In Foreman versions 1.22.0 and higher a high severity vulnerability CVE-2025-9572 was detected. This vulnerability allows low-privileged users to bypass access controls in the GraphQL API, enabling them to access metadata beyond their assigned permissions and potentially leading to unauthorized information disclosure. To address this issue, users should upgrade Foreman to versions 3.16.2 or 3.17.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9572.
Read more IT Business ManagementIn FreeScout versions prior to 1.8.206 a critical severity vulnerability CVE-2026-27637 was detected. This vulnerability allows attackers to compute predictable authentication tokens using `MD5(user_id + created_at + APP_KEY)`, enabling full account takeover, including administrative accounts, without requiring a password. To address this issue, users should upgrade FreeScout to version 1.8.206 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27637.
Read more Customer ServiceIn FreeScout versions prior to 1.8.206 a critical severity vulnerability CVE-2026-27636 was detected. This vulnerability allows authenticated users to upload `.htaccess` files on Apache servers with `AllowOverride All`, bypassing file upload restrictions and enabling remote code execution. To address this issue, users should upgrade FreeScout to version 1.8.206 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27636.
Read more Customer ServiceIn Gogs versions prior to 0.14.2 a high severity vulnerability CVE-2026-26276 was detected. This vulnerability allows attackers to store malicious HTML or JavaScript payloads in a repository’s Milestone name, which can trigger a DOM-based Cross-Site Scripting (XSS) attack when another user selects that milestone on the New Issue page. To address this issue, users should upgrade Gogs to version 0.14.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26276.
Read more Developer ToolsIn Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a high severity vulnerability CVE-2026-26265 was detected. This vulnerability allows any user, including anonymous users, to retrieve private user field values from the directory by exploiting an IDOR in the `directory items` endpoint, bypassing visibility restrictions and potentially exposing sensitive information such as phone numbers or addresses. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26265.
Read more CommunicationIn Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a medium severity vulnerability CVE-2026-26207 was detected. This vulnerability allows any authenticated user to interact with policies on posts they do not have permission to view and to enumerate which posts have policies attached, due to missing access checks in the `discourse-policy` plugin. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26207.
Read more CommunicationIn Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a medium severity vulnerability CVE-2026-26078 was detected. This vulnerability allows an attacker to forge valid Patreon webhook signatures when the `patreon_webhook_secret` site setting is blank, enabling unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26078.
Read more CommunicationIn Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a medium severity vulnerability CVE-2026-26077 was detected. This vulnerability allows unauthenticated attackers to forge webhook payloads on several endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) when no authentication token is configured, potentially inflating user bounce scores and causing legitimate user emails to be disabled. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26077.
Read more CommunicationIn Dolibarr ERP/CRM version 10.0.1 a high severity vulnerability CVE-2019-25452 was detected. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries via the `elemid` POST parameter in the `viewcat.php` endpoint, potentially exposing sensitive database information through error-based or time-based blind SQL injection. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2019-25452.
Read more Communication