In MLflow versions before v3.7.0 a critical severity vulnerability CVE-2025-15036 was detected. A path traversal flaw in the extract_archive_to_dir function allows crafted tar archives to write files outside the intended extraction directory by using malicious member paths. To address this issue, users should update MLflow to versions v3.7.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-15036.
Read more Data Analytics
In Download Monitor plugin for WordPress versions up to and including 5.1.7 a high severity vulnerability CVE-2026-3124 was detected. An Insecure Direct Object Reference in the executePayment() function allows unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between PayPal transaction tokens and local orders, enabling theft of paid digital goods. To address this issue, users should upgrade Download Monitor plugin to version to version 5.1.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-3124.
Read more CMS
In PHP versions 1.0 a low severity vulnerability CVE-2026-5106 was detected. A flaw in the admin update file /admin/update_fst.php allows an unknown function-level issue that could be exploited to manipulate exam form submissions. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-5106.
Read more Web Development
In MLflow version 3.8.0 a critical severity vulnerability CVE-2025-15379 was detected. This vulnerability allows attackers to execute arbitrary commands by supplying a malicious model artifact, as dependency specifications from the python_env.yaml file are unsafely interpolated into shell commands in the _install_model_dependencies_to_env() function when using env_manager=LOCAL. To address this issue, users should upgrade MLflow to version 3.8.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-15379.
Read more Data Analytics
In Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 a high severity vulnerability CVE-2026-2454 was detected. This vulnerability allows a malicious user to cause server out-of-memory (OOM) errors and crash the server by sending corrupted Msgpack frames within WebSocket messages to the Calls plugin due to improper handling of incorrectly reported array lengths. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2454.
Read more Communication
In Mattermost versions 10.11.x <= 10.11.10 a medium severity vulnerability CVE-2026-1629 was detected. This vulnerability allows a user to continue viewing private channel content via previously cached permalink previews even after losing channel access, due to failure to invalidate cached preview data. To address this issue, users should upgrade Mattermost to versions 11.4.0 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1629.
Read more Communication
In Appsmith versions prior to 1.98 a medium severity vulnerability CVE-2026-34411 was detected. This vulnerability allows unauthenticated attackers to access sensitive instance management API endpoints, such as `/api/v1/consolidated-api/view` and `/api/v1/tenants/current`, to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains, which can be used for reconnaissance and targeted attacks. To address this issue, users should upgrade Appsmith to version 1.98 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-34411.
Read more Application Development
In Dolibarr versions 22.0.4 and prior a medium severity vulnerability CVE-2026-34036 was detected. This vulnerability allows an authenticated user with no specific privileges to read arbitrary non-PHP files on the server (e.g., .env, .htaccess, configuration backups, logs) by exploiting a Local File Inclusion (LFI) flaw in the `/core/ajax/selectobject.php` endpoint via the `objectdesc` parameter and a fail-open logic in the `restrictedArea()` access control function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-34036.
Read more ERP
In Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 a medium severity vulnerability CVE-2026-2457 was detected. This vulnerability allows authenticated attackers to spoof permalink embeds and impersonate other users by submitting crafted metadata through the post update API endpoint due to insufficient sanitization of client-supplied input. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2457.
Read more Communication