Project and Agile Management

In Ansible Lightspeed all the versions a medium severity vulnerability CVE-2026-44188 was detected. This vulnerability allows a remote attacker to hijack a session and gain unauthorized read access to sensitive Ansible resources, such as inventories, playbooks, and configuration data. This occurs due to insufficient session expiration logic. If an attacker exfiltrates a valid OAuth access token before a user logs out, they can maintain persistent access because the backend application fails to properly invalidate the token upon logout, leaving it active until its natural expiration. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44188.

In Ansible versions before 1.6.6 a medium severity vulnerability CVE-2014-3498 was detected. This vulnerability allows remote authenticated users to execute arbitrary commands due to a flaw in the user module. To address this issue, users should upgrade Ansible to version 1.6.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2014-3498.

In Ansible versions before 1.9.2 a high severity vulnerability CVE-2015-6240 was detected. This vulnerability allows local users to escape a restricted environment (such as a chroot, jail, or zone) via a symlink attack targeting the chroot, jail, and zone connection plugins. To address this issue, users should upgrade Ansible to version 1.9.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-6240.

In Ansible versions 2.3.x before 2.3.3 and 2.4.x before 2.4.1 a medium severity vulnerability CVE-2017-7550 was detected. This vulnerability allows remote attackers to expose sensitive information, such as passwords, from a remote host’s logs due to a flaw in how parameters are passed to the jenkins_plugin module’s “params” argument. To address this issue, users should upgrade Ansible to versions 2.3.3 or 2.4.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2017-7550.

In Foreman versions since 1.5 a medium severity vulnerability CVE-2017-7505 was detected. This vulnerability allows users with user management permissions assigned to specific organizations to perform unauthorized operations on all administrator user objects outside of their scope, such as editing global admin accounts and changing their passwords, due to an incorrect authorization check. To address this issue, users should upgrade Foreman to version 1.15.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2017-7505.

In Foreman versions before 1.12.2 a medium severity vulnerability CVE-2016-6319 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the label parameter in app/helpers/form_helper.rb, as used by Remote Execution and possibly other plugins. To address this issue, users should upgrade Foreman to version 1.12.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2016-6319.

In Foreman versions before 1.2.3 a high severity vulnerability CVE-2013-4386 was detected. This vulnerability allows remote attackers to execute arbitrary SQL commands via the fqdn or hostgroup parameters. To address this issue, users should upgrade Foreman to version 1.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2013-4386.

In Kimai versions 2.52.0 and below a high severity vulnerability CVE-2026-40486 was detected. This vulnerability allows attackers with standard user accounts to modify restricted attributes such as hourly_rate and internal_rate via the User Preferences API, bypassing intended permission checks. This unauthorized financial tampering directly impacts invoice generation and timesheet calculations. To address this issue users must upgrade to version 2.53.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40486.

In Kanboard versions prior to 1.2.51 a high severity vulnerability CVE-2026-29056 was detected. This vulnerability allows an attacker who receives a user invite link to inject `role=app-admin` during registration, creating an administrator account and escalating privileges. To address this issue, users should upgrade Kanboard to version 1.2.51. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29056.