In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0 a low severity vulnerability CVE-2026-27151 was detected. This vulnerability allows TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges because the move_posts action only checked can_move_posts? on the source topic and did not validate write permissions on the destination topic. To address this issue users must upgrade to Discourse versions 2025.12.2, 2026.1.1 or 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27151.
Read more CommunicationIn changedetection.io versions prior to 0.54.1 a medium severity vulnerability CVE-2026-27645 was detected. This vulnerability allows an attacker to perform Reflected Cross-Site Scripting (XSS) via the RSS single-watch endpoint, where the UUID path parameter is reflected in the HTTP response without HTML escaping, leading to execution of arbitrary JavaScript in the user’s browser. To address this issue, users should upgrade changedetection.io to version 0.54.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27645.
Read more MonitoringIn Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a low severity vulnerability CVE-2026-28227 was detected. This vulnerability allows TL4 users to bypass authorization checks and publish topics into staff-only categories using the `publish_to_category` topic timer. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28227.
Read more CommunicationIn Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a low severity vulnerability CVE-2026-28219 was detected. This vulnerability allows authenticated users to bypass administrative restrictions and modify privileged topic attributes, enabling them to elevate a topic’s status to a site-wide notice or banner via manipulated PUT or POST requests. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28219.
Read more CommunicationIn Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 a medium severity vulnerability CVE-2026-28218 was detected. This vulnerability allows any authenticated user to execute SQL queries in the Data Explorer plugin that have no explicit group assignments, including built-in system queries, due to fail-open access control. To address this issue, users should upgrade Discourse to versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28218.
Read more CommunicationIn LibreNMS versions 25.12.0 and below a medium severity vulnerability CVE-2026-26987 was detected. This vulnerability allows attackers to perform Reflected Cross-Site Scripting (XSS) via the email field. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26987.
Read more MonitoringIn Penpot versions prior to 2.13.2 a high severity vulnerability CVE-2026-26202 was detected. This vulnerability allows an authenticated user with team edit permissions to read arbitrary files from the server via the `create-font-variant` RPC endpoint by supplying a local file path, potentially exposing sensitive system files, application secrets, database credentials, and private keys. To address this issue, users should upgrade Penpot to version 2.13.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26202.
Read more Graphic DesignIn Budibase Cloud versions prior to 3.30.4 a critical severity vulnerability CVE-2026-27702 was detected. This vulnerability allows any authenticated user to execute arbitrary JavaScript code on the server via unsafe `eval()` in view filter map functions, potentially exposing environment secrets, database credentials, and user data. Self-hosted Budibase deployments are not affected. To address this issue, users should upgrade Budibase Cloud to version 3.30.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27702.
Read more Application DevelopmentIn changedetection.io versions prior to 0.54.1 a medium severity vulnerability CVE-2026-27696 was detected. This vulnerability allows an authenticated user—or any user when no password is configured—to perform Server-Side Request Forgery (SSRF) via watch URLs, potentially exposing internal network resources and enabling data exfiltration. To address this issue, users should upgrade changedetection.io to version 0.54.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27696.
Read more Monitoring