In Kanboard versions prior to 1.2.50 a medium severity vulnerability CVE-2026-24885 was detected. This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) against the `changeUserRole` action in the `ProjectPermissionController` due to improper enforcement of the `application/json` Content-Type, potentially enabling unauthorized modification of project user roles if an authenticated administrator visits a malicious site. To address this issue, users should upgrade Kanboard to version 1.2.50 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24885.
Read more Project Management
In Gogs versions up to and including 0.13.3 a high severity vulnerability CVE-2026-24135 was detected. This vulnerability allows authenticated users with write access to a repository’s wiki to exploit a path traversal issue in the `updateWikiPage` function by manipulating the `old_title` parameter, enabling deletion of arbitrary files on the server. To address this issue, users should upgrade Gogs to versions 0.13.4, 0.14.0+dev, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24135.
Read more Developer Tools
In Gogs versions up to and including 0.13.3 a high severity vulnerability CVE-2026-23633 was detected. This vulnerability allows attackers to exploit a path traversal issue in Git hook editing, enabling arbitrary file read and write operations on the server. To address this issue, users should upgrade Gogs to versions 0.13.4, 0.14.0+dev, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23633.
Read more Developer Tools
In Gogs versions up to and including 0.13.3 a medium severity vulnerability CVE-2026-23632 was detected. This vulnerability allows attackers with read-only repository permissions to modify repository contents due to missing write permission enforcement in the `PUT /repos/:owner/:repo/contents/*` endpoint, resulting in unauthorized commit creation and git push execution. To address this issue, users should upgrade Gogs to versions 0.13.4, 0.14.0+dev, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23632.
Read more Developer Tools
In Gogs versions up to and including 0.13.3 a medium severity vulnerability CVE-2026-22592 was detected. This vulnerability allows authenticated users to trigger a denial-of-service condition by deleting a repository file prior to synchronization, causing the application to crash. To address this issue, users should upgrade Gogs to versions 0.13.4, 0.14.0+dev, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22592.
Read more Developer Tools
In WP FOFT Loader plugin for WordPress versions up to and including 2.1.39 a high severity vulnerability CVE-2026-1756 was detected. This vulnerability allows authenticated attackers with Author-level access or higher to upload arbitrary files due to improper file type validation in the `WP_FOFT_Loader_Mimes::file_and_ext` function, potentially enabling remote code execution on the affected site. To address this issue, users should upgrade WP FOFT Loader plugin to version 2.1.40 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1756.
Read more CMS
In NGINX OSS and NGINX Plusfrom versions 1.3.0 before 1.29.5 a medium severity vulnerability CVE-2026-1642 was detected when configured to proxy to upstream TLS servers. This vulnerability allows an attacker with a man-in-the-middle (MITM) position on the upstream server side, under certain conditions, to inject plain text data into responses from the proxied upstream server. To address this issue, users should upgrade to version 1.28.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1642.
Read more Application Development
In pgAdmin 4 versions before 9.11 a high severity vulnerability CVE-2026-1707 was detected. This vulnerability allows attackers with access to the pgAdmin web interface to bypass restore restrictions by disclosing and abusing the `\restrict` key during a restore operation from PLAIN-format dump files, resulting in arbitrary command execution on the pgAdmin host. To address this issue, users should upgrade pgAdmin 4 to version 9.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1707.
Read more Database
In WaveSurfer-WP plugin for WordPress versions up to and including 2.8.3 a high severity vulnerability CVE-2026-1909 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the plugin’s audio shortcode `src` attribute, potentially executing scripts whenever a user accesses the affected page. To address this issue, users should upgrade WaveSurfer-WP plugin to version 2.8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1909.
Read more CMS