In changedetection.io versions prior to 0.54.4 a medium severity vulnerability CVE-2026-29038 was detected. This vulnerability allows attackers to execute reflected cross-site scripting (XSS) by injecting malicious JavaScript through the tag_uuid parameter in the /rss/tag/ endpoint, which is rendered without HTML escaping. To address this issue, users should upgrade changedetection.io to version 0.54.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29038.
Read more MonitoringIn Ghost versions 5.101.6 to 6.19.2 a high severity vulnerability CVE-2026-29784 was detected. This vulnerability allows attackers to exploit incomplete CSRF protections around the /session/verify endpoint, enabling the use of one-time codes (OTCs) in login sessions different from the requesting session. In some scenarios, this could have made it easier for phishers to take over a Ghost site. To address this issue, users should upgrade Ghost to version 6.19.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29784.
Read more CMSIn Budibase versions 3.31.5 and earlier a critical severity vulnerability CVE-2026-30240 was detected. This vulnerability allows an authenticated user with builder privileges to perform path traversal via the PWA ZIP processing endpoint (`POST /api/pwa/process-zip`), enabling reading of arbitrary files on the server, including `/proc/1/environ` containing JWT secrets, database credentials, encryption keys, and API tokens. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-30240.
Read more Application DevelopmentIn Budibase versions 3.24.0 and earlier a high severity vulnerability CVE-2026-25737 was detected. This vulnerability allows an attacker to bypass file extension restrictions enforced at the UI level and upload arbitrary malicious files to the server. Exploiting this vulnerability can lead to code execution or compromise of the platform. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25737.
Read more Application DevelopmentIn Budibase versions 3.32.3 and prior a high severity vulnerability CVE-2026-25045 was detected. This vulnerability allows a Creator-level user to bypass server-side RBAC checks in the `/api/global/users` endpoints, enabling actions such as promoting App Viewers to Tenant Admins, demoting Tenant Admins, or modifying the Owner’s account details and orders. Exploiting this vulnerability can lead to full tenant compromise. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25045.
Read more Application DevelopmentIn Budibase versions 3.23.22 and earlier a high severity vulnerability CVE-2026-25041 was detected. This vulnerability allows attackers to execute arbitrary shell commands because the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25041.
Read more Application DevelopmentIn Budibase versions 3.31.4 and earlier a critical severity vulnerability CVE-2026-31816 was detected. This vulnerability allows a completely unauthenticated remote attacker to bypass the `authorized()` middleware and access any server-side API endpoint by appending a webhook path pattern to the query string of a request, effectively skipping authentication, authorization, role checks, and CSRF protection. Currently, there is no fix versions for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-31816.
Read more Application DevelopmentIn @backstage/integration versions prior to 1.20.1 a low severity vulnerability CVE-2026-29185 was detected. This vulnerability allows attackers to include encoded path traversal sequences in SCM URLs, potentially causing integration functions to redirect requests to unintended SCM provider API endpoints using server-side integration credentials. To address this issue, users should upgrade @backstage/integration to version 1.20.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29185.
Read more Developer ToolsIn @backstage/plugin-scaffolder-backend versions prior to 3.1.4 a low severity vulnerability CVE-2026-29184 was detected. This vulnerability allows a malicious scaffolder template to bypass the log redaction mechanism and exfiltrate secrets provided during task execution through event logs. To address this issue, users should upgrade @backstage/plugin-scaffolder-backend to version 3.1.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29184.
Read more Developer Tools