In Jenkins versions 2.442 through 2.554 and LTS versions 2.426.3 through 2.541.2, a high-severity vulnerability, CVE-2026-33002, was detected. The origin check on the CLI WebSocket endpoint compared the request's Origin against the Host or X-Forwarded-Host header, values the attacker controls during a DNS rebinding attack: once the attacker's hostname is re-pointed at the Jenkins controller's IP, the victim's browser connects with Origin and Host both naming the attacker's domain, so the check passes. To address this issue, users should upgrade Jenkins to version 2.555 or later, or LTS 2.541.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33002.
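The difference between the broken and the correct origin check, as an added illustration that is not Jenkins code: the vulnerable form derives the "expected" host from the request itself, while the hardened form compares Origin against a root URL configured on the server. The header dictionaries and the root URL are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed WebSocket upgrade headers. Under DNS rebinding the attacker's
# hostname is re-pointed at the server's IP after the victim's browser has
# loaded the attacker's page, so the browser reaches the server with Host and
# Origin both naming the attacker's domain. Origin itself cannot be forged.
REBOUND_HEADERS = {
    "Host": "attacker.example",
    "Origin": "http://attacker.example",
}
# Reverse-proxy variant: Host is rewritten by the proxy, and a forwarded header
# is trusted instead. If the proxy does not overwrite X-Forwarded-Host, it is
# exactly as attacker-controlled as Host.
SPOOFED_XFH_HEADERS = {
    "Host": "127.0.0.1:8080",
    "X-Forwarded-Host": "attacker.example",
    "Origin": "http://attacker.example",
}
# What a legitimate browser session on the real UI sends.
LEGIT_HEADERS = {
    "Host": "ci.internal.example",
    "Origin": "https://ci.internal.example",
}

# Hypothetical server-side setting. This is the only trustworthy answer to
# "what is my public URL?": it never comes from the request.
CONFIGURED_ROOT_URL = "https://ci.internal.example/"


def _scheme_hostport(url: str) -> tuple:
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def origin_check_vulnerable(headers: dict) -> bool:
    """Vulnerable pattern: the expected host is read from the request headers,
    so anything that makes Host and Origin agree (DNS rebinding) passes."""
    expected = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    origin = headers.get("Origin", "")
    return _scheme_hostport(origin)[1] == expected.lower()


def origin_check_hardened(headers: dict, root_url: str = CONFIGURED_ROOT_URL) -> bool:
    """Hardened pattern: Origin must match the configured root URL exactly
    (scheme and host:port). A missing Origin is a failure, not a pass."""
    origin = headers.get("Origin")
    if not origin:
        return False
    return _scheme_hostport(origin) == _scheme_hostport(root_url)


if __name__ == "__main__":
    for label, h in [("rebound", REBOUND_HEADERS),
                     ("spoofed X-Forwarded-Host", SPOOFED_XFH_HEADERS),
                     ("legit", LEGIT_HEADERS)]:
        print(f"{label:26} vulnerable={origin_check_vulnerable(h)} "
              f"hardened={origin_check_hardened(h)}")
```

Rebinding lets the attacker choose what the Host header says; it does not let the attacker's page send a different Origin. That is why the fix is to stop using request headers as the reference value at all and compare against configuration. If no root URL is configured, the hardened check should fail closed rather than fall back to Host.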
In Jenkins versions 2.554 and earlier, and LTS versions 2.541.2 and earlier, a high-severity vulnerability, CVE-2026-33001, was detected. Symbolic links inside .tar and .tar.gz archives were handled unsafely during extraction, so an attacker with Item/Configure permission could supply an archive whose symlinks point outside the extraction directory and thereby write arbitrary files on the filesystem. To address this issue, users should upgrade Jenkins to version 2.555 or later, or LTS 2.541.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33001.
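The archive shape behind this class of bug, and an extraction routine that refuses it, as an added example written for this page (not Jenkins code, which is Java): a symlink member that resolves above the destination, followed by a regular file whose path runs through that symlink. A naive extractor creates the link first and then writes the file wherever the link points. Both archives below are constructed in memory; `audit_members` and `safe_extract` are the example's own names.

```python
import io
import os
import posixpath
import tarfile
import tempfile


def build_tar(entries):
    """Build a gzip tar in memory from (name, kind, payload) tuples, where kind
    is 'file' (payload = bytes) or 'symlink' (payload = link target).
    Only used to construct the sample archives for this demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed attacker archive: link out of the tree, then write through it.
MALICIOUS_TAR = build_tar([
    ("escape", "symlink", "../outside"),
    ("escape/pwned.txt", "file", b"written outside the destination\n"),
])
# Constructed benign archive: a relative link that stays inside the tree.
BENIGN_TAR = build_tar([
    ("pkg/README", "file", b"hello\n"),
    ("pkg/current", "symlink", "README"),
])


def _escapes(path: str) -> bool:
    """True if a tar path is absolute or, once normalised, climbs above the root."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def audit_members(archive: bytes):
    """Return [(member_name, verdict)], verdict 'ok' or a rejection reason.
    Every symlink name is remembered, accepted or not, so a later member whose
    path passes through it is rejected instead of being written via the link."""
    symlinks = set()
    verdicts = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            if _escapes(m.name):
                verdicts.append((m.name, "path escapes destination"))
            elif any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                verdicts.append((m.name, "path goes through an earlier symlink"))
            elif m.issym():
                symlinks.add(name)
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                verdicts.append((m.name, f"symlink target escapes: {m.linkname}"
                                 if _escapes(target) else "ok"))
            elif m.islnk():
                verdicts.append((m.name, f"hardlink target escapes: {m.linkname}"
                                 if _escapes(m.linkname) else "ok"))
            elif m.isfile() or m.isdir():
                verdicts.append((m.name, "ok"))
            else:
                verdicts.append((m.name, "unsupported member type"))
    return verdicts


def safe_extract(archive: bytes, dest: str) -> list:
    """Audit the whole archive first; refuse it entirely if any member fails."""
    bad = [(n, v) for n, v in audit_members(archive) if v != "ok"]
    if bad:
        raise ValueError(f"unsafe archive: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        if hasattr(tarfile, "data_filter"):   # Python 3.12+ (and backports)
            tar.extraction_filter = tarfile.data_filter
        tar.extractall(dest)
    return [n for n, _ in audit_members(archive)]


def demo():
    """Run both archives through safe_extract into a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            safe_extract(MALICIOUS_TAR, dest)
            malicious_blocked = False
        except ValueError:
            malicious_blocked = True
        benign_names = safe_extract(BENIGN_TAR, dest)
        with open(os.path.join(dest, "pkg", "README"), "rb") as fh:
            readme = fh.read()
    return malicious_blocked, benign_names, readme


if __name__ == "__main__":
    print(demo())
```

The "path goes through an earlier symlink" rule is deliberately conservative: it also rejects a legitimate in-tree link followed by a file written through it, because the safe answer to "is this path still inside the destination?" depends on filesystem state the audit does not want to reason about. Rejecting the whole archive on the first bad member, rather than skipping that member, avoids leaving a half-extracted tree behind. Newer Python releases ship `tarfile.data_filter` for the same purpose; the audit above makes the policy explicit and portable.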
In Kanboard versions prior to 1.2.51, a high-severity vulnerability, CVE-2026-33058, was detected. A user who is allowed to add users to a project can inject SQL through that function and read out the entire Kanboard database. To address this issue, users should upgrade Kanboard to version 1.2.51 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33058.
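Why a low-privilege "add a user to this project" feature can hand over the whole database, as an added example that is not Kanboard code (Kanboard is PHP; the table and column names here are illustrative, not its schema): when the supplied username is spliced into the SQL text, the caller controls the query's shape, and a UNION turns a membership lookup into a dump of every credential row. The in-memory SQLite database and the payload are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
        CREATE TABLE project_has_users (project_id INTEGER, user_id INTEGER);
        INSERT INTO users VALUES (1, 'alice', '$2y$10$alice-hash'),
                                 (2, 'bob',   '$2y$10$bob-hash');
    """)
    return conn


def resolve_user_vulnerable(conn, username: str):
    """Vulnerable: the identifier is interpolated into the SQL text, so whoever
    may call this decides what the WHERE clause (and the rest) says."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def resolve_user_safe(conn, username: str):
    """Fixed: a bound parameter. The value is data and can never alter the query."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE username = ?", (username,))]


def add_user_to_project(conn, project_id: int, username: str, resolver):
    """The feature the attacker is legitimately allowed to use. Its intended
    output is only success or failure, but with the vulnerable resolver the
    rows it works with are attacker-shaped, which is the leak."""
    matches = resolver(conn, username)
    if not matches:
        return None
    conn.execute("INSERT INTO project_has_users VALUES (?, ?)",
                 (project_id, matches[0]))
    return matches


# Constructed payload: close the string literal, UNION in a second SELECT that
# returns every username:hash pair, and comment out the dangling quote.
PAYLOAD = "' UNION SELECT username || ':' || password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", sorted(resolve_user_vulnerable(db, PAYLOAD)))
    print("safe:      ", resolve_user_safe(db, PAYLOAD))
```

The bound-parameter version also stops being fragile on ordinary input: a username containing a quote is a syntax error for the interpolated query and a plain no-match for the parameterised one. The defensive check for this bug class is mechanical: grep the data-access layer for string formatting or concatenation that feeds `execute`, and treat every hit as a finding until proven otherwise.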
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a medium-severity vulnerability, CVE-2026-27491, was detected. A type coercion issue in a post actions API endpoint lets non-staff users issue official warnings to other users, bypassing the intended staff-only restriction. To address this issue, users should upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27491.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a medium-severity vulnerability, CVE-2026-27570, was detected. The conversation title is rendered in the Shared AI Conversation onebox without proper sanitization, so an attacker who controls that title can store cross-site scripting (XSS) payloads that execute for anyone viewing the onebox. To address this issue, users should upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27570.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a medium-severity vulnerability, CVE-2026-27740, was detected. AI-generated content is rendered in the Review Queue interface without proper sanitization, so an attacker who can influence that content can store cross-site scripting (XSS) payloads that execute for reviewers. To address this issue, users should upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27740.
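Both Discourse entries above are the same bug class: untrusted text (a conversation title, model output) reaching HTML without output encoding for the context it lands in. The example below is added for this page and is not Discourse code (Discourse is Ruby): it renders a constructed title three ways and parses the result to show which variants still deliver a tag or an event-handler attribute. The onebox markup and the title are constructed; the point it makes beyond the two entries is that escaping must match the context, since escaping only `<`, `>` and `&` protects a text node but not a quoted attribute.

```python
from html import escape
from html.parser import HTMLParser

# Constructed attacker-controlled title. It breaks out of an attribute value
# first and then injects tags, so it covers both contexts at once.
TITLE = '"><img src=x onerror=alert(document.cookie)><script>alert(1)</script>'


def render_onebox_vulnerable(title: str) -> str:
    """Vulnerable: the title is interpolated raw into an attribute and a text node."""
    return f'<a class="onebox" title="{title}">{title}</a>'


def render_onebox_half_fixed(title: str) -> str:
    """Common mistake: escaping only <, > and & (quote=False). The text node is
    safe, but the attacker can still close the title attribute with a quote and
    add attributes of their own."""
    safe = escape(title, quote=False)
    return f'<a class="onebox" title="{safe}">{safe}</a>'


def render_onebox_fixed(title: str) -> str:
    """Fixed: html.escape with quote=True (the default) also encodes " and ',
    which is what a double-quoted attribute value needs."""
    safe = escape(title, quote=True)
    return f'<a class="onebox" title="{safe}">{safe}</a>'


class _TagCollector(HTMLParser):
    """Collects start tags and attribute names, so the demo can check what the
    markup actually contains rather than eyeballing strings."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(k for k, _ in attrs)


def parsed_tags_and_attrs(markup: str):
    """Return (sorted unique tag names, sorted unique attribute names)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return sorted(set(p.tags)), sorted(set(p.attrs))


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_onebox_vulnerable),
                     ("half_fixed", render_onebox_half_fixed),
                     ("fixed", render_onebox_fixed)]:
        print(name, parsed_tags_and_attrs(fn(TITLE)))
```

The parser check is the thing to keep: a regression test that asserts the rendered markup contains exactly the tags and attributes the template intended catches the next template that forgets to escape, regardless of which payload the reporter used.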
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a high-severity vulnerability, CVE-2026-27934, was detected. The user action API endpoint returned private topic titles and post excerpts without checking whether the requester was allowed to see those topics, disclosing that information to unauthorized users. To address this issue, users should upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27934.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a medium-severity vulnerability, CVE-2026-27935, was detected. An API endpoint let moderator users read private topic metadata belonging to admin users, even when the moderator had no permission to view those topics. To address this issue, users should upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27935.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a low-severity vulnerability, CVE-2026-28282, was detected. Users with policy creation permissions could bypass restrictions and gain membership in private or restricted groups, potentially granting access to private topics intended only for those groups. To address this issue, users should upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28282.