In Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a low severity vulnerability CVE-2026-28227 was detected. This vulnerability allows TL4 users to bypass authorization checks and publish topics into staff-only categories using the `publish_to_category` topic timer. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28227.
Read more Communication
In Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a low severity vulnerability CVE-2026-28219 was detected. This vulnerability allows authenticated users to bypass administrative restrictions and modify privileged topic attributes, enabling them to elevate a topic’s status to a site-wide notice or banner via manipulated PUT or POST requests. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28219.
Read more Communication
In Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a medium severity vulnerability CVE-2026-28218 was detected. This vulnerability allows any authenticated user to execute SQL queries in the Data Explorer plugin that have no explicit group assignments, including built-in system queries, due to fail-open access control. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28218.
Read more Communication
In changedetection.io versions prior to 0.54.1 a medium severity vulnerability CVE-2026-27696 was detected. This vulnerability allows an authenticated user—or any user when no password is configured—to perform Server-Side Request Forgery (SSRF) via watch URLs, potentially exposing internal network resources and enabling data exfiltration. To address this issue, users should upgrade changedetection.io to version 0.54.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27696.
Read more Monitoring
In LibreNMS versions 25.12.0 and below a critical severity vulnerability CVE-2026-26988 was detected. This vulnerability allows authenticated attackers to perform SQL Injection via the ajax_table.php endpoint by manipulating the IPv6 address prefix, potentially leading to unauthorized data access or database manipulation. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26988.
Read more Monitoring
In LibreNMS versions 25.12.0 and below a medium severity vulnerability CVE-2026-26987 was detected. This vulnerability allows attackers to perform Reflected Cross-Site Scripting (XSS) via the email field. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26987.
Read more Monitoring
In Penpot versions prior to 2.13.2 a high severity vulnerability CVE-2026-26202 was detected. This vulnerability allows an authenticated user with team edit permissions to read arbitrary files from the server via the `create-font-variant` RPC endpoint by supplying a local file path, potentially exposing sensitive system files, application secrets, database credentials, and private keys. To address this issue, users should upgrade Penpot to version 2.13.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26202.
Read more Graphic Design
In Budibase Cloud versions prior to 3.30.4 a critical severity vulnerability CVE-2026-27702 was detected. This vulnerability allows any authenticated user to execute arbitrary JavaScript code on the server via unsafe `eval()` in view filter map functions, potentially exposing environment secrets, database credentials, and user data. Self-hosted Budibase deployments are not affected. To address this issue, users should upgrade Budibase Cloud to version 3.30.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27702.
Read more Application Development
In Jenkins versions 2.483 through 2.550, and LTS versions 2.492.1 through 2.541.1 a high severity vulnerability CVE-2026-27099 was detected. This vulnerability allows attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts through the “Mark temporarily offline” offline cause description, which is not properly escaped before being stored and displayed. To address this issue, users should upgrade Jenkins to versions 2.551 or 2.541.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27099.
Read more Developer Tools