In Gogs versions 0.13.4 and prior a critical severity vulnerability CVE-2026-25242 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files to the server via exposed attachment upload endpoints when the RequireSigninView setting is disabled, potentially leading to disk exhaustion, malware hosting, or abuse of the instance as a public file host. To address this issue, users should upgrade Gogs to version 0.14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25242.
Read more Developer Tools
In Gogs versions 0.13.4 and prior a high severity vulnerability CVE-2026-25232 was detected. This vulnerability allows authenticated attackers with write permissions to delete protected branches, including the default branch, via a direct POST request to the web interface, bypassing branch protection mechanisms and enabling privilege escalation to perform administrative-level operations. To address this issue, users should upgrade Gogs to version 0.14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25232.
Read more Developer Tools
In Gogs versions 0.13.4 and below a high severity vulnerability CVE-2026-25229 was detected. This vulnerability allows authenticated users with write access to one repository to modify labels belonging to other repositories due to improper repository ownership validation in the Web UI label update endpoint. To address this issue, users should upgrade Gogs to version 0.14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25229.
Read more Developer Tools
In Kanboard versions prior to 1.2.50 a medium severity vulnerability CVE-2026-25531 was identified. This vulnerability allows an authenticated user to duplicate tasks into projects they do not have access to because the TaskCreationController::duplicateProjects() endpoint does not properly validate user permissions for target projects. To address this issue, users should upgrade Kanboard to version 1.2.50. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25531.
Read more Project Management
In authentik versions prior to 2025.8.6, 2025.10.4 and 2025.12.4 a high severity vulnerability CVE-2026-25922 was identified. This vulnerability allows an attacker to inject a malicious SAML assertion when using a SAML Source with the “Verify Assertion Signature” option enabled but “Verify Response Signature” disabled, or when the Encryption Certificate is not configured under Advanced Protocol settings. To address this issue, users should upgrade Authentik to versions 2025.8.6, 2025.10.4, 2025.12.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25922.
Read more Security
In authentik versions prior to 2025.10.4 and 2025.12.4 a high severity vulnerability CVE-2026-25748 was identified. This vulnerability allows an attacker to bypass authentication by using a malformed cookie when forward authentication is enabled in the authentik Proxy Provider, particularly when used with Traefik or Caddy as a reverse proxy. Exploiting this issue prevents the setting of authentik-specific X-Authentik-* headers, potentially granting unauthorized access. To address this issue, users should upgrade authentik to versions 2025.10.4, 2025.12.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25748.
Read more Security
In authentik versions from 2021.3.1 up to but not including 2025.8.6, 2025.10.4 and 2025.12.4 a critical severity vulnerability CVE-2026-25227 was identified. This vulnerability allows a user with delegated permissions—specifically “Can view * Property Mapping” or “Can view Expression Policy”—to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview property mappings or policies. To address this issue, users should upgrade authentik to versions 2025.8.6, 2025.10.4, 2025.12.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25227.
Read more Security
In GitHub Copilot versions 1.0.0 before 1.5.63 a high severity vulnerability CVE-2026-21516 was identified. This vulnerability allows an unauthorized attacker to execute arbitrary code over a network due to improper neutralization of special elements used in a command (command injection). Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21516.
Read more Developer Tools
In GitLab CE/EE versions 18.6 up to but not including 18.6.6, 18.7 up to but not including 18.7.4, and 18.8 up to but not including 18.8.4 a medium severity vulnerability CVE-2026-1282 was detected. This vulnerability allows authenticated attackers to inject malicious content into project label titles due to improper neutralization of script-related HTML tags, potentially leading to cross-site scripting (XSS). To address this issue, users should upgrade GitLab CE/EE to versions 18.6.6, 18.7.4, 18.8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1282.
Read more Developer Tools