Proactive Insights and Support For Open-Source Applications
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
Book a demo
Book a demo
  • Applications
  • Platform
  • Support
  • Resources
    • 2025 OSS Research
    • FAQ
    • Newsflash
    • OSSpedia
    • How-to Guides
    • Case Studies
    • Articles
  • Company
    • About Us
    • The OSS in Hossted
  • Contact
  • Home
  • Knowledge Base
  • Newsflash

Our news and updates

All OSSpediaArticlesHow ToNewsflashCase Studies
Don't Miss out!
Join our newsletter for exclusive updates on open source innovations.

    Choose category
    • Communication
      • Communication
    • Communication and Collaboration
      • Utility
      • Communication and Collaboration
      • Communication
    • Specialized Software
      • Educational
      • Graphic Design
    • Business and Enterprise Solutions
      • Customer Service
      • Productivity
      • Supply Chain Management (SCM)
      • CRM
      • E-commerce
      • CMS
      • Marketing Automation
      • ERP
    • Project and Agile Management
      • Project Management
      • IT Business Management
    • Infrastructure and Network
      • CMS
      • Networking
      • Storage
      • Security
    • DevOps
      • DevOps
      • Mobile App Development
      • Backup and Recovery
      • Data Analytics
      • Web Development
      • Developer Stacks
      • Cloud Computing
      • Monitoring
      • Application Development
      • Developer Tools
    • Data Management and Analytics
      • Communication
      • Application Development
      • Analytics
      • Machine Learning
      • Database
      • Data Analytics
    29 Jun 2026 DevOps
    Appsmith: Reverse Proxy Takeover via SSRF on Unauthenticated Caddy Admin API

    In Appsmith versions prior to 2.1 a critical severity vulnerability CVE-2026-55454 was detected. This vulnerability allows an authenticated low-privileged user to fully replace the live Caddy configuration and take over the reverse proxy. This occurs because the bundled Caddy reverse-proxy’s admin API lacks authentication by default and is bound to 0.0.0.0:2019 inside the container. By leveraging a Server-Side Request Forgery (SSRF) vulnerability or the Appsmith server process itself, an attacker can issue administrative requests (such as POST /load) against this internal listener. To address this issue, users should upgrade Appsmith to version 2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-55454.

    Read more
    Application Development
    29 Jun 2026 DevOps
    Gitea: Cross-Organization Authorization Bypass via IDOR in Projects

    In Gitea versions before 1.25.4 a critical severity vulnerability CVE-2026-20750 was detected. This vulnerability allows an authenticated user with project write access in one organization to modify projects belonging to a different organization, leading to unauthorized data modification and an authorization bypass. This occurs due to an Insecure Direct Object Reference (IDOR) flaw in organization project operations, where Gitea does not properly validate project ownership against the user’s permissions when a Project ID is supplied. To address this issue, users should upgrade Gitea to a patched version [укажите исправленную версию]. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-20750.

    Read more
    Developer Tools
    29 Jun 2026 Data Management and Analytics
    Docling: Path Traversal via LaTeX Commands

    In Docling versions 2.73.0 to before 2.91.0 a medium severity vulnerability CVE-2026-44022 was detected. This vulnerability allows an attacker to read arbitrary files from the local file system, potentially exposing configuration files, credentials, and other sensitive data. This occurs due to a path traversal flaw in the LaTeX backend’s handling of the \includegraphics, \input, and \include commands, which lacked proper path containment validation. By crafting a malicious LaTeX document with directory traversal sequences, an attacker can force the system to include sensitive files directly into the converted document output. To address this issue, users should upgrade Docling to version 2.91.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44022.

    Read more
    Data Analytics
    29 Jun 2026 DevOps
    Budibase: Arbitrary File Read via PWA-ZIP Symlink Upload

    In Budibase versions prior to 3.39.9 a critical severity vulnerability CVE-2026-54352 was detected. This vulnerability allows an authenticated workspace-level builder to read arbitrary files from the server, leading to sensitive information disclosure. This occurs due to improper handling of symbolic links when processing uploaded PWA ZIP files at the POST /api/pwa/process-zip endpoint. The application uses [email protected], which preserves absolute symlink targets, and the subsequent path validation fails to reject symlink entries before streaming their contents into MinIO. As a result, an attacker can craft a ZIP archive containing symlinks pointing to local system files, which are then processed and served back to the attacker via the asset-fetch endpoint. To address this issue, users should upgrade Budibase to version 3.39.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-54352.

