In Ghost CMS version 4.42.0 a high severity vulnerability CVE-2022-28397 was reported. This vulnerability reportedly allows an attacker to execute arbitrary code (RCE) via a maliciously crafted file uploaded through the file upload module. However, it should be noted that the vendor disputes this vulnerability, stating that according to Ghost’s security documentation, files can only be uploaded and published by strictly trusted users, and this functionality is intentional. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-28397.
Read more CMSIn Elasticsearch versions including 7.0.0 and before 7.17.24, including 8.0.0 and before 8.15.0 a medium severity vulnerability CVE-2026-49090 was detected. This vulnerability allows an authenticated user to cause a Denial of Service (DoS) by rendering the affected node unable to process requests. This occurs due to an Uncontrolled Resource Consumption (CWE-400) flaw when processing bulk requests. By submitting a specially crafted bulk request, an attacker can trigger sustained high CPU consumption via excessive resource allocation (CAPEC-130), effectively exhausting server resources. To address this issue, users should upgrade Elasticsearch to a patched version 7.17.24 or later, 8.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-49090.
Read more Data AnalyticsIn Kestra versions prior to 1.3.24 a high severity vulnerability CVE-2026-55069 was detected. This vulnerability allows an attacker who has gained read access to the database to recover the administrator password offline, potentially leading to vertical privilege escalation. This occurs because the BasicAuth authentication component uses the SHA-512 hashing algorithm, which has a high computation speed and lacks the necessary work factors to deter rapid brute-force or dictionary attacks. If the password is successfully cracked in a Kubernetes deployment, the attacker can further compromise the system by reading the cluster ServiceAccount Token and all Kubernetes Secrets. To address this issue, users should upgrade Kestra to version 1.3.24 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-55069.
Read more MonitoringIn Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28 (with earlier unsupported versions potentially affected) a high severity vulnerability CVE-2026-1312 was detected. This vulnerability allows an attacker to execute unauthorized database queries, potentially leading to data exfiltration or modification via SQL Injection (SQLi). This occurs due to a flaw in how .QuerySet.order_by() handles column aliases containing periods when the exact same alias is utilized within FilteredRelation using dictionary expansion. By supplying a specially crafted dictionary, an attacker can manipulate the generated SQL query structure. To address this issue, users should upgrade Django to versions 6.0.2, 5.2.11, 4.2.28, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1312.
In Dolibarr ERP & CRM versions up to and including 22.0.4 a high severity vulnerability CVE-2026-31018 was detected. This vulnerability allows an authenticated user with restricted privileges (limited to HTML/JavaScript editing) to inject and execute arbitrary PHP code, potentially leading to Remote Code Execution (RCE) and privilege escalation. This occurs due to the inconsistent application of PHP code detection and permission enforcement within the Website module. During website page creation, certain input parameters remain unprotected, allowing an attacker to bypass intended restrictions and supply malicious PHP payloads. To address this issue, users should upgrade Dolibarr to a patched version 23.0.0 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-31018.
Read more ERPIn WordPress versions 1.21.16 a high severity vulnerability CVE-2020-37255 was detected. This vulnerability allows unauthenticated attackers to obtain valid administrator session cookies and access the WordPress dashboard without credentials. To address this issue, users should upgrade plugin to version beyond 1.2.4.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2020-37255.
Read more CMS