In Kubernetes (all versions) a medium severity vulnerability CVE-2020-8554 was detected. This vulnerability allows an attacker to intercept traffic intended for specific IP addresses, resulting in a Man-in-the-Middle (MitM) attack. This occurs because the Kubernetes API server allows users who can create a ClusterIP service to freely set the spec.externalIPs field. Additionally, an attacker with privileged access to patch the status of a LoadBalancer service can set the status.loadBalancer.ingress.ip field to achieve a similar effect. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2020-8554.
Read more Developer ToolsIn Budibase versions prior to 3.39.0 a high severity vulnerability CVE-2026-48152 was detected. This vulnerability allows an authenticated attacker with basic permissions to exfiltrate stored REST datasource authentication credentials. This occurs because the single-datasource routes are improperly guarded by generic table permissions rather than specific builder/admin roles. A Basic user can update a REST datasource’s base URL (config.url) while maintaining the original redacted authentication secrets. When a saved query is subsequently executed, the application sends the stored authorization headers to the newly set, attacker-controlled URL, leading to credential disclosure. To address this issue, users should upgrade Budibase to version 3.39.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48152.
Read more Application DevelopmentIn Portainer Community Edition versions 2.33.0 to before 2.33.8 and 2.39.1 a medium severity vulnerability CVE-2026-44884 was detected. This vulnerability allows any authenticated user to read the file content of any custom template, potentially exposing sensitive environment-specific values such as connection strings, API tokens, or registry credentials. This occurs due to missing authorization checks in the Custom Template file endpoint (GET /api/custom_templates/{id}/file), enabling users to bypass Resource Control access restrictions by enumerating sequential integer IDs. To address this issue, users should upgrade Portainer Community Edition to versions 2.33.8 or 2.39.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44884.
Read more Developer ToolsIn GitLab EE versions 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 a high severity vulnerability CVE-2026-4868 was detected. This vulnerability allows an authenticated user to cause specific Duo AI workflows to run under another user’s identity. This occurs due to an authorization bypass caused by improper user identity resolution when triggering Duo AI workflow runners. To address this issue, users should upgrade GitLab EE to versions 18.10.7, 18.11.4, or 19.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4868.
Read more Developer ToolsIn Joomla! Core versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 a high severity vulnerability CVE-2026-48901 was detected. This vulnerability may allow attackers to bypass intended security filters. This occurs because the InputFilter::getInstance() method improperly omits a security-sensitive parameter when constructing the instance cache key. As a result, an incorrectly configured filter object might be retrieved from the cache and reused in a different context, potentially leading to inadequate content filtering and subsequent security issues. To address this issue, users should upgrade Joomla! Core to version 5.4.6 or 6.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48901.
Read more CMSIn Portainer Community Edition versions 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0 a high severity vulnerability CVE-2026-44881 was detected. This vulnerability allows an authenticated user with rights to create or update a Git-backed stack to read arbitrary files on the host filesystem that are accessible to the Portainer process. This occurs because Portainer clones Git repositories using a library that translates symlink entries into real OS symlinks without adequate validation. When the stack entry point (such as docker-compose.yml) is a symlink pointing to an arbitrary path, the API endpoint reading this file transparently follows the symlink and returns the target file’s contents in the HTTP response. To address this issue, users should upgrade Portainer Community Edition to versions 2.33.8, 2.39.2, or 2.41.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44881.
Read more Developer ToolsIn Ghost versions 3.24.0 through 6.19.0 a critical severity vulnerability CVE-2026-26980 was detected. This vulnerability allows an unauthenticated attacker to perform arbitrary reads from the database. This occurs due to a SQL Injection flaw within the Content API. A public exploit for this issue is currently available. To address this issue, users should upgrade Ghost to version 6.19.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26980.
Read more CMSIn pgAdmin 4 versions before 9.15 a high severity vulnerability CVE-2026-7816 was detected. This vulnerability allows an authenticated user to achieve arbitrary operating-system command execution on the pgAdmin server or perform arbitrary file writes. This occurs because user-supplied input (including the query, format, on_error, and log_verbosity fields) is interpolated directly into a psql \copy metacommand template without proper sanitization. An attacker can exploit this by injecting strings like “) TO PROGRAM ‘cmd'” to break out of the intended \copy (…) context. To address this issue, users should upgrade pgAdmin 4 to version 9.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-7816.
Read more DatabaseIn PrivateTunnel versions prior to 3.0 and OpenVPN Connect versions prior to 3.1 on Windows a medium severity vulnerability CVE-2014-5455 was detected. This vulnerability allows a local user to gain elevated privileges. This occurs due to an unquoted Windows search path vulnerability in the ptservice service, which enables an attacker to execute arbitrary code by placing a specially crafted program.exe file in the %SYSTEMDRIVE% folder. To address this issue, users should upgrade PrivateTunnel to version 3.0 and OpenVPN Connect to version 3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2014-5455.
Read more CMS