Our news and updates

In Vaultwarden versions prior to 1.35.4 a high severity vulnerability CVE-2026-27803 was detected. This vulnerability allows users with the Manager role to perform collection management operations even when their `manage` permission is set to false, as long as they have access to the collection. To address this issue, users should upgrade Vaultwarden to version 1.35.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27803.

In ZITADEL versions 4.0.0-rc.1 to 4.7.0 a critical severity vulnerability CVE-2026-29067 was detected. This vulnerability allows attackers to manipulate the Forwarded or X-Forwarded-Host header used in the password reset mechanism of Login V2, potentially constructing malicious password reset URLs that could lead to account takeover. To address this issue, users should upgrade ZITADEL to version 4.7.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29067.

In Zabbix versions 6.0.0 up to 6.0.40, 7.0.0 up to 7.0.17, 7.4.0 up to 7.4.1 a high severity vulnerability was detected. This vulnerability allows authenticated users with the User role and template/host write permissions to create objects via the configuration.import API, potentially leading to unauthorized host creation and confidentiality loss. To address this issue, users should upgrade Zabbix to versions 6.0.41, 7.0.18 or 7.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23925.

In Istio versions prior to 1.29.1, 1.28.5, and 1.27.8 a high severity vulnerability CVE-2026-31837 was detected. This vulnerability allows attackers to access hardcoded default key material if the JWKS resolver becomes unavailable or the fetch fails, regardless of the use of the RequestAuthentication resource. To address this issue, users should upgrade Istio to versions 1.29.1, 1.28.5 or 1.27.8. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-31837.

In Kestra versions 1.1.10 and prior a medium severity vulnerability CVE-2026-29082 was detected. This vulnerability allows attackers to execute stored cross-site scripting (XSS) by injecting malicious Markdown (.md) content in the execution-file preview, which is rendered with markdown-it as HTML and injected via Vue’s v-html without sanitization. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29082.

In ZITADEL versions 4.0.0 to 4.12.0 a high severity vulnerability CVE-2026-29193 was detected. This vulnerability allows attackers to bypass login behavior and security policies in the Login V2 UI, enabling self-registration of new accounts or signing in with a password even if these options were disabled in their organization. To address this issue, users should upgrade ZITADEL to version 4.12.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29193.

In ZITADEL versions 4.0.0 to 4.11.1 a high severity vulnerability CVE-2026-29192 was detected. This vulnerability allows attackers to perform a stored cross-site scripting (XSS) attack via the Default URI Redirect in the Login V2 interface, potentially leading to account takeover. To address this issue, users should upgrade ZITADEL to version 4.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29192.

In ZITADEL versions 4.0.0 to 4.11.1 a critical severity vulnerability CVE-2026-29191 was detected. This vulnerability allows attackers to perform a cross-site scripting (XSS) attack in the /saml-post endpoint of the Login V2 interface, potentially enabling a 1-click account takeover. To address this issue, users should upgrade ZITADEL to version 4.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29191.