Proactive Insights and Support For Open-Source Applications
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
Book a demo
Book a demo
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
  • Home
  • Knowledge Base
  • Newsflash

Our news and updates

All OSSpediaArticlesHow ToNewsflashCase Studies
Don't Miss out!
Join our newsletter for exclusive updates on open source innovations.

    Choose category
    • Communication
      • Communication
    • Communication and Collaboration
      • Utility
      • Communication and Collaboration
      • Communication
    • Specialized Software
      • Educational
      • Graphic Design
    • Business and Enterprise Solutions
      • Customer Service
      • Productivity
      • Supply Chain Management (SCM)
      • CRM
      • E-commerce
      • CMS
      • Marketing Automation
      • ERP
    • Project and Agile Management
      • Project Management
      • IT Business Management
    • Infrastructure and Network
      • CMS
      • Networking
      • Storage
      • Security
    • DevOps
      • DevOps
      • Mobile App Development
      • Backup and Recovery
      • Data Analytics
      • Web Development
      • Developer Stacks
      • Cloud Computing
      • Monitoring
      • Application Development
      • Developer Tools
    • Data Management and Analytics
      • Communication
      • Application Development
      • Analytics
      • Machine Learning
      • Database
      • Data Analytics
    8 Jul 2026 Data Management and Analytics
    Supabase: Credential Validation Endpoint Callable with Public Key Enables Password Spraying

    In Supabase versions before 12.128.2 a medium severity vulnerability CVE-2026-56234 was detected. This vulnerability allows attackers to call the POST /functions/v1/private/validate_password_compliance endpoint using only the public Supabase key, leveraging CORS wildcard origin allowance and lack of rate limiting to perform password spraying and credential stuffing to compromise user accounts. To address this issue, users should upgrade Capgo to version 12.128.2 or later.. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-56234.

    Read more
    Data Analytics
    8 Jul 2026 DevOps
    Plane: Security Control Bypass via Plaintext API Keys in PostgREST/RLS Plane

    In Plane versions before 12.128.2 a high severity vulnerability CVE-2026-56243 was detected. This vulnerability allows attackers to bypass organization-level hashed API key enforcement by sending plaintext API keys in the capgkey header to the PostgREST/RLS plane to access protected resources. To address this issue, users should upgrade Plane to version 12.128.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-56243.

    Read more
    Developer Tools
    7 Jul 2026 DevOps
    Kestra: Weak Password Hashing Leading to Privilege Escalation

    In Kestra versions prior to 1.3.24 a high severity vulnerability CVE-2026-55069 was detected. This vulnerability allows an attacker who has gained read access to the database to recover the administrator password offline, potentially leading to vertical privilege escalation. This occurs because the BasicAuth authentication component uses the SHA-512 hashing algorithm, which has a high computation speed and lacks the necessary work factors to deter rapid brute-force or dictionary attacks. If the password is successfully cracked in a Kubernetes deployment, the attacker can further compromise the system by reading the cluster ServiceAccount Token and all Kubernetes Secrets. To address this issue, users should upgrade Kestra to version 1.3.24 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-55069.

    Read more
    Monitoring
    7 Jul 2026 Business and Enterprise Solutions
    Ghost CMS: Arbitrary File Upload and RCE (Disputed)

    In Ghost CMS version 4.42.0 a high severity vulnerability CVE-2022-28397 was reported. This vulnerability reportedly allows an attacker to execute arbitrary code (RCE) via a maliciously crafted file uploaded through the file upload module. However, it should be noted that the vendor disputes this vulnerability, stating that according to Ghost’s security documentation, files can only be uploaded and published by strictly trusted users, and this functionality is intentional. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-28397.

    Read more
    CMS
    7 Jul 2026 DevOps
    Django: SQL Injection via QuerySet.order_by and FilteredRelation

    In Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28 (with earlier unsupported versions potentially affected) a high severity vulnerability CVE-2026-1312 was detected. This vulnerability allows an attacker to execute unauthorized database queries, potentially leading to data exfiltration or modification via SQL Injection (SQLi). This occurs due to a flaw in how .QuerySet.order_by() handles column aliases containing periods when the exact same alias is utilized within FilteredRelation using dictionary expansion. By supplying a specially crafted dictionary, an attacker can manipulate the generated SQL query structure. To address this issue, users should upgrade Django to versions 6.0.2, 5.2.11, 4.2.28, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1312.

    Read more
    Application Development
    7 Jul 2026 Data Management and Analytics
    Elasticsearch: Denial of Service via Uncontrolled Resource Consumption in Bulk Requests

    In Elasticsearch versions including 7.0.0 and before 7.17.24, including 8.0.0 and before 8.15.0 a medium severity vulnerability CVE-2026-49090 was detected. This vulnerability allows an authenticated user to cause a Denial of Service (DoS) by rendering the affected node unable to process requests. This occurs due to an Uncontrolled Resource Consumption (CWE-400) flaw when processing bulk requests. By submitting a specially crafted bulk request, an attacker can trigger sustained high CPU consumption via excessive resource allocation (CAPEC-130), effectively exhausting server resources. To address this issue, users should upgrade Elasticsearch to a patched version 7.17.24 or later, 8.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-49090.

    Read more
    Data Analytics
    7 Jul 2026 Business and Enterprise Solutions
    Dolibarr: PHP Code Injection via Website Module Bypass

    In Dolibarr ERP & CRM versions up to and including 22.0.4 a high severity vulnerability CVE-2026-31018 was detected. This vulnerability allows an authenticated user with restricted privileges (limited to HTML/JavaScript editing) to inject and execute arbitrary PHP code, potentially leading to Remote Code Execution (RCE) and privilege escalation. This occurs due to the inconsistent application of PHP code detection and permission enforcement within the Website module. During website page creation, certain input parameters remain unprotected, allowing an attacker to bypass intended restrictions and supply malicious PHP payloads. To address this issue, users should upgrade Dolibarr to a patched version 23.0.0 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-31018.

    Read more
    ERP
    6 Jul 2026 Business and Enterprise Solutions
    Joomla: Arbitrary File Upload in SP Page Builder Leading to PHP Code Execution

    In Joomla versions before 6.6.2 a critical severity vulnerability CVE-2026-48908 was detected. This vulnerability allows unauthenticated users to upload arbitrary files, resulting in the upload and execution of PHP code. To address this issue, users should upgrade Joomla to version 6.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48908.

    Read more
    CMS
    6 Jul 2026 Business and Enterprise Solutions
    Joomla: Arbitrary File Upload in iCagenda Extension Leading to Remote Code Execution

    In Joomla versions 3.2.1 through 3.9.14, versions 4.0.0 through 4.0.7 a critical severity vulnerability CVE-2026-48939 was detected. This vulnerability allows attackers to upload arbitrary files via the iCagenda file attachment feature, enabling PHP code upload and remote code execution. To address this issue, users should upgrade Joomla to version 3.9.15 and 4.0.8 (or later). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48939.

    Read more
    CMS
    Proactive Insights and Support For Open-Source Applications
    Contact us: Whatsapp
    Company
    • About Hossted
    • Data Processing Addendum
    Solutions
    • Applications
    • Support Plans
    • About Solution
    Resources
    • FAQ
    • Knowledge Base

    © HOSSTED 2026 All rights reserved

    • Privacy Policy
    • Terms and Conditions
    • Cookies Policy
    Cookie Settings

    We use cookies to measure marketing efforts and improve our services. Please review the cookie settings and confirm your choice.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}