Newsflash
29 Jun 2026 DevOps
Gogs: Cross-Tenant LFS Content Disclosure via Unverified OID Deduplication

In Gogs versions prior to 0.14.3, a high-severity vulnerability, CVE-2026-52812, was detected. It allows an authenticated user with write access to one repository to access and download private Git LFS content from other repositories, leading to unauthorized cross-tenant information disclosure. The cause is that the Git LFS storage deduplicates content using only the Object ID (OID): the serveUpload function skips the upload when a file with the claimed OID already exists on disk and binds it to the user’s repository without verifying that the request body actually hashes to that OID. By claiming an OID that belongs to a private repository, an attacker can bypass authorization checks and download the original file bytes through their own repository’s download endpoint. To address this issue, users should upgrade Gogs to version 0.14.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-52812.
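As an added example (not Gogs’ own code), this is the shape of the check that closes the gap described above: the request body is always hashed and compared with the claimed OID before the repository is bound to the object, so deduplication can only skip the disk write. The store type, its field names and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"io"
)

// lfsStore is a constructed stand-in for the on-disk LFS object store plus the
// per-repository binding table that the download endpoint consults; not Gogs code.
type lfsStore struct {
	objects  map[string][]byte         // OID -> bytes already stored (shared across repos)
	bindings map[int64]map[string]bool // repoID -> OIDs that repo may serve
}

var errOIDMismatch = errors.New("lfs: request body does not hash to the claimed OID")

func (s *lfsStore) bind(repoID int64, oid string) {
	if s.bindings[repoID] == nil {
		s.bindings[repoID] = map[string]bool{}
	}
	s.bindings[repoID][oid] = true
}

func (s *lfsStore) canDownload(repoID int64, oid string) bool { return s.bindings[repoID][oid] }

// serveUpload is the hardened flow: the body is always read and hashed, and the
// hash must equal the claimed OID before the repository is bound to the object.
// Deduplication then only skips the disk write. The vulnerable flow returned
// early on "object exists" without ever reading the body.
func serveUpload(s *lfsStore, repoID int64, claimedOID string, body io.Reader) error {
	data, err := io.ReadAll(body)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(data)
	actual := hex.EncodeToString(sum[:])
	// Constant-time compare avoids leaking how many leading hex digits matched.
	if subtle.ConstantTimeCompare([]byte(actual), []byte(claimedOID)) != 1 {
		return errOIDMismatch
	}
	if _, exists := s.objects[claimedOID]; !exists {
		s.objects[claimedOID] = data
	}
	s.bind(repoID, claimedOID)
	return nil
}
```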

Developer Tools
29 Jun 2026 DevOps
Appsmith: Reverse Proxy Takeover via SSRF on Unauthenticated Caddy Admin API

In Appsmith versions prior to 2.1, a critical-severity vulnerability, CVE-2026-55454, was detected. It allows an authenticated low-privileged user to fully replace the live Caddy configuration and take over the reverse proxy. The cause is that the bundled Caddy reverse proxy’s admin API has no authentication by default and is bound to 0.0.0.0:2019 inside the container. By leveraging a Server-Side Request Forgery (SSRF) vulnerability or the Appsmith server process itself, an attacker can issue administrative requests (such as POST /load) against this internal listener. To address this issue, users should upgrade Appsmith to version 2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-55454.
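As an added example (not Appsmith’s or Caddy’s code), a small audit that reads a Caddy JSON config and flags an admin listener reachable from outside loopback. The `admin.listen` and `admin.disabled` keys are real Caddy configuration keys; the struct, the function and the sample configs in the test are constructed for this example.

```go
package main

import (
	"encoding/json"
	"net"
	"strings"
)

// caddyAdmin holds the two fields of Caddy's top-level "admin" object that
// decide exposure. The keys are real Caddy config keys; the struct and the
// audit logic are constructed for this example.
type caddyAdmin struct {
	Disabled bool   `json:"disabled"`
	Listen   string `json:"listen"`
}

type caddyConfig struct {
	Admin *caddyAdmin `json:"admin"`
}

// adminExposed reports whether the admin API would accept requests arriving on
// a non-loopback interface (from another container, or forwarded via SSRF from
// a process that can reach it), with a short reason. When "listen" is absent
// Caddy uses its default localhost:2019, which is loopback-only.
func adminExposed(raw []byte) (bool, string, error) {
	var cfg caddyConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return false, "", err
	}
	switch {
	case cfg.Admin != nil && cfg.Admin.Disabled:
		return false, "admin API disabled", nil
	case cfg.Admin == nil || cfg.Admin.Listen == "":
		return false, "admin listener at Caddy default (localhost:2019)", nil
	case strings.HasPrefix(cfg.Admin.Listen, "unix/"):
		return false, "admin API on a unix socket: " + cfg.Admin.Listen, nil
	}
	host, _, err := net.SplitHostPort(cfg.Admin.Listen)
	if err != nil {
		return false, "", err
	}
	if host == "" || host == "0.0.0.0" || host == "::" {
		return true, "admin API bound to all interfaces: " + cfg.Admin.Listen, nil
	}
	if ip := net.ParseIP(host); ip != nil && !ip.IsLoopback() {
		return true, "admin API bound to a routable address: " + cfg.Admin.Listen, nil
	}
	return false, "admin API bound to " + cfg.Admin.Listen, nil
}
```

The corrected setting is either `"admin": {"listen": "localhost:2019"}` or `"admin": {"disabled": true}` when nothing needs the API at runtime.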

Application Development
29 Jun 2026 DevOps
Budibase: Arbitrary File Read via PWA-ZIP Symlink Upload

In Budibase versions prior to 3.39.9, a critical-severity vulnerability, CVE-2026-54352, was detected. It allows an authenticated workspace-level builder to read arbitrary files from the server, leading to sensitive information disclosure. The cause is improper handling of symbolic links when processing uploaded PWA ZIP files at the POST /api/pwa/process-zip endpoint. The application uses [email protected], which preserves absolute symlink targets, and the subsequent path validation fails to reject symlink entries before their contents are streamed into MinIO. As a result, an attacker can craft a ZIP archive containing symlinks that point to local system files, which are then processed and served back to the attacker via the asset-fetch endpoint. To address this issue, users should upgrade Budibase to version 3.39.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-54352.
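As an added example (not Budibase’s code, and in Go rather than the project’s Node.js to match the other examples on this page), an entry validator that runs before anything is extracted or streamed: symlink entries are rejected outright and every name is checked for traversal. `buildZip` and the `zipEntry` type only construct sample archives for the check; the function names are assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"os"
	"path"
	"strings"
)

// safeEntryName accepts only relative forward-slash names that stay inside the archive root.
func safeEntryName(name string) bool {
	if name == "" || path.IsAbs(name) || strings.Contains(name, "\\") {
		return false
	}
	clean := path.Clean(name) // collapses "." and ".." segments
	return clean != ".." && !strings.HasPrefix(clean, "../")
}

// validateZipEntries rejects symlink entries (their body is a link target, not file
// data) and traversal names. By default archive/zip flags neither, so both checks are explicit.
func validateZipEntries(r *zip.Reader) error {
	for _, f := range r.File {
		if f.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("zip: symlink entry %q rejected", f.Name)
		}
		if !safeEntryName(f.Name) {
			return fmt.Errorf("zip: entry %q escapes the archive root", f.Name)
		}
	}
	return nil
}
// zipEntry is a constructed archive member; for a Symlink, Body is the link target.
type zipEntry struct{ Name, Body string; Symlink bool }

// buildZip writes the constructed entries to an in-memory archive (test input only).
func buildZip(entries []zipEntry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		h := &zip.FileHeader{Name: e.Name, Method: zip.Store}
		if e.Symlink {
			h.SetMode(os.ModeSymlink | 0o777) // marks the entry as a symbolic link
		}
		fw, _ := w.CreateHeader(h)
		fw.Write([]byte(e.Body))
	}
	w.Close()
	return buf.Bytes()
}
```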

Application Development
29 Jun 2026 Data Management and Analytics
Docling: Path Traversal via LaTeX Commands

In Docling versions from 2.73.0 before 2.91.0, a medium-severity vulnerability, CVE-2026-44022, was detected. It allows an attacker to read arbitrary files from the local file system, potentially exposing configuration files, credentials and other sensitive data. The cause is a path traversal flaw in the LaTeX backend’s handling of the \includegraphics, \input and \include commands, which lacked proper path containment validation. By crafting a malicious LaTeX document with directory traversal sequences, an attacker can make the converter include sensitive files directly in the converted document output. To address this issue, users should upgrade Docling to version 2.91.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44022.
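As an added example (not Docling’s code, and in Go rather than Docling’s Python to match the other examples on this page), a containment check for the three commands named above: each argument is joined to the document root and then proven, via a relative-path test rather than a string prefix, to still lie below that root. The regular expression, function names and the `/docs/paper` root used in the test are assumptions.

```go
package main

import (
	"errors"
	"path/filepath"
	"regexp"
	"strings"
)

var errOutsideRoot = errors.New("latex: include path resolves outside the document root")

// includeCmd captures the argument of \includegraphics (with optional [..] options),
// \input and \include. Constructed for this example.
var includeCmd = regexp.MustCompile(`\\(?:includegraphics(?:\[[^\]]*\])?|input|include)\s*\{([^}]*)\}`)

// resolveInclude maps an include argument to an absolute path under root or rejects
// it. Join collapses "../" segments; Rel then proves the result is below root, which
// a plain string-prefix test gets wrong (/docs/paper2 has prefix /docs/paper).
// Symlinks inside root would additionally need filepath.EvalSymlinks.
func resolveInclude(root, arg string) (string, error) {
	arg = strings.TrimSpace(arg)
	if arg == "" || filepath.IsAbs(arg) {
		return "", errOutsideRoot
	}
	root = filepath.Clean(root)
	p := filepath.Join(root, arg)
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideRoot
	}
	return p, nil
}

// auditIncludes scans a LaTeX source and splits include targets into those that
// stay inside root (resolved) and those that would be rejected (raw argument).
func auditIncludes(root, src string) (allowed, rejected []string) {
	for _, m := range includeCmd.FindAllStringSubmatch(src, -1) {
		if p, err := resolveInclude(root, m[1]); err == nil {
			allowed = append(allowed, p)
		} else {
			rejected = append(rejected, m[1])
		}
	}
	return allowed, rejected
}
```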

Data Analytics
29 Jun 2026 DevOps
Gitea: Cross-Organization Authorization Bypass via IDOR in Projects

In Gitea versions before 1.25.4, a critical-severity vulnerability, CVE-2026-20750, was detected. It allows an authenticated user with project write access in one organization to modify projects belonging to a different organization, leading to unauthorized data modification and an authorization bypass. The cause is an Insecure Direct Object Reference (IDOR) flaw in organization project operations: when a Project ID is supplied, Gitea does not properly validate the project’s ownership against the user’s permissions. To address this issue, users should upgrade Gitea to a patched version [specify the fixed version]. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-20750.
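As an added example (not Gitea’s code), the vulnerable and hardened shape of an organization-project update handler side by side: the flaw is checking only the caller’s permission in the organization named by the route, and the fix is binding the supplied Project ID to that same organization before touching it. The types and function names are constructed for the example.

```go
package main

import "errors"

// Constructed model of the objects involved; not Gitea's own types.
type project struct {
	ID      int64
	OwnerID int64 // the organization that owns the project
	Title   string
}

type projectStore map[int64]*project // project ID -> project

var (
	errNotFound  = errors.New("project not found")
	errForbidden = errors.New("no project write access in this organization")
)

// writeAccess maps (userID, orgID) -> may edit that organization's projects.
type writeAccess map[[2]int64]bool

// updateTitleVulnerable checks the caller's permission in the org named by the
// URL, then loads the project by the supplied ID and edits it regardless of
// which organization actually owns it.
func updateTitleVulnerable(ps projectStore, wa writeAccess, userID, urlOrgID, projectID int64, title string) error {
	if !wa[[2]int64{userID, urlOrgID}] {
		return errForbidden
	}
	p, ok := ps[projectID]
	if !ok {
		return errNotFound
	}
	p.Title = title
	return nil
}

// updateTitleFixed additionally binds the object to the route: a project whose
// OwnerID differs from the URL's org is treated as nonexistent (not found rather
// than forbidden, so the ID does not reveal cross-org existence).
func updateTitleFixed(ps projectStore, wa writeAccess, userID, urlOrgID, projectID int64, title string) error {
	if !wa[[2]int64{userID, urlOrgID}] {
		return errForbidden
	}
	p, ok := ps[projectID]
	if !ok || p.OwnerID != urlOrgID {
		return errNotFound
	}
	p.Title = title
	return nil
}
```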

Developer Tools
26 Jun 2026 DevOps
HAProxy: Integer Overflow and Response Smuggling in FCGI Parser

In HAProxy versions through 3.4.0, a high-severity vulnerability, CVE-2026-55203, was detected. It allows a malicious FastCGI backend to desynchronize the FCGI framing parser, potentially leading to request routing errors, response smuggling or memory safety issues. The cause is an integer overflow in the drl field of the fcgi_conn structure: when contentLength is 65535 and paddingLength is 1 or more, drl wraps to 0, so the parser consumes the wrong number of bytes and misparses the buffer. To address this issue, users should upgrade HAProxy to version 3.4.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-55203.
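As an added example (not HAProxy’s code, and in Go rather than HAProxy’s C to match the other examples on this page), the arithmetic behind the advisory: the FastCGI record header carries a 16-bit contentLength and an 8-bit paddingLength, and summing them into a 16-bit value wraps for 65535 + 1, while a wider type cannot. The struct and function names are assumptions; the drl field is modelled here as a uint16 because the advisory describes it wrapping to 0.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// fcgiHeader holds the length fields of the 8-byte FastCGI record header
// (FCGI_Header: version, type, requestId[2], contentLength[2], paddingLength, reserved).
type fcgiHeader struct {
	RequestID     uint16
	ContentLength uint16
	PaddingLength uint8
}

var errShortBuffer = errors.New("fcgi: record not yet complete")

func parseHeader(buf []byte) (fcgiHeader, error) {
	if len(buf) < 8 {
		return fcgiHeader{}, errShortBuffer
	}
	return fcgiHeader{RequestID: binary.BigEndian.Uint16(buf[2:4]), ContentLength: binary.BigEndian.Uint16(buf[4:6]), PaddingLength: buf[6]}, nil
}

// dataLenNarrow models the flaw: content and padding summed into a 16-bit
// field, so 65535 + 1 wraps to 0 and the parser thinks the record has no body.
func dataLenNarrow(h fcgiHeader) uint16 {
	return h.ContentLength + uint16(h.PaddingLength)
}

// dataLenWide keeps the sum in a type that cannot wrap (max 65535 + 255).
func dataLenWide(h fcgiHeader) int {
	return int(h.ContentLength) + int(h.PaddingLength)
}

// consumeRecord returns how many bytes the next complete record occupies, or
// errShortBuffer if the buffer does not yet hold all of it. With the wide
// length a 65535/1 header demands 8+65536 bytes instead of just the 8-byte header.
func consumeRecord(buf []byte) (int, error) {
	h, err := parseHeader(buf)
	if err != nil {
		return 0, err
	}
	total := 8 + dataLenWide(h)
	if len(buf) < total {
		return 0, errShortBuffer
	}
	return total, nil
}
```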

Application Development