Proactive Insights and Support For Open-Source Applications
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
Book a demo
Book a demo
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
  • Home
  • Knowledge Base
  • Newsflash

Our news and updates

All OSSpediaArticlesHow ToNewsflashCase Studies
Don't Miss out!
Join our newsletter for exclusive updates on open source innovations.

    Choose category
    • Communication
      • Communication
    • Communication and Collaboration
      • Utility
      • Communication and Collaboration
      • Communication
    • Specialized Software
      • Educational
      • Graphic Design
    • Business and Enterprise Solutions
      • Customer Service
      • Productivity
      • Supply Chain Management (SCM)
      • CRM
      • E-commerce
      • CMS
      • Marketing Automation
      • ERP
    • Project and Agile Management
      • Project Management
      • IT Business Management
    • Infrastructure and Network
      • CMS
      • Networking
      • Storage
      • Security
    • DevOps
      • DevOps
      • Mobile App Development
      • Backup and Recovery
      • Data Analytics
      • Web Development
      • Developer Stacks
      • Cloud Computing
      • Monitoring
      • Application Development
      • Developer Tools
    • Data Management and Analytics
      • Communication
      • Application Development
      • Analytics
      • Machine Learning
      • Database
      • Data Analytics
    5 Jun 2026 Infrastructure and Network
    authentik: Account Takeover via Source Connection Manipulation

    In authentik versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 a high severity vulnerability CVE-2026-49443 was detected. This vulnerability allows an attacker to log into any user’s account (Account Takeover). This occurs because an attacker who has the ability to change a source connection and possesses an account in one of the configured sources can exploit improper validation of the source connection to bypass authentication. To address this issue, users should upgrade authentik to versions 2025.12.6, 2026.2.4, or 2026.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4944.

    Read more
    Security
    5 Jun 2026 DevOps
    Appsmith: Persistent Cross-Site Scripting (XSS) via SQL Autocomplete

    In Appsmith versions versions prior to 2.1 a medium severity vulnerability CVE-2026-7299 was detected. This vulnerability allows an authenticated user with Developer privileges to inject a persistent Cross-Site Scripting (XSS) payload, leading to arbitrary code execution in the sessions of other workspace members. This occurs because the SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML. An attacker can exploit this by creating malicious table or column names, which then trigger the payload when other users interact with the same datasource. To address this issue, users should upgrade Appsmith to version 2.1 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-7299.

    Read more
    Application Development
    5 Jun 2026 DevOps
    Portainer Community Edition: Remote Code Execution via Missing Authorization on Docker Plugin Endpoints

    In Portainer Community Edition versions 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0 a high severity vulnerability CVE-2026-44848 was detected. This vulnerability allows a standard non-admin user with endpoint access to potentially achieve Remote Code Execution (RCE) on the host system. This occurs because the Docker plugin management endpoints (/plugins/*) lack proper authorization handler registration. As a result, standard users can bypass Resource Control access restrictions and directly call privileged operations, such as installing and enabling plugins, against the underlying Docker daemon. To address this issue, users should upgrade Portainer Community Edition to versions 2.33.8, 2.39.2, or 2.41.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44848.

    Read more
    Developer Tools
    4 Jun 2026 DevOps
    Budibase: Server-Side Request Forgery (SSRF) Bypass via HTTP Redirect

    In Budibase versions prior to 3.38.1 a high severity vulnerability CVE-2026-45715 was detected. This vulnerability allows an authenticated attacker with Builder permissions to perform a Server-Side Request Forgery (SSRF) attack, potentially accessing internal services such as cloud metadata or internal databases. This occurs because the REST datasource integration follows HTTP redirects without re-checking the new destination against the IP blacklist, enabling an attacker to bypass restrictions by redirecting the request through an attacker-controlled server. To address this issue, users should upgrade Budibase to version 3.38.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-45715.

