Our news and updates

In OpenProject versions 16.6.1 and below a low severity vulnerability CVE-2026-22602 was detected. This vulnerability allows a low‑privileged logged-in user to enumerate and view the full names of other users due to predictable sequential user IDs, both via the web interface and the API. To address this issue, users should upgrade OpenProject to version 16.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22602.

In Kibana versions 7.x, from 8.0.0 up to and including 8.19.9, from 9.0.0 up to and including 9.1.9, 9.2.0 up to and including 9.2.3 a high severity vulnerability CVE-2026-0543 was detected. This vulnerability allows authenticated attackers with sufficient view-level privileges to trigger excessive memory allocation by supplying a specially crafted email address parameter to the Email Connector, resulting in a denial of service and complete service unavailability until a manual restart is performed. To address this issue, users should upgrade Kibana to versions 8.19.10, 9.1.10 or 9.2.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0543.

In Kibana versions from 8.15.0 up to and including 8.19.9, from 9.0.0 up to and including 9.1.9, 9.2.0 up to and including 9.2.3 a high severity vulnerability CVE-2026-0532 was detected. This vulnerability allows authenticated attackers with privileges to create or modify connectors to trigger server-side request forgery and arbitrary file disclosure by supplying a specially crafted credentials JSON payload in the Google Gemini connector configuration, leading to unauthorized network requests and file reads due to insufficient input validation. To address this issue, users should upgrade Kibana to versions 8.19.10, 9.1.10 or 9.2.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0532.

In Kibana Fleet versions from 7.10.0 up to and including 7.17.29, from 8.0.0 up to and including 8.19.9, from 9.0.0 up to and including 9.1.9 and from 9.2.0 up to and including 9.2.3 a medium severity vulnerability CVE-2026-0531 was detected. This vulnerability allows authenticated attackers with low-level (viewer-equivalent) privileges to trigger excessive memory consumption by sending a specially crafted bulk retrieval request, causing redundant database operations that can crash the server and result in denial of service for all users. To address this issue, users should upgrade Kibana to versions 8.19.10, 9.1.10 or 9.2.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0531.

In Kibana Fleet versions from 7.10.0 up to and including 7.17.29, 8.0.0 up to and including 8.19.9, from 9.0.0 up to and including 9.1.9 and from 9.2.0 up to and including 9.2.3 a medium severity vulnerability CVE-2026-0530 was detected. This vulnerability allows attackers to trigger excessive resource consumption by sending a specially crafted request that causes redundant processing operations, eventually leading to service degradation or complete unavailability. To address this issue, users should upgrade Kibana to versions 8.19.10, 9.1.10 or 9.2.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0530.

In the Short Link plugin for WordPress versions up to and including 1.0 a medium severity vulnerability CVE-2026-0813 was detected. This vulnerability allows authenticated attackers with administrator-level access or higher to inject arbitrary JavaScript into pages via the short_link_post_title and short_link_page_title parameters, which will execute when a user visits the affected page. To address this issue, users should upgrade to a patched or the latest available version of the plugin. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0813.

In Metabase versions prior to 55.13, 56.3 and 57.1 a low severity vulnerability CVE-2026-22805 was detected. This vulnerability allows attackers to access internal or local network addresses by abusing the channel test endpoint in self-hosted Metabase instances that permit users to create subscriptions, potentially exposing colocated unsecured internal resources. To address this issue, users should upgrade Metabase to versions 55.13, 56.3, 57.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22805.

In the Quiz Maker plugin for WordPress versions before 6.7.0.89 a low severity vulnerability CVE-2025-14579 was detected. This vulnerability allows attackers with high-privilege roles, such as administrators, to perform stored cross-site scripting (XSS) attacks due to insufficient sanitization and escaping of plugin settings, even when the unfiltered_html capability is disabled (for example, in multisite environments). To address this issue, users should upgrade the Quiz Maker plugin to version 6.7.0.89 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14579.

In the WP Duplicate Page plugin for WordPress versions up to and including 1.8 a medium severity vulnerability CVE-2025-14001 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to duplicate arbitrary posts, pages, and WooCommerce HPOS orders due to missing capability checks in the duplicateBulkHandle and duplicateBulkHandleHPOS functions, even when their role is explicitly excluded in the plugin’s Allowed User Roles settings. To address this issue, users should upgrade the WP Duplicate Page plugin to version 1.8.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14001.