Proactive Insights and Support For Open-Source Applications
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
Book a demo
Book a demo
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
  • Home
  • Knowledge Base
  • Newsflash

Our news and updates

All OSSpediaArticlesHow ToNewsflashCase Studies
Don't Miss out!
Join our newsletter for exclusive updates on open source innovations.

    Choose category
    • Communication
      • Communication
    • Communication and Collaboration
      • Utility
      • Communication and Collaboration
      • Communication
    • Specialized Software
      • Educational
      • Graphic Design
    • Business and Enterprise Solutions
      • Customer Service
      • Productivity
      • Supply Chain Management (SCM)
      • CRM
      • E-commerce
      • CMS
      • Marketing Automation
      • ERP
    • Project and Agile Management
      • Project Management
      • IT Business Management
    • Infrastructure and Network
      • CMS
      • Networking
      • Storage
      • Security
    • DevOps
      • DevOps
      • Mobile App Development
      • Backup and Recovery
      • Data Analytics
      • Web Development
      • Developer Stacks
      • Cloud Computing
      • Monitoring
      • Application Development
      • Developer Tools
    • Data Management and Analytics
      • Communication
      • Application Development
      • Analytics
      • Machine Learning
      • Database
      • Data Analytics
    6 Jul 2026 Business and Enterprise Solutions
    WordPress: Authentication bypass in Time Capsule Plugin via IWP_JSON_PREFIX header

    In WordPress versions 1.21.16 a high severity vulnerability CVE-2020-37255 was detected. This vulnerability allows unauthenticated attackers to obtain valid administrator session cookies and access the WordPress dashboard without credentials. To address this issue, users should upgrade plugin to version beyond 1.2.4.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2020-37255.

    Read more
    CMS
    6 Jul 2026 DevOps
    PHP: Authentication Bypass via Social Media Login in Ultimate Addons for Beaver Builder

    In PHP versions 1.2.4.1 a critical severity vulnerability CVE-2019-25763 was detected. This vulnerability allows attackers to bypass authentication by submitting a crafted POST request to admin-ajax.php with the uabb-lf-google-submit action to obtain session cookies and authenticate as an administrator. To address this issue, users should upgrade PHP to version 1.2.4.1 (ideally 1.2.5 or higher). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2019-25763.

    Read more
    Web Development
    6 Jul 2026 DevOps
    Helm: Signature Verification Bypass via Missing Provenance File in Plugins

    In Helm versions 4.0.0 to before 4.1.4 a high severity vulnerability CVE-2026-35205 was detected. This vulnerability allows an attacker to bypass plugin signature verification, potentially leading to the installation of untrusted or malicious code. This occurs because the Helm plugin verification mechanism “fails open” when a provenance (.prov) file is missing, even if signature verification is explicitly required by the user’s configuration. By deliberately omitting the .prov file, a malicious actor can force Helm to successfully install an unsigned plugin without raising a security error. To address this issue, users should upgrade Helm to version 4.1.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-35205.

    Read more
    Developer Tools
    2 Jul 2026 Data Management and Analytics
    Elasticsearch: Denial of Service via Unrestricted Resource Allocation in Machine Learning

    In Elasticsearch versions up to 8.19.16/9.3.5/9.4.2 a medium severity vulnerability CVE-2026-56149 was detected. This vulnerability allows an authenticated user with elevated privileges to cause a Denial of Service (DoS) by rendering the affected node unavailable. This occurs due to an Allocation of Resources Without Limits or Throttling (CWE-770) flaw in the processing of machine learning requests. By submitting a specially crafted machine learning request, an attacker can trigger excessive memory allocation (CAPEC-130), leading to resource exhaustion and the subsequent unavailability of the Elasticsearch node. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-56149.

    Read more
    Data Analytics
    2 Jul 2026 Data Management and Analytics
    Docling: Information Disclosure and DoS via Unsafe XML Parsing in METS-GBS Backend

    In Docling versions 2.45.0 to before 2.91.0 a medium severity vulnerability CVE-2026-44018 was detected. This vulnerability allows an attacker to read sensitive files, exhaust system resources, or cause application crashes, leading to unauthorized information disclosure and Denial of Service (DoS). This occurs due to unsafe archive extraction and a lack of security controls during XML parsing in the METS-GBS backend. By crafting a malicious METS-GBS archive and exploiting the input document format detection mechanisms (such as via XML External Entity (XXE) injection or archive bombs), an attacker can compromise the parsing process. To address this issue, users should upgrade Docling to version 2.91.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44018.

