In Discourse versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 a medium severity vulnerability CVE-2026-44779 was detected. This vulnerability allows unauthorized access to sensitive information. This occurs because the bot debug endpoints inadvertently disclose whisper translation audit logs. To address this issue, users should upgrade Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44779.
Read more Communication
In ChromaDB Python versions 0.4.17 or later a high severity vulnerability CVE-2026-45830 was detected. This vulnerability allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant’s collection, leading to unauthorized cross-tenant data access. This occurs due to a lack of proper authorization validation across tenant boundaries, meaning users are not restricted to the tenant they actually belong to. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-45830.
Read more Database
In Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 a high severity vulnerability CVE-2026-48929 was detected. This vulnerability allows an unauthenticated attacker to permanently delete any uploaded file by its ID. This occurs because calling the deleteFileMessage Meteor method via an unauthenticated DDP WebSocket connection causes Meteor.userId() to return null, which improperly skips the authorization check. The execution then falls through to unconditionally remove the file from storage and the database using FileUpload.getStore('Uploads').deleteById(fileID). Because file IDs are easily discoverable via public channel message payloads and download URLs, an attacker can target and destroy specific files. To address this issue, users should upgrade Rocket.Chat to versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, or 7.10.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48929.
In pgAdmin 4 versions 6.0 before 9.16 a critical severity vulnerability CVE-2026-12048 was detected. This vulnerability allows an attacker to execute arbitrary JavaScript or conduct highly deceptive phishing attacks via Stored Cross-Site Scripting (XSS). This occurs because untrusted text returned by a PostgreSQL server (such as error messages or execution plan nodes) is passed directly through html-react-parser without proper sanitization. By controlling a server or creating database objects with maliciously crafted names, an attacker can inject arbitrary HTML, such as malicious <iframe> tags. These iframes can fetch attacker-served scripts and redirect the victim’s top-level browser tab. To address this issue, users should upgrade pgAdmin 4 to version 9.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-12048.
In MongoDB versions Versions before 8.3.3, 8.2.10, 8.0.10, 7.0.35 a medium severity vulnerability CVE-2026-9748 was detected. This vulnerability allows a user to cause a mongod server crash, leading to a Denial of Service (DoS). This occurs because the $_internalConvertBucketIndexStats stage incorrectly uses PauseExecution as a mechanism to skip documents when an index stats conversion fails on non-timeseries input. However, PauseExecution is not a general-purpose skip signal; it is an internal TeeBuffer signal used solely by the $facet stage. When $_internalConvertBucketIndexStats is placed before $facet in a pipeline, the TeeBuffer receives this unexpected signal, triggers a hard invariant assertion, and crashes the server. To address this issue, users should upgrade MongoDB to a patched version 7.0.35 and later, 8.0.24 and later, 8.2.10 and later, 8.3.3 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-9748.
In pgAdmin 4 versions from 1.0.0 up to, but not including, 9.16.0. a medium severity vulnerability CVE-2026-12050 was detected. This vulnerability allows an authenticated user with a connected PostgreSQL session to execute arbitrary SQL statements. This occurs due to an SQL injection flaw in the named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}), where the user-supplied value field is interpolated directly into the SQL string instead of being passed as a bound parameter. While the injected SQL executes under the user’s existing database role and does not cross privilege boundaries, it bypasses application-layer restrictions, allowing SQL execution outside of the documented Query Tool interface. To address this issue, users should upgrade pgAdmin 4 to a patched version 9.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-12050.