In GitLab CE/EE versions from 18.6 up to but not including 18.6.4, 18.7 up to but not including 18.7.2, and 18.8 up to but not including 18.8.2 a high severity vulnerability CVE-2026-0723 was detected. This vulnerability allows an attacker with prior knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses, due to an unchecked return value. To address this issue, users should upgrade GitLab to versions 18.6.4, 18.7.2, 18.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0723.
Read more Newsflash Developer Tools
In GitLab CE/EE versions from 17.7 up to but not including 18.6.4, 18.7 up to but not including 18.7.2, and 18.8 up to but not including 18.8.2 a high severity vulnerability CVE-2025-13928 was detected. This vulnerability allows unauthenticated attackers to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints. To address this issue, users should upgrade GitLab to versions 18.6.4, 18.7.2, 18.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13928.
Read more Newsflash Developer Tools
In GitLab CE/EE versions from 11.9 up to but not including 18.6.4, 18.7 up to but not including 18.7.2, and 18.8 up to but not including 18.8.2 a high severity vulnerability CVE-2025-13927 was detected. This vulnerability allows unauthenticated attackers to create a denial of service condition by sending crafted requests containing malformed authentication data, due to improper allocation of resources without limits or throttling. To address this issue, users should upgrade GitLab CE/EE to versions 18.6.4, 18.7.2, 18.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13927.
Read more Newsflash Developer Tools
In the Meta-box GalleryMeta plugin for WordPress versions up to and including 3.0.1 a medium severity vulnerability CVE-2026-1302 was detected. This vulnerability allows authenticated attackers with editor-level permissions or higher to inject arbitrary malicious scripts via the admin settings, leading to stored cross-site scripting (XSS) that executes whenever a user accesses the affected pages. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1302.
Read more CMS Newsflash
In the Responsive Header plugin for WordPress versions up to and including 1.0 a medium severity vulnerability CVE-2026-1300 was detected. This vulnerability allows authenticated attackers with administrator-level access or higher to inject arbitrary web scripts via multiple plugin settings parameters, which are stored and executed when users access affected pages, due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1300.
Read more CMS Newsflash
In the Postalicious plugin for WordPress versions up to and including 3.0.1 a medium severity vulnerability CVE-2026-1266 was detected. This vulnerability allows authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts via admin settings, which are stored and executed when users access affected pages, due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1266.
Read more CMS Newsflash
In the Administrative Shortcodes plugin for WordPress versions up to, and including, 0.3.4 a high severity vulnerability CVE-2026-1257 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server via the slug attribute of the get_template shortcode, due to insufficient path validation of user-supplied input passed to the get_template_part() function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1257.
Read more CMS Newsflash
In the LeadBI plugin for WordPress versions up to and including 1.7 a medium severity vulnerability CVE-2026-1189 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the form_id parameter of the leadbi_form shortcode, due to insufficient input sanitization and output escaping of user-supplied attributes. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1189.
Read more CMS Newsflash
In Moodle version 3.10.3 a high severity vulnerability CVE-2021-47857 was detected. This vulnerability allows attackers to inject malicious JavaScript into the calendar event subtitle (label) field, resulting in persistent cross-site scripting that executes arbitrary code when users view the affected event. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2021-47857.
Read more Educational Newsflash