In Download Monitor plugin for WordPress versions up to and including 5.1.7 a high severity vulnerability CVE-2026-3124 was detected. An Insecure Direct Object Reference in the executePayment() function allows unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between PayPal transaction tokens and local orders, enabling theft of paid digital goods. To address this issue, users should upgrade Download Monitor plugin to version to version 5.1.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-3124.
Read more CMSIn PHP versions 1.0 a low severity vulnerability CVE-2026-5106 was detected. A flaw in the admin update file /admin/update_fst.php allows an unknown function-level issue that could be exploited to manipulate exam form submissions. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-5106.
Read more Web DevelopmentIn MLflow version 3.8.0 a critical severity vulnerability CVE-2025-15379 was detected. This vulnerability allows attackers to execute arbitrary commands by supplying a malicious model artifact, as dependency specifications from the python_env.yaml file are unsafely interpolated into shell commands in the _install_model_dependencies_to_env() function when using env_manager=LOCAL. To address this issue, users should upgrade MLflow to version 3.8.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-15379.
Read more Data AnalyticsIn Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 a medium severity vulnerability CVE-2026-2457 was detected. This vulnerability allows authenticated attackers to spoof permalink embeds and impersonate other users by submitting crafted metadata through the post update API endpoint due to insufficient sanitization of client-supplied input. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2457.
Read more CommunicationIn Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 a medium severity vulnerability CVE-2026-2456 was detected. This vulnerability allows authenticated attackers to cause server memory exhaustion and denial of service (DoS) by leveraging a malicious integration server that returns excessively large responses from integration action endpoints. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2456.
Read more CommunicationIn Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 a medium severity vulnerability CVE-2026-2455 was detected. This vulnerability allows attackers to perform server-side request forgery (SSRF) attacks against internal services by exploiting improper canonicalization of IPv4-mapped IPv6 addresses during reserved IP validation. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2455.
Read more CommunicationIn Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 a high severity vulnerability CVE-2026-2454 was detected. This vulnerability allows a malicious user to cause server out-of-memory (OOM) errors and crash the server by sending corrupted Msgpack frames within WebSocket messages to the Calls plugin due to improper handling of incorrectly reported array lengths. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2454.
Read more CommunicationIn Mattermost versions 10.11.x <= 10.11.10 a medium severity vulnerability CVE-2026-1629 was detected. This vulnerability allows a user to continue viewing private channel content via previously cached permalink previews even after losing channel access, due to failure to invalidate cached preview data. To address this issue, users should upgrade Mattermost to versions 11.4.0 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1629.
Read more CommunicationIn Appsmith versions prior to 1.98 a medium severity vulnerability CVE-2026-34411 was detected. This vulnerability allows unauthenticated attackers to access sensitive instance management API endpoints, such as `/api/v1/consolidated-api/view` and `/api/v1/tenants/current`, to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains, which can be used for reconnaissance and targeted attacks. To address this issue, users should upgrade Appsmith to version 1.98 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-34411.
Read more Application Development