Proactive Insights and Support For Open-Source Applications
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
Book a demo
Book a demo
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
  • Home
  • Knowledge Base
  • Newsflash

Our news and updates

All OSSpediaArticlesHow ToNewsflashCase Studies
Don't Miss out!
Join our newsletter for exclusive updates on open source innovations.

    Choose category
    • Communication
      • Communication
    • Communication and Collaboration
      • Utility
      • Communication and Collaboration
      • Communication
    • Specialized Software
      • Educational
      • Graphic Design
    • Business and Enterprise Solutions
      • Customer Service
      • Productivity
      • Supply Chain Management (SCM)
      • CRM
      • E-commerce
      • CMS
      • Marketing Automation
      • ERP
    • Project and Agile Management
      • Project Management
      • IT Business Management
    • Infrastructure and Network
      • CMS
      • Networking
      • Storage
      • Security
    • DevOps
      • DevOps
      • Mobile App Development
      • Backup and Recovery
      • Data Analytics
      • Web Development
      • Developer Stacks
      • Cloud Computing
      • Monitoring
      • Application Development
      • Developer Tools
    • Data Management and Analytics
      • Communication
      • Application Development
      • Analytics
      • Machine Learning
      • Database
      • Data Analytics
    1 Jun 2026 DevOps
    Portainer Community Edition: Credential Leakage via JWT in URL Query Parameter

    In Portainer Community Edition versions 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0 a high severity vulnerability CVE-2026-44883 was detected. This vulnerability allows an attacker to obtain full user privileges by harvesting leaked authentication tokens. This occurs because the authentication middleware accepts JWT bearer tokens passed as the “?token=<JWT>” URL query parameter on any authenticated API endpoint. Consequently, these sensitive tokens can be exposed in reverse-proxy access logs, browser history, or HTTP Referer headers. To address this issue, users should upgrade Portainer Community Edition to versions 2.33.8, 2.39.2, or 2.41.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44883.

    Read more
    Developer Tools
    1 Jun 2026 Data Management and Analytics
    MLflow: Server-Side Request Forgery (SSRF) via Webhook URL

    In MLflow versions prior to 3.9.0 a high severity vulnerability CVE-2026-2393 was detected. This vulnerability allows an authenticated attacker to perform a Server-Side Request Forgery (SSRF) attack, potentially leading to cloud credential theft, internal network access, and data exfiltration. This occurs because the application fails to validate, sanitize, or filter the user-controlled ‘url’ parameter in the webhook creation and delivery functions, allowing the backend server to be forced into sending HTTP POST requests to arbitrary internal or external destinations. To address this issue, users should upgrade MLflow to version 3.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2393.

    Read more
    Data Analytics
    1 Jun 2026 DevOps
    GitLab CE/EE: Unauthorized Access via Blocked Project Access Token

    In GitLab CE/EE versions 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 a medium severity vulnerability CVE-2026-9807 was detected. This vulnerability allows an attacker using a blocked Project Access Token to continue accessing private resources. This occurs due to incorrect authorization enforcement within the application under certain conditions. To address this issue, users should upgrade GitLab CE/EE to versions 18.10.7, 18.11.4, or 19.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-9807.

    Read more
    Developer Tools
    1 Jun 2026 Data Management and Analytics
    Kibana: Denial of Service (DoS) via Uncontrolled Resource Consumption

    In Kibana versions 8.0.0 up a medium severity vulnerability CVE-2026-49094 was detected. This vulnerability allows an authenticated user with viewer-level access to cause a Denial of Service (DoS), rendering the application unavailable to all users until it is manually recovered. This occurs due to uncontrolled resource consumption (excessive CPU and memory allocation) when a request containing an oversized input value is submitted to an analytics collections management endpoint. To address this issue, users should upgrade Kibana to version 8.19.16, 9.3.5, and 9.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-49094.

    Read more
    Data Analytics
    29 May 2026 DevOps
    Budibase: Authorization Bypass in Webhook Schema Endpoint

    In Budibase versions prior to 3.39.0 a high severity vulnerability CVE-2026-48151 was detected. This vulnerability allows an unauthenticated attacker to update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This occurs because the generic authorization middleware improperly skips authorization for all paths matching /api/webhooks/schema, bypassing the intended restrictions for endpoints registered under builderRoutes. To address this issue, users should upgrade Budibase to version 3.39.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48151.

    Read more
    Application Development
    29 May 2026 DevOps
    GitLab CE/EE: Private Project Enumeration via Incorrect Authoriza

    In GitLab CE/EE versions 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 a medium severity vulnerability CVE-2026-6713 was detected. This vulnerability allows an unauthorized user to enumerate private projects under certain conditions. This occurs due to incorrect authorization checks within the application. To address this issue, users should upgrade GitLab CE/EE to versions 18.10.7, 18.11.4, or 19.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-6713.

    Read more
    Developer Tools
    29 May 2026 Business and Enterprise Solutions
    Joomla! Framework: Cross-Site Scripting (XSS) via Inadequate Content Filtering in checkAttribute

    In Joomla! Framework versions Versions 1.0.0 through 3.0.5 and versions 4.0.0through 4.0.1 a medium severity vulnerability CVE-2026-48903 was detected. This vulnerability allows an attacker to execute arbitrary malicious scripts (Cross-Site Scripting, XSS) in the context of the victim’s browser. This occurs due to inadequate content filtering within the checkAttribute methods, which affects various components. To address this issue, users should upgrade Joomla! Framework to version 5.4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48903.

    Read more
    CMS
    29 May 2026 Data Management and Analytics
    Kibana: Server-Side Request Forgery (SSRF) via Connector Allowlist Bypass

    In Kibana version 9.3.3 a medium severity vulnerability CVE-2026-49093 was detected. This vulnerability allows an authenticated user with connector management privileges to perform a Server-Side Request Forgery (SSRF) attack. This occurs because the application allows the user to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations that the egress controls were intended to block. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-49093.

    Read more
    Data Analytics
    29 May 2026 Specialized Software
    Moodle LMS: Cross-Site Scripting (XSS) via Course Search

    In Moodle LMS version 4.0 a medium severity vulnerability CVE-2022-50943 was detected. This vulnerability allows an unauthenticated attacker to execute arbitrary scripts in a user’s browser and potentially steal session cookies (Cross-Site Scripting). This occurs because malicious payloads can be injected through the unescaped “search” parameter in the course/search.php file. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-50943.

    Read more
    Educational
    Proactive Insights and Support For Open-Source Applications
    Contact us: Whatsapp
    Company
    • About Hossted
    • Data Processing Addendum
    Solutions
    • Applications
    • Support Plans
    • About Solution
    Resources
    • FAQ
    • Knowledge Base

    © HOSSTED 2026 All rights reserved

    • Privacy Policy
    • Terms and Conditions
    • Cookies Policy
    Cookie Settings

    We use cookies to measure marketing efforts and improve our services. Please review the cookie settings and confirm your choice.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}