In FreeScout versions prior to 1.8.206 a critical severity vulnerability CVE-2026-27637 was detected. This vulnerability allows attackers to compute predictable authentication tokens using `MD5(user_id + created_at + APP_KEY)`, enabling full account takeover, including administrative accounts, without requiring a password. To address this issue, users should upgrade FreeScout to version 1.8.206 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27637.
In FreeScout versions prior to 1.8.206 a critical severity vulnerability CVE-2026-27636 was detected. This vulnerability allows authenticated users to upload `.htaccess` files on Apache servers with `AllowOverride All`, bypassing file upload restrictions and enabling remote code execution. To address this issue, users should upgrade FreeScout to version 1.8.206 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27636.
In Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a high severity vulnerability CVE-2026-26265 was detected. This vulnerability allows any user, including anonymous users, to retrieve private user field values from the directory by exploiting an IDOR in the `directory items` endpoint, bypassing visibility restrictions and potentially exposing sensitive information such as phone numbers or addresses. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26265.
In Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a medium severity vulnerability CVE-2026-26207 was detected. This vulnerability allows any authenticated user to interact with policies on posts they do not have permission to view and to enumerate which posts have policies attached, due to missing access checks in the `discourse-policy` plugin. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26207.
In Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a medium severity vulnerability CVE-2026-26078 was detected. This vulnerability allows an attacker to forge valid Patreon webhook signatures when the `patreon_webhook_secret` site setting is blank, enabling unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26078.
In Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a medium severity vulnerability CVE-2026-26077 was detected. This vulnerability allows unauthenticated attackers to forge webhook payloads on several endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) when no authentication token is configured, potentially inflating user bounce scores and causing legitimate user emails to be disabled. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26077.
In Dolibarr ERP/CRM version 10.0.1 a high severity vulnerability CVE-2019-25452 was detected. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries via the `elemid` POST parameter in the `viewcat.php` endpoint, potentially exposing sensitive database information through error-based or time-based blind SQL injection. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2019-25452.
In Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a medium severity vulnerability CVE-2026-27162 was detected. This vulnerability allows authenticated users to access posts that should be restricted, including whispers, because the `posts_nearby` endpoint returned all posts regardless of type without properly filtering by user permissions. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27162.
In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0 a low severity vulnerability CVE-2026-27150 was detected. This vulnerability allows any logged-in user to create bookmarks for query groups they do not have access to due to missing `validate_before_create` authorization in Data Explorer’s `QueryGroupBookmarkable`, enabling metadata disclosure via bookmark reminder notifications. To address this issue, users must upgrade to Discourse versions 2025.12.2, 2026.1.1 or 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27150.