    Read more
    Application Development
    4 Jun 2026 Data Management and Analytics
    Grafana: Denial of Service (DoS) via Unbounded Memory Allocation in Plugin Resources

    In Grafana versions 6.7.0 through 11.6.13, 12.0.0 through 12.2.7, 12.3.0 through 12.3.5, 12.4.0 through 12.4.2, 13.0.0 a medium severity vulnerability CVE-2026-28383 was detected. This vulnerability allows an authenticated attacker to cause a Denial of Service (DoS) by triggering an out-of-memory condition. This occurs because the Grafana plugin resources endpoint reads the entire request body into memory without size limits, leading to unbounded memory allocation. To address this issue, users should upgrade Grafana to version 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, 13.0.1+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-283833.

    Read more
    Database
    4 Jun 2026 Data Management and Analytics
    Kibana: Server-Side Request Forgery (SSRF) and Allowlist Bypass in Webhook Connector

    In Kibana versions up to and including 8.19.15, prior to 9.3.3, 9.2.8, up to and including 9.4.1 a high severity vulnerability CVE-2026-42398 was detected. This vulnerability allows an authenticated user with connector management privileges to perform a Server-Side Request Forgery (SSRF) attack and bypass operator-configured connection allowlists. This occurs because an attacker can configure a Webhook connector with a specially crafted target, forcing Kibana to issue outbound requests to destinations that were intended to be blocked by egress restriction controls. To address this issue, users should upgrade Kibana to version 9.2.8 or 9.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42398.

    Read more
    Data Analytics
    4 Jun 2026 Data Management and Analytics
    SQLite: Denial of Service via Division by Zero in Query Planner

    In SQLite versions through 3.29.0 a medium severity vulnerability CVE-2019-16168 was detected. This vulnerability allows an attacker to cause a Denial of Service (DoS) by crashing a browser or any other application using the database. This occurs due to a severe division by zero error in the query planner (specifically within the whereLoopAddBtreeIndex function in sqlite3.c), which is triggered by missing validation of the sqlite_stat1 sz field. To address this issue, users should upgrade SQLite to version 3.29.0 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2019-16168.

    Read more
    Database
    3 Jun 2026 Infrastructure and Network
    authentik: Improper SAML Assertion Validation in Conditions Element

    In authentik versions prior to 2025.12.5 and 2026.2.3 a medium severity vulnerability CVE-2026-41577 was detected. This vulnerability allows an attacker to replay expired SAML assertions or use assertions intended for other service providers, potentially leading to unauthorized access. This occurs because the SAML source response processor (ResponseProcessor.parse()) fails to validate the Conditions element on assertions, improperly ignoring the NotBefore, NotOnOrAfter, and AudienceRestriction restrictions. To address this issue, users should upgrade authentik to versions 2025.12.5 or 2026.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-41577.

    Read more
    Security
    3 Jun 2026 Data Management and Analytics
    MariaDB Server: Denial of Service via caching_sha2_password Plugin

    In MariaDB Server versions before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2 a medium severity vulnerability CVE-2026-35549 was detected. This vulnerability allows an attacker to cause a Denial of Service (DoS) by crashing the server. This occurs because when the caching_sha2_password authentication plugin is enabled and in use, sending a specially crafted large packet triggers a crash due to the unsafe use of the alloca function for memory allocation within sha256_crypt_r. To address this issue, users should upgrade MariaDB Server to versions 11.4.10, 11.8.6, or 12.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-35549.

    Read more
    Database
    Proactive Insights and Support For Open-Source Applications
    Contact us: Whatsapp
    Company
    • About Hossted
    • Data Processing Addendum
    Solutions
    • Applications
    • Support Plans
    • About Solution
    Resources
    • FAQ
    • Knowledge Base

    © HOSSTED 2026 All rights reserved

    • Privacy Policy
    • Terms and Conditions
    • Cookies Policy
    Cookie Settings

    We use cookies to measure marketing efforts and improve our services. Please review the cookie settings and confirm your choice.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}