In Backstage and the @backstage/backend-defaults package versions prior to 0.12.2, 0.13.2, 0.14.1, and 0.15.0 a low severity vulnerability CVE-2026-24048 was detected. This vulnerability allows attackers who control an allowed external host to perform Server-Side Request Forgery (SSRF) by abusing automatic HTTP redirect handling in the FetchUrlReader component, enabling access to internal or sensitive URLs that are not explicitly allowlisted. To address this issue, users should upgrade @backstage/backend-defaults to versions 0.12.2, 0.13.2, 0.14.1, 0.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24048.
Read more Newsflash DevOps Developer Tools
In Backstage using the @backstage/backend-plugin-api package versions prior to 0.1.17 a medium severity vulnerability CVE-2026-24047 was detected. This vulnerability allows attackers to bypass path traversal protections by abusing improperly validated symlink chains or dangling symlinks in the resolveSafeChildPath utility, potentially enabling file operations to access or modify files outside of intended directories. To address this issue, users should upgrade @backstage/backend-plugin-api to version 0.1.17 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24047.
Read more Newsflash Developer Tools
In Backstage versions prior to @backstage/backend-defaults 0.12.2, 0.13.2, 0.14.1, and 0.15.0; @backstage/plugin-scaffolder-backend 2.2.2, 3.0.2, and 3.1.1; and @backstage/plugin-scaffolder-node 0.11.2 and 0.12.3 a high severity vulnerability CVE-2026-24046 was detected. This vulnerability allows attackers with permission to create or execute Scaffolder templates to exploit symlink-based path traversal issues to read arbitrary files, delete files outside the workspace, or write files to unintended locations via vulnerable Scaffolder actions and archive extraction utilities. To address this issue, users should upgrade @backstage/backend-defaults to versions 0.12.2, 0.13.2, 0.14.1, 0.15.0, @backstage/plugin-scaffolder-backend to versions 2.2.2, 3.0.2, 3.1.1 and @backstage/plugin-scaffolder-node to versions 0.11.2 or 0.12.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24046.
Read more Newsflash Developer Tools
In GitLab CE/EE versions from 17.1 before 18.6.4, 18.7 before 18.7.2 and 18.8 before 18.8.2 a medium severity vulnerability CVE-2025-13335 was detected. This vulnerability allows an authenticated attacker to cause a denial of service by configuring malformed Wiki documents that bypass cycle detection and trigger an infinite loop with an unreachable exit condition. To address this issue, users should upgrade GitLab to versions 18.6.4, 18.7.2, 18.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13335.
Read more Newsflash Developer Tools
In Oracle MySQL Server InnoDB component versions 8.0.0 through 8.0.44, 8.4.0 through 8.4.7 and 9.0.0 through 9.5.0 a medium severity vulnerability CVE-2026-21936 was detected. This vulnerability allows a high-privileged attacker with network access to cause a hang or repeatedly crash the MySQL Server, resulting in a complete denial of service. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21936.
Read more Newsflash
In Oracle MySQL Server Optimizer component versions 8.0.0 through 8.0.44, 8.4.0 through 8.4.7 and 9.0.0 through 9.5.0 a medium severity vulnerability CVE-2026-21968 was detected. This vulnerability allows a low-privileged attacker with network access to cause a hang or repeatedly crash the MySQL Server, resulting in a complete denial of service. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21968.
Read more Newsflash Database
In Oracle MySQL Server Thread Pooling component versions 8.0.0 through 8.0.44, 8.4.0 through 8.4.7 and 9.0.0 through 9.5.0 a medium severity vulnerability CVE-2026-21964 was detected. This vulnerability allows a high-privileged attacker with network access to cause a complete denial of service by triggering a hang or repeated crashes of the MySQL Server. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21964.
Read more Newsflash Database
In Oracle MySQL Server versions 9.0.0 through 9.5.0 a medium severity vulnerability CVE-2026-21952 was detected. This vulnerability allows a high-privileged attacker with network access to cause a hang or a repeatedly reproducible crash, resulting in a complete denial of service (DoS) of the MySQL Server due to an issue in the Server Parser component. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21952.
Read more Newsflash Database
In the WP Hello Bar plugin for WordPress versions up to and including 1.02 a medium severity vulnerability CVE-2026-1042 was detected. This vulnerability allows authenticated attackers with administrator-level access and above to inject arbitrary web scripts through the digit_one and digit_two parameters due to insufficient input sanitization and output escaping, resulting in stored cross-site scripting that executes when users access affected pages. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1042.
Read more CMS Newsflash