Proactive Insights and Support For Open-Source Applications
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
Book a demo
Book a demo
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
  • Home
  • Knowledge Base
  • Newsflash

Our news and updates

All OSSpediaArticlesHow ToNewsflashCase Studies
Don't Miss out!
Join our newsletter for exclusive updates on open source innovations.

    Choose category
    • Communication
      • Communication
    • Communication and Collaboration
      • Utility
      • Communication and Collaboration
      • Communication
    • Specialized Software
      • Educational
      • Graphic Design
    • Business and Enterprise Solutions
      • Customer Service
      • Productivity
      • Supply Chain Management (SCM)
      • CRM
      • E-commerce
      • CMS
      • Marketing Automation
      • ERP
    • Project and Agile Management
      • Project Management
      • IT Business Management
    • Infrastructure and Network
      • CMS
      • Networking
      • Storage
      • Security
    • DevOps
      • DevOps
      • Mobile App Development
      • Backup and Recovery
      • Data Analytics
      • Web Development
      • Developer Stacks
      • Cloud Computing
      • Monitoring
      • Application Development
      • Developer Tools
    • Data Management and Analytics
      • Communication
      • Application Development
      • Analytics
      • Machine Learning
      • Database
      • Data Analytics
    28 May 2026 DevOps
    NGINX: Heap Buffer Overflow and Potential RCE via ngx_http_rewrite_module

    In NGINX Plus and NGINX Open Source versions 0.6.27 through 0.9.7 and 1.0.0 through 1.30.0. a high severity vulnerability CVE-2026-42945 was detected. This vulnerability allows an unauthenticated attacker to cause a worker process restart (Denial of Service) and potentially execute arbitrary code if Address Space Layout Randomization (ASLR) is disabled or bypassed. This occurs due to a heap buffer overflow in the ngx_http_rewrite_module when a rewrite directive is followed by a rewrite, if, or set directive, and uses an unnamed PCRE capture (e.g., $1, $2) with a replacement string containing a question mark (?). To address this issue, users should upgrade NGINX to version 1.30.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42945.

    Read more
    Application Development
    28 May 2026 DevOps
    GitLab CE/EE: CI Data Exposure via Incorrectly-Resolved Name or Reference

    In GitLab CE/EE versions 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 a medium severity vulnerability CVE-2026-8716 was detected. This vulnerability allows an authenticated user to access CI data from a different ref type than intended under certain conditions. This occurs due to the use of an incorrectly-resolved name or reference within the application. To address this issue, users should upgrade GitLab CE/EE to versions 18.10.7, 18.11.4, or 19.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-8716.

    Read more
    Developer Tools
    28 May 2026 DevOps
    Budibase: Server-Side Request Forgery (SSRF) via OAuth2 Token Endpoint

    In Budibase versions prior to 3.39.0 a high severity vulnerability CVE-2026-48153 was detected. This vulnerability allows an attacker to perform a Server-Side Request Forgery (SSRF) attack, potentially exposing internal hosts and cloud metadata. This occurs because the fetchToken function in the OAuth2 SDK makes a POST request to a builder-supplied URL without applying the standard blacklist.isBlacklisted check, allowing requests to arbitrary hosts without scheme or host restrictions. To address this issue, users should upgrade Budibase to version 3.39.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48153.

    Read more
    Application Development
    28 May 2026 Communication and Collaboration
    Twenty CRM: Remote Code Execution (RCE) via Chained SQL Injection

    In Twenty CRM versions 1.7.7 through 1.16.7 a critical severity vulnerability CVE-2026-46624 was detected. This vulnerability allows an authenticated user to execute arbitrary OS commands on the database server (Remote Code Execution) if the Postgres user is a superuser. This occurs due to a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack, where the timeZone field within the group_by query parameter in the REST API is directly interpolated into a raw SQL expression without any parameterization, validation, or escaping. There’s no fix available for this issue at the moment.. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-46624.

    Read more
    Communication
    28 May 2026 Data Management and Analytics
    pgAdmin 4: SQL Injection and OS Command Execution in Maintenance Tool

    In pgAdmin 4 versions prior to 9.15. a high severity vulnerability CVE-2026-7815 was detected. This vulnerability allows an authenticated user with tools_maintenance permissions to execute arbitrary SQL on the connected PostgreSQL server, which can be escalated to operating-system command execution on the database host. This occurs because four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command without proper sanitization and passed to psql. To address this issue, users should upgrade pgAdmin 4 to version 9.15 or above. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-7815.

    Read more
    Database
    27 May 2026 Data Management and Analytics
    vLLM: Denial of Service in OpenAI-compatible Serving Path

    In vLLM version 0.19.0 a medium severity vulnerability CVE-2026-9540 was detected. This vulnerability allows a remote attacker to cause a Denial of Service (DoS). This occurs due to a flaw in the OpenAI-compatible Serving Path component when processing certain manipulated data. An exploit for this issue is publicly available. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-9540.

    Read more
    Machine Learning
    27 May 2026 Infrastructure and Network
    Wazuh authd: Denial of Service via Heap Buffer Overflow

    In Wazuh authd versions prior to 4.14.4 a low severity vulnerability CVE-2026-32984 was detected. This vulnerability allows an attacker to cause a denial of service (DoS) condition. This occurs due to a heap buffer overflow when the authentication daemon processes specially crafted input, leading to memory corruption and malformed heap data. To address this issue, users should upgrade Wazuh to version 4.14.3 (or later). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-32984.

    Read more
    Security
    27 May 2026 Data Management and Analytics
    Prometheus: Cross-Site Scripting (XSS) in Legacy Web UI Histogram Heatmaps

    In Prometheus versions 2.49.0 to before 3.5.3 and 3.11.3 a low severity vulnerability CVE-2026-44903 was detected. This vulnerability allows an attacker who can inject crafted metrics to execute arbitrary JavaScript (XSS) in the browser of any user viewing the metric. This occurs in the legacy web UI (enabled via the –enable-feature=old-ui flag) because the histogram heatmap chart view fails to properly escape ‘le’ label values when inserting them into the HTML for use as axis tick mark labels. To address this issue, users should upgrade Prometheus to versions 3.5.3 or 3.11.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44903.

    Read more
    Data Analytics
    27 May 2026 Infrastructure and Network
    MinIO: Arbitrary File Read via Path Traversal in ReadMultiple Endpoint

    In MinIO versions RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z a medium severity vulnerability CVE-2026-42600 was detected. This vulnerability allows an attacker holding the cluster root JWT to read arbitrary files from outside the configured drive roots via a path traversal attack. This occurs because the ReadMultiple internode storage-REST endpoint improperly processes a msgpack-encoded POST request containing “../” sequences in the Bucket field, causing the server to open and return the contents of unintended files (bounded only by the MinIO process UID). To address this issue, users should upgrade MinIO to version RELEASE.2026-04-14T21-32-45Z. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42600.

    Read more
    Storage
    Proactive Insights and Support For Open-Source Applications
    Contact us: Whatsapp
    Company
    • About Hossted
    • Data Processing Addendum
    Solutions
    • Applications
    • Support Plans
    • About Solution
    Resources
    • FAQ
    • Knowledge Base

    © HOSSTED 2026 All rights reserved

    • Privacy Policy
    • Terms and Conditions
    • Cookies Policy
    Cookie Settings

    We use cookies to measure marketing efforts and improve our services. Please review the cookie settings and confirm your choice.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}