    Read more
    Data Analytics
    2 Jul 2026 Data Management and Analytics
    ChromaDB: Remote Code Execution via Malicious Model Repository

    In ChromaDB versions 0.4.17 and later a high severity vulnerability CVE-2026-45833 was detected. This vulnerability allows an authenticated attacker with UPDATE_COLLECTION permissions to execute arbitrary code on the server, leading to Remote Code Execution (RCE). This occurs due to a code injection flaw when the application handles model repositories. By sending a malicious model repository to the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} endpoint and setting the trust_remote_code parameter to true, an attacker can trick the system into executing their malicious payload.There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-45833.

    Read more
    Database
    2 Jul 2026 DevOps
    Appsmith: Remote Code Execution via Exposed Supervisord XML-RPC Interface

    In Appsmith versions prior to 2.1 a high severity vulnerability CVE-2026-50189 was detected. This vulnerability allows an authenticated administrator to execute arbitrary OS commands inside the Docker container, leading to Remote Code Execution (RCE). This occurs because the bundled supervisord exposes an XML-RPC interface that is reachable from outside the container via a Caddy reverse-proxy route at /supervisor/*. Additionally, the required authentication password (APPSMITH_SUPERVISOR_PASSWORD) is inadvertently exposed via the GET /api/v1/admin/env endpoint. By combining these issues, an attacker can retrieve the password, authenticate, and send maliciously crafted XML-RPC calls (such as twiddler.addProgramToGroup) to execute commands on the underlying system. To address this issue, users should upgrade Appsmith to version 2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-50189.

    Read more
    Application Development
    2 Jul 2026 DevOps
    Argo Workflows: Information Disclosure via Unauthorized Template Access

    In Argo Workflows versions prior to 3.7.11 and 4.0.2 a high severity vulnerability CVE-2026-28229 was detected. This vulnerability allows an unauthenticated or improperly authenticated attacker to retrieve sensitive template content, including embedded Secret manifests, leading to unauthorized information disclosure. This occurs because the Workflow templates endpoints fail to properly validate authorization tokens. Specifically, an attacker can bypass authentication by sending a request with a dummy token, such as Authorization: Bearer nothing, to access WorkflowTemplates and ClusterWorkflowTemplates. To address this issue, users should upgrade Argo Workflows to versions 3.7.11, 4.0.2, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28229.

    Read more
    Application Development
    1 Jul 2026 DevOps
    Budibase: Unauthenticated NoSQL Injection via Published App Query Templates

    In Budibase versions prior to 3.39.12 a critical severity vulnerability CVE-2026-54350 was detected. This vulnerability allows an unauthenticated attacker to read or modify all documents within the backing databases (such as MongoDB, CouchDB, Elasticsearch, or DynamoDB). This occurs due to a NoSQL operator injection flaw when processing published-app query templates. The application fails to properly escape JSON metacharacters (such as quotes and braces) when substituting user-controlled parameters into the raw JSON query body. By injecting these characters, an attacker can manipulate the parsed JSON object to include NoSQL operators (e.g., $exists: true), overriding the intended filters and expanding the query scope to the entire collection. Furthermore, endpoints associated with PUBLIC queries do not enforce CSRF protection or require an active session. To address this issue, users should upgrade Budibase to version 3.39.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-54350.

    Read more
    Application Development
    Proactive Insights and Support For Open-Source Applications
    Contact us: Whatsapp
    Company
    • About Hossted
    • Data Processing Addendum
    Solutions
    • Applications
    • Support Plans
    • About Solution
    Resources
    • FAQ
    • Knowledge Base

    © HOSSTED 2026 All rights reserved

    • Privacy Policy
    • Terms and Conditions
    • Cookies Policy
    Cookie Settings

    We use cookies to measure marketing efforts and improve our services. Please review the cookie settings and confirm your choice.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}