Proactive Insights and Support For Open-Source Applications
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
Book a demo
Book a demo
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
  • Home
  • Knowledge Base
  • Newsflash

Our news and updates

All OSSpediaArticlesHow ToNewsflashCase Studies
Don't Miss out!
Join our newsletter for exclusive updates on open source innovations.

    Choose category
    • Communication
      • Communication
    • Communication and Collaboration
      • Utility
      • Communication and Collaboration
      • Communication
    • Specialized Software
      • Educational
      • Graphic Design
    • Business and Enterprise Solutions
      • Customer Service
      • Productivity
      • Supply Chain Management (SCM)
      • CRM
      • E-commerce
      • CMS
      • Marketing Automation
      • ERP
    • Project and Agile Management
      • Project Management
      • IT Business Management
    • Infrastructure and Network
      • CMS
      • Networking
      • Storage
      • Security
    • DevOps
      • DevOps
      • Mobile App Development
      • Backup and Recovery
      • Data Analytics
      • Web Development
      • Developer Stacks
      • Cloud Computing
      • Monitoring
      • Application Development
      • Developer Tools
    • Data Management and Analytics
      • Communication
      • Application Development
      • Analytics
      • Machine Learning
      • Database
      • Data Analytics
    25 May 2026 Data Management and Analytics
    MLflow: Authentication Bypass via FastAPI Middleware

    In MLflow versions 3.9.0 and earlier a high severity vulnerability CVE-2026-2652 was detected. This vulnerability allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. This occurs due to an architectural mismatch between Flask and FastAPI authentication mechanisms, where the FastAPI permission middleware fails to enforce authentication on non-/gateway/ routes (such as the Job API and OpenTelemetry trace ingestion API) when the server is started with basic authentication enabled and served via uvicorn. To address this issue, users should upgrade MLflow to version 3.10.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2652.

    Read more
    Data Analytics
    25 May 2026 Communication and Collaboration
    Mattermost: Unauthorized File Access via Improper Ownership Validation in Boards API

    In Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, and 10.11.x <= 10.11.14 a medium severity vulnerability CVE-2026-3473 was detected. This vulnerability allows an authenticated user to access and download files belonging to other users or teams. This occurs due to improper file ownership validation and access control in the Boards API, where crafted requests using valid file IDs are processed without verifying the requester’s permissions. To address this issue, users should upgrade Mattermost to version 11.7.0 and higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-3473.

    Read more
    Communication
    22 May 2026 Data Management and Analytics
    MongoDB Server: Denial of Service (DoS) via Aggregation Operators CPU Exhaustion

    In MongoDB Server versions v7.0 prior to 7.0.34, v8.0 prior to 8.0.23, v8.2 prior to 8.2.9, and v8.3 prior to 8.3.2 a medium severity vulnerability CVE-2026-8202 was detected. This vulnerability allows an authenticated user with aggregation permissions to cause a Denial of Service (DoS) by pinning CPU utilization at 100% for an extended period. This occurs when a densely populated chars mask and a large input string are used in the MongoDB aggregation operators $trim, $ltrim, and $rtrim. To address this issue, users should upgrade MongoDB Server to versions 7.0.34, 8.0.23, 8.2.9, or 8.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-8202.

    Read more
    Database
    22 May 2026 DevOps
    GitLab EE: Improper Access Control Allowing Removal of Code Owner Approval Rules

    In GitLab EE versions 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 a medium severity vulnerability CVE-2026-6063 was detected. This vulnerability allows an authenticated user with developer-role permissions to remove code owner approval rules from merge requests under certain conditions due to improper access control. To address this issue, users should upgrade GitLab EE to versions 18.9.7, 18.10.6, or 18.11.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-6063.

    Read more
    Developer Tools
    22 May 2026 DevOps
    GitBucket: Unauthenticated Remote Code Execution

    In GitBucket version 4.23.1 a critical severity vulnerability CVE-2018-25332 was detected. This vulnerability allows an unauthenticated attacker to execute arbitrary commands remotely (RCE). This occurs due to weak secret token generation and insecure file upload functionality. An attacker can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint. To address this issue, users should upgrade GitBucket to version [укажите исправленную версию]. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2018-25332.

    Read more
    Developer Tools
    22 May 2026 Communication and Collaboration
    Mattermost Plugins: Subscription Access Bypass via Namespace Prefix Collision

    In Mattermost Plugins versions <= 11.5, 11.1.5, 10.13.11, and 11.3.4.0 a medium severity vulnerability CVE-2026-6342 was detected. This vulnerability allows plugin users to create subscriptions to groups that were not whitelisted. This occurs because the system fails to appropriately check for valid namespaces, allowing attackers to bypass restrictions by creating groups that share the same prefix as a whitelisted group. There's no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-6342.

    Read more
    Communication
    21 May 2026 Infrastructure and Network
    authentik: Authentication Bypass via SAML NameID XML Comment Injection

    In authentik versions 2025.12.4 and prior, and 2026.2.0-rc1 through 2026.2.2 a high severity vulnerability CVE-2026-40165 was detected. This vulnerability allows an attacker to bypass authentication and gain unauthorized access to other user accounts. This occurs because an attacker can inject an XML comment into the SAML NameID value, causing authentik to truncate the identifier to the portion before the comment. The issue can be exploited if the attacker has an account on a SAML Source with XML Signing enabled and the ability to modify their NameID value. To address this issue, users should upgrade authentik to versions 2025.12.5 or 2026.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40165.

    Read more
    Security
    21 May 2026 DevOps
    Argo Workflows: TemplateReferencing Strict Mode Bypass

    In Argo Workflows versions prior to 3.7.14 and 4.0.5 a high severity vulnerability CVE-2026-42296 was detected. This vulnerability, which is an incomplete fix for CVE-2026-31892, allows users with “create Workflow” permissions to bypass the template Referencing Strict mode. By exploiting this, attackers can gain host network access, switch service accounts, override pod security contexts, add tolerations to schedule on control-plane nodes, or enable service account token mounting. Environments relying solely on Argo’s Strict mode without additional Kubernetes-level controls (like PodSecurity admission) are fully exposed. To address this issue, users should upgrade Argo Workflows to versions 3.7.14 or 4.0.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42296.

    Read more
    Developer Tools
    21 May 2026 Data Management and Analytics
    CKAN: CSRF Protection Bypass via Anonymous Requests

    In CKAN versions prior to 2.10.10 and 2.11.5 a medium severity vulnerability CVE-2026-41255 was detected. This vulnerability allows an attacker to bypass Cross-Site Request Forgery (CSRF) protections. This occurs because accessing views via tokens or unauthenticated requests globally marks the endpoint as not requiring CSRF protection for the lifetime of the server process (e.g., a single worker of uWSGI), exposing subsequent authenticated requests to CSRF attacks. To address this issue, users should upgrade CKAN to versions 2.10.10 or 2.11.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-41255.

    Read more
    Data Analytics
    Proactive Insights and Support For Open-Source Applications
    Contact us: Whatsapp
    Company
    • About Hossted
    • Data Processing Addendum
    Solutions
    • Applications
    • Support Plans
    • About Solution
    Resources
    • FAQ
    • Knowledge Base

    © HOSSTED 2026 All rights reserved

    • Privacy Policy
    • Terms and Conditions
    • Cookies Policy
    Cookie Settings

    We use cookies to measure marketing efforts and improve our services. Please review the cookie settings and confirm your choice.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}