In Kanboard versions 1.2.48 and below, a medium-severity vulnerability, CVE-2026-21879, was detected. This vulnerability allows attackers to perform open redirect attacks by abusing protocol-relative URLs (e.g., //evil.com) that bypass URL validation, redirecting authenticated users to attacker-controlled websites. To address this issue, users should upgrade Kanboard to version 1.2.49. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21879.
In OpenLDAP LMDB mdb_load versions 2.6.10 and prior, a high-severity vulnerability, CVE-2026-22185, was detected. This vulnerability allows local attackers to trigger a heap buffer underflow in the readline() function by supplying malformed input, resulting in an out-of-bounds read of heap memory. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22185.
In the Page Keys plugin for WordPress, versions up to and including 1.3.3, a medium-severity vulnerability, CVE-2025-15000, was detected. This vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts via the page_key parameter due to insufficient input sanitization and output escaping, resulting in stored cross-site scripting (XSS). Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-15000.
In Directus versions before 10.13.0, a medium-severity vulnerability, CVE-2024-39896, was detected. This vulnerability allows attackers to enumerate existing SSO users in the instance by triggering specific error messages when combining SSO providers with local authentication. To address this issue, users should upgrade to version 10.13.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39896.
In Directus versions before 10.11.2, a high-severity vulnerability, CVE-2024-36128, was detected. This vulnerability allows attackers to cause a denial of service by providing a non-numeric length value to the random string generation utility, breaking the ability to generate random strings and affecting session refresh functionality. To address this issue, users should upgrade to version 10.11.2 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36128.
In Directus versions before 10.12.0, a medium-severity vulnerability, CVE-2024-39895, was detected. This vulnerability allows attackers to perform a denial of service (DoS) attack by sending GraphQL queries with duplicated fields, causing excessive resource consumption and impacting legitimate users. To address this issue, users should upgrade to version 10.12.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39895.
In the WP Job Portal WordPress plugin, versions up to and including 2.2.4, a medium-severity vulnerability, CVE-2024-12132, was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to create jobs for companies they are not affiliated with due to missing validation on a user-controlled key. To address this issue, users should upgrade to version 2.2.5 or above. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12132.
In the wp-enable-svg WordPress plugin through version 0.7, a medium-severity vulnerability, CVE-2024-11184, was detected. This vulnerability allows authors and higher-privileged users to upload SVG files containing malicious scripts due to insufficient sanitization during file uploads. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11184.
In the goodlayers-core WordPress plugin before version 2.0.10, a medium-severity vulnerability, CVE-2024-11357, was detected. This vulnerability allows users with the contributor role or higher to perform Stored Cross-Site Scripting (XSS) attacks by exploiting unsanitized and unescaped settings. To address this issue, users should upgrade to version 2.0.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11357.