Proactive Insights and Support For Open-Source Applications
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
Book a demo
Book a demo
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
  • Home
  • Knowledge Base
  • Newsflash

Our news and updates

All OSSpediaArticlesHow ToNewsflashCase Studies
Don't Miss out!
Join our newsletter for exclusive updates on open source innovations.

    Choose category
    • Communication
      • Communication
    • Communication and Collaboration
      • Utility
      • Communication and Collaboration
      • Communication
    • Specialized Software
      • Educational
      • Graphic Design
    • Business and Enterprise Solutions
      • Customer Service
      • Productivity
      • Supply Chain Management (SCM)
      • CRM
      • E-commerce
      • CMS
      • Marketing Automation
      • ERP
    • Project and Agile Management
      • Project Management
      • IT Business Management
    • Infrastructure and Network
      • CMS
      • Networking
      • Storage
      • Security
    • DevOps
      • DevOps
      • Mobile App Development
      • Backup and Recovery
      • Data Analytics
      • Web Development
      • Developer Stacks
      • Cloud Computing
      • Monitoring
      • Application Development
      • Developer Tools
    • Data Management and Analytics
      • Communication
      • Application Development
      • Analytics
      • Machine Learning
      • Database
      • Data Analytics
    27 May 2026 Communication and Collaboration
    Mattermost: Information Disclosure via Improper API Data Sanitization

    In Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, and 10.11.x <= 10.11.14 a medium severity vulnerability CVE-2026-3636 was detected. This vulnerability allows a user without elevated permissions to obtain sensitive data regarding team members’ roles. This occurs because the application fails to properly sanitize team member data when it is returned via various team API endpoints. To address this issue, users should upgrade Mattermost to version Version 11.7.0 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-3636.

    Read more
    Communication
    26 May 2026 Data Management and Analytics
    pgAdmin 4: Stored XSS in Browser Tree and Explain Visualizer

    In pgAdmin 4 versions before 9.15 a medium severity vulnerability CVE-2026-7814 was detected. This vulnerability allows an attacker to execute Stored Cross-Site Scripting (XSS) attacks. This occurs because user-controlled PostgreSQL object names are unsafely assigned to DOM elements via innerHTML in the Browser Tree and Explain Visualizer modules, allowing attacker-supplied JavaScript to execute when a user navigates to or executes EXPLAIN over the malicious object. To address this issue, users should upgrade pgAdmin 4 to version 9.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-7814.

    Read more
    Database
    26 May 2026 Business and Enterprise Solutions
    Adobe Commerce: Security Feature Bypass / Arbitrary File System Write via Improper Input Validation

    In Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier a low severity vulnerability CVE-2026-34685 was detected. This vulnerability allows a high-privileged attacker to bypass security measures and gain unauthorized write access (potentially leading to arbitrary file system writes). This occurs due to improper input validation. Exploitation of this issue requires user interaction, meaning a victim must visit a maliciously crafted URL or interact with a compromised web page. To address this issue, users should upgrade Adobe Commerce to version 2.4.9 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-34685.

    Read more
    E-commerce
    26 May 2026 DevOps
    Plane: Sensitive Information Disclosure via ORM Field Reference Injection

    In Plane versions 1.3.0 and below a medium severity vulnerability CVE-2026-40102 was detected. This vulnerability allows an authenticated workspace member to extract sensitive data, including bcrypt password hashes, API tokens, and user email addresses. This occurs due to an Object-Relational Mapping (ORM) Field Reference Injection flaw in the SavedAnalyticEndpoint, where the user-controlled “segment” query parameter is passed directly to a Django F() expression without validation. By crafting a specific segment value, an attacker can traverse foreign-key relationships (e.g., workspace__owner__password) and have the referenced field values returned directly in the JSON response. To address this issue, users should upgrade Plane to version 1.3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40102.

    Read more
    Developer Tools
    26 May 2026 Data Management and Analytics
    JupyterLab: Extension Manager API/GUI Policy Discrepancy

    In JupyterLab versions 4.0.0 through 4.5.6 a high severity vulnerability CVE-2026-42266 was detected. This vulnerability allows an attacker to install malicious third-party extensions via a POST request. This occurs because the allow-list for the PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced, allowing packages outside the default PyPI index to be installed. To address this issue, users should upgrade JupyterLab to version 4.5.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42266.

    Read more
    Machine Learning
    26 May 2026 Business and Enterprise Solutions
    Joomla! Core: Incorrect Access Control in com_scheduler

    In Joomla! Core versions 4.1.0 through 5.4.5 a medium severity vulnerability CVE-2026-48900 was detected. This vulnerability allows low-privileged users to edit the task types of existing scheduler tasks due to an improper access control check in the com_scheduler component. To address this issue, users should upgrade Joomla! Core to version 5.4.6 (or later). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48900.

    Read more
    CMS
    25 May 2026 DevOps
    Drupal core: Cross-Site Scripting (XSS) via Improper Input Neutralization

    In Drupal core versions 8.0.0 before 10.5.9, 10.6.0 before 10.6.7, 11.0.0 before 11.2.11, and 11.3.0 before 11.3.7 a critical severity vulnerability CVE-2026-6365 was detected. This vulnerability allows an attacker to execute Cross-Site Scripting (XSS) attacks due to the improper neutralization of input during web page generation. To address this issue, users should upgrade Drupal core to versions 10.5.9, 10.6.7, 11.2.11, or 11.3.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-6365.

    Read more
    Application Development
    25 May 2026 Infrastructure and Network
    authentik: Confidential OAuth client_secret Exposure via API

    In authentik versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2 a high severity vulnerability CVE-2026-40166 was detected. This vulnerability allows authenticated non-admin users to retrieve the confidential OAuth client_secret of providers they have previously authenticated against. This occurs because the GET /api/v3/oauth2/access_tokens/ endpoint improperly includes a nested provider object containing the client_id and client_secret in its response, exposing sensitive information to low-privilege users. To address this issue, users should upgrade authentik to versions 2025.12.5 or 2026.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40166.

    Read more
    Security
    25 May 2026 Data Management and Analytics
    MongoDB Server: Post-Authentication Denial of Service (DoS) via Use-After-Free in JavaScript Engine

    In MongoDB Server versions v8.2 prior to 8.2.9 and v8.3 prior to 8.3.2 a high severity vulnerability CVE-2026-8336 was detected. This vulnerability allows an authenticated user to cause a post-authentication Denial of Service (DoS) by crashing the mongod process. This occurs due to a use-after-free error when the $_internalJsEmit function (which is not intended to be directly accessible) or the mapreduce command’s map function is invoked in a specific way, followed by subsequent use of the server-side JavaScript engine (e.g., through $where, $function, or mapreduce reduce stage). To address this issue, users should upgrade MongoDB Server to versions 8.2.9 or 8.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-8336.

    Read more
    Database
    Proactive Insights and Support For Open-Source Applications
    Contact us: Whatsapp
    Company
    • About Hossted
    • Data Processing Addendum
    Solutions
    • Applications
    • Support Plans
    • About Solution
    Resources
    • FAQ
    • Knowledge Base

    © HOSSTED 2026 All rights reserved

    • Privacy Policy
    • Terms and Conditions
    • Cookies Policy
    Cookie Settings

    We use cookies to measure marketing efforts and improve our services. Please review the cookie settings and confirm your choice.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}