CRM
      • E-commerce
      • CMS
      • Marketing Automation
      • ERP
    • Project and Agile Management
      • Project Management
      • IT Business Management
    • Infrastructure and Network
      • CMS
      • Networking
      • Storage
      • Security
    • DevOps
      • DevOps
      • Mobile App Development
      • Backup and Recovery
      • Data Analytics
      • Web Development
      • Developer Stacks
      • Cloud Computing
      • Monitoring
      • Application Development
      • Developer Tools
    • Data Management and Analytics
      • Communication
      • Application Development
      • Analytics
      • Machine Learning
      • Database
      • Data Analytics
    9 Jun 2026 Data Management and Analytics
    Weaviate: Authorization Bypass in Static API Key Handler

    In Weaviate versions up to 1.37.7 a medium severity vulnerability CVE-2026-11500 was detected. This vulnerability allows a remote attacker to bypass intended access controls and gain unauthorized access. This occurs due to improper validation of the StaticApiKey argument within the validateConfig function of the Static API Key Handler (internal/usecases/auth/authentication/apikey/client.go). Although the attack complexity is high and exploitability is considered difficult, a public exploit is available. To address this issue, users should apply the patch (commit 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0) or upgrade Weaviate to version 1.38.0-rc.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11500.

    Read more
    Database
    9 Jun 2026 Business and Enterprise Solutions
    OpenVPN: Denial of Service (DoS) via tls-crypt-v2 Key Extraction Flaw

    In OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 a medium severity vulnerability CVE-2026-35058 was detected. This vulnerability allows an authenticated attacker to cause a Denial of Service (DoS) by crashing the application. This occurs due to improper validation of packet length during the tls-crypt-v2 key extraction process. By sending a specially crafted packet, an attacker can trigger a fatal assertion, which leads to the termination of the service. To address this issue, users should upgrade OpenVPN to a patched version 2.6.20 and 2.7.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-35058.

    Read more
    CMS
    8 Jun 2026 DevOps
    Zabbix: Unauthorized Host Creation via configuration.import API

    In Zabbix versions prior to 6.0.41, 7.0.18, and 7.4.2 a high severity vulnerability CVE-2026-23925 was detected. This vulnerability allows an authenticated low-privileged user to create unauthorized hosts, potentially leading to a loss of confidentiality. This occurs because a user with the basic “User” role and template/host write permissions can bypass standard role restrictions by utilizing the configuration.import API to create objects, an action that should normally be restricted for this role. To address this issue, users should upgrade Zabbix to version 7.4.2 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23925.

    Read more
    Monitoring
    8 Jun 2026 DevOps
    OneDev: Improper Authorization via Forked Project ID

    In OneDev versions up to 15.0.5 a medium severity vulnerability CVE-2026-11438 was detected. This vulnerability allows a remote attacker to bypass intended access controls. This occurs due to improper authorization validation when manipulating the project.forkedFromId argument within the /projects functionality. To address this issue, users should upgrade OneDev to version 15.0.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11438.

    Read more
    Developer Tools
    8 Jun 2026 DevOps
    Django: Unencrypted Email Transmission after STARTTLS Failure

    In Django versions 6.0 before 6.0.6 and 5.2 before 5.2.15 a low severity vulnerability CVE-2026-7666 was detected. This vulnerability allows an on-path network attacker to intercept and read email content in cleartext. This occurs because the django.core.mail.backends.smtp.EmailBackend fails to prevent the reuse of a partially-initialized connection after a failed STARTTLS handshake when the fail_silently parameter is set to True. To address this issue, users should upgrade Django to versions 6.0.6 or 5.2.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-7666.

    Read more
    Application Development
    8 Jun 2026 Communication and Collaboration
    Discourse: Information Disclosure via Outdated Cached AI Summaries

    In Discourse versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 a medium severity vulnerability CVE-2026-32244 was detected. This vulnerability allows anonymous and unprivileged users to view removed content, leading to information disclosure. This occurs because the platform caches outdated AI-generated summaries which are not adequately purged when the original content is deleted. Consequently, users who lack the permissions to regenerate summaries can still access the leaked information through the stale cache. To address this issue, users should upgrade Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1. As a temporary workaround, administrators can restrict summary generation by tightening the allowed groups on the summarization Personas. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-32244.

    Read more
    Communication
    8 Jun 2026 Data Management and Analytics
    MLflow: Artifact Overwrite and Arbitrary Code Execution via Multipart Upload Endpoints

    In MLflow versions up to 3.10.1.dev0 a critical severity vulnerability CVE-2026-2651 was detected. This vulnerability allows an attacker to overwrite artifacts belonging to other users, potentially leading to model supply chain poisoning and arbitrary code execution when compromised models are loaded. This occurs because the authorization logic fails to enforce resource-level permission checks for multipart upload (MPU) endpoints (/mlflow-artifacts/mpu/*) when the –serve-artifacts mode is enabled, enabling unauthorized cross-user writes. To address this issue, users should upgrade MLflow to version 3.10.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2651.

    Read more
    Data Analytics
    5 Jun 2026 Data Management and Analytics
    MLflow: Credential Exfiltration via Environment Variable Resolution in AI Gateway

    In MLflow versions prior to 3.11.0 a critical severity vulnerability CVE-2026-4035 was detected. This vulnerability allows an attacker to exfiltrate sensitive server-side environment credentials, such as AWS access keys, to an attacker-controlled endpoint. This occurs because the api_key field in AI Gateway secrets incorrectly resolves environment variable references (e.g., $ENV_VAR) against the MLflow server’s environment during runtime. The resolved secrets are then sent in provider authentication headers to a configured upstream api_base. This can be exploited by unauthenticated users in default deployments or low-privileged users in basic-auth deployments, potentially leading to artifact poisoning and cross-boundary code execution. To address this issue, users should upgrade MLflow to version 3.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4035.

    Read more
    Data Analytics
    5 Jun 2026 DevOps
    Django: Cookie Context Spoofing via Salt Namespace Collision

    In Django versions 6.0 before 6.0.6 and 5.2 before 5.2.15 a low severity vulnerability CVE-2026-6873 was detected. This vulnerability allows a remote attacker to use a signed cookie in a context different from the one where it was originally signed. This occurs because the django.http.HttpRequest.get_signed_cookie function uses a non-injective salt derivation method that simply concatenates the cookie name and the salt argument. An attacker can exploit this by utilizing distinct (name, salt) pairs that produce the exact same string concatenation. To address this issue, users should upgrade Django to versions 6.0.6 or 5.2.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-6873.

    Read more
    Application Development
    Proactive Insights and Support For Open-Source Applications
    Contact us: Whatsapp
    Company
    • About Hossted
    • Data Processing Addendum
    Solutions
    • Applications
    • Support Plans
    • About Solution
    Resources
    • FAQ
    • Knowledge Base

    © HOSSTED 2026 All rights reserved

    • Privacy Policy
    • Terms and Conditions
    • Cookies Policy
    Cookie Settings

    We use cookies to measure marketing efforts and improve our services. Please review the cookie settings and confirm your choice.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}