    Read more
    Application Development
    29 Jun 2026 DevOps
    Gogs: Cross-Tenant LFS Content Disclosure via Unverified OID Deduplication

    In Gogs versions prior to 0.14.3 a high severity vulnerability CVE-2026-52812 was detected. This vulnerability allows an authenticated user with write access to one repository to access and download private Git LFS content from other repositories, leading to unauthorized cross-tenant information disclosure. This occurs because the Git LFS storage deduplicates content using only the Object ID (OID). The serveUpload function skips the upload process if a file with the claimed OID already exists on disk, and binds it to the user’s repository without verifying that the provided request body actually hashes to that OID. By claiming an OID that belongs to a private repository, an attacker can bypass authorization checks and download the original file bytes through their own repository’s download endpoint. To address this issue, users should upgrade Gogs to version 0.14.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-52812.

    Read more
    Developer Tools
    26 Jun 2026 Data Management and Analytics
    GeoServer DB2 DataStore Extension: Remote Code Execution (RCE) via JNDI Injection

    In GeoServer DB2 DataStore Extension versions prior to 2.27.0 a high severity vulnerability CVE-2025-27511 was detected. This vulnerability allows an authenticated administrator to achieve Remote Code Execution (RCE) on the server. This occurs because the extension is vulnerable to a JNDI injection attack when processing a specially crafted DB2 JDBC URL. To address this issue, users should upgrade the GeoServer DB2 DataStore Extension to version 2.27.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27511.

    Read more
    Database
    26 Jun 2026 DevOps
    GitLab EE: Authorization Bypass via User-Controlled Key in Registry Policies

    In GitLab EE versions 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 a medium severity vulnerability CVE-2026-5309 was detected. This vulnerability allows an authenticated user to read or modify another group’s virtual registry cleanup policy settings without proper authorization. This occurs due to an authorization bypass flaw involving a user-controlled key under certain conditions. To address this issue, users should upgrade GitLab EE to versions 18.11.6, 19.0.3, or 19.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-5309.

    Read more
    Developer Tools
    26 Jun 2026 DevOps
    Gogs: Cross-Site Scripting (XSS) via Unauthenticated Jupyter Notebook Sanitizer

    In Gogs versions prior to 0.14.3 a medium severity vulnerability CVE-2026-52816 was detected. This vulnerability allows an unauthenticated attacker to inject malicious HTML or JavaScript, leading to Cross-Site Scripting (XSS). This occurs because the Jupyter Notebook (ipynb) sanitizer endpoint (POST /-/api/sanitize_ipynb) fails to properly restrict data: URIs. It uses a permissive policy (bluemonday.UGCPolicy() with p.AllowURLSchemes("data")) that allows all data URI schemes, including data:text/html. Additionally, the endpoint lacks authentication middleware, allowing any user to exploit it. To address this issue, users should upgrade Gogs to version 0.14.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-52816.

    Read more
    Developer Tools
    26 Jun 2026 Specialized Software
    Moodle: Group Restriction Bypass in Grade History Report

    In Moodle versions before 3.5.11, 3.6.9, 3.7.5, and 3.8.2 a medium severity vulnerability CVE-2020-1754 was detected. This vulnerability allows an authenticated user to view the grades of users outside their own groups, leading to unauthorized information disclosure. This occurs because the grade history report fails to properly enforce group restrictions for users who lack the ‘access all groups’ capability. To address this issue, users should upgrade Moodle to versions 3.5.11, 3.6.9, 3.7.5, or 3.8.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2020-1754.

    Read more
    Educational
    Proactive Insights and Support For Open-Source Applications
    Contact us: Whatsapp
    Company
    • About Hossted
    • Data Processing Addendum
    Solutions
    • Applications
    • Support Plans
    • About Solution
    Resources
    • FAQ
    • Knowledge Base

    © HOSSTED 2026 All rights reserved

    • Privacy Policy
    • Terms and Conditions
    • Cookies Policy
    Cookie Settings

    We use cookies to measure marketing efforts and improve our services. Please review the cookie settings and confirm your choice.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}