In changedetection.io versions prior to 0.54.4, a critical severity vulnerability, CVE-2026-29065, was detected. This vulnerability allows attackers to overwrite arbitrary files via path traversal in the backup restore functionality by uploading crafted ZIP archives (Zip Slip). To address this issue, users should upgrade changedetection.io to version 0.54.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29065.
Monitoring

In changedetection.io versions prior to 0.54.4, a medium severity vulnerability, CVE-2026-29039, was detected. This vulnerability allows attackers to read arbitrary files on the server by supplying malicious XPath expressions using the unparsed-text() function via the include_filters field. To address this issue, users should upgrade changedetection.io to version 0.54.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29039.
Monitoring

In changedetection.io versions prior to 0.54.4, a medium severity vulnerability, CVE-2026-29038, was detected. This vulnerability allows attackers to execute reflected cross-site scripting (XSS) by injecting malicious JavaScript through the tag_uuid parameter in the /rss/tag/ endpoint, which is rendered without HTML escaping. To address this issue, users should upgrade changedetection.io to version 0.54.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29038.
Monitoring

In Ghost versions 5.101.6 to 6.19.2, a high severity vulnerability, CVE-2026-29784, was detected. This vulnerability allows attackers to exploit incomplete CSRF protections around the /session/verify endpoint, enabling the use of one-time codes (OTCs) in login sessions different from the requesting session. In some scenarios, this could have made it easier for phishers to take over a Ghost site. To address this issue, users should upgrade Ghost to version 6.19.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29784.
CMS

In Budibase versions 3.31.5 and earlier, a critical severity vulnerability, CVE-2026-30240, was detected. This vulnerability allows an authenticated user with builder privileges to perform path traversal via the PWA ZIP processing endpoint (`POST /api/pwa/process-zip`), enabling reading of arbitrary files on the server, including `/proc/1/environ`, which contains JWT secrets, database credentials, encryption keys, and API tokens. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-30240.
Application Development

In Budibase versions 3.24.0 and earlier, a high severity vulnerability, CVE-2026-25737, was detected. This vulnerability allows an attacker to bypass file extension restrictions enforced only at the UI level and upload arbitrary malicious files to the server. Exploiting this vulnerability can lead to code execution or compromise of the platform. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25737.
Application Development

In Budibase versions 3.32.3 and prior, a high severity vulnerability, CVE-2026-25045, was detected. This vulnerability allows a Creator-level user to bypass server-side RBAC checks in the `/api/global/users` endpoints, enabling actions such as promoting App Viewers to Tenant Admins, demoting Tenant Admins, or modifying the Owner's account details and orders. Exploiting this vulnerability can lead to full tenant compromise. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25045.
Application Development

In Budibase versions 3.23.22 and earlier, a high severity vulnerability, CVE-2026-25041, was detected. This vulnerability allows attackers to execute arbitrary shell commands because the PostgreSQL integration constructs shell commands from user-controlled configuration values (database name, host, password, etc.) without proper sanitization. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25041.
Application Development

In Budibase versions 3.31.4 and earlier, a critical severity vulnerability, CVE-2026-31816, was detected. This vulnerability allows a completely unauthenticated remote attacker to bypass the `authorized()` middleware and access any server-side API endpoint by appending a webhook path pattern to the query string of a request, effectively skipping authentication, authorization, role checks, and CSRF protection. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-31816.
Application Development