In Docling versions prior to 2.91.0 a high severity vulnerability CVE-2026-44017 was detected. This vulnerability allows an attacker to write arbitrary files to any location writable by the process, potentially leading to Remote Code Execution (RCE) or persistent backdoors. This occurs due to a Zip Slip flaw in the EasyOCR model download functionality, where ZIP archives are extracted without properly validating member paths. If an attacker successfully compromises the model download source—such as through a supply chain attack, DNS spoofing, or a Man-in-the-Middle (MITM) attack—they can deliver a maliciously crafted ZIP file containing directory traversal sequences. To address this issue, users should upgrade Docling to version 2.91.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44017.
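The defensive pattern that closes this class of bug is to validate every archive member name against the destination directory before writing anything. The following is an added example (not Docling's code): it builds a constructed in-memory ZIP holding one legitimate member and three Zip Slip style names, and extracts only the members whose resolved path stays inside the target directory.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_member(name: str, dest: Path) -> bool:
    """True only if extracting `name` under dest cannot land outside dest."""
    if "\\" in name or name.startswith("/") or ":" in name.split("/")[0]:
        return False                      # backslashes, absolute paths, drive letters
    if ".." in PurePosixPath(name).parts:
        return False                      # explicit traversal component
    target, base = (dest / name).resolve(), dest.resolve()
    return target == base or base in target.parents   # resolved path stays inside


def safe_extract(zip_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract validated members only; return (extracted, rejected) member names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)
                continue
            out = dest / info.filename
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
                continue
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_demo_zip() -> bytes:
    """Constructed sample archive: one legitimate member and three hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/weights.pth", b"not real weights")   # placeholder bytes
        zf.writestr("../../evil.txt", b"x")                     # classic Zip Slip name
        zf.writestr("/tmp/evil.txt", b"x")                      # absolute path
        zf.writestr("model/../../evil2.txt", b"x")              # traversal mid-path
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run the extraction into a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        dest = Path(d, "models")
        dest.mkdir()
        return safe_extract(build_demo_zip(), dest)
```

Rejected names are reported rather than silently skipped so a download routine can fail the whole archive and alert, which is the appropriate response to a tampered model source.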
In Budibase versions prior to 3.39.12 a critical severity vulnerability CVE-2026-54350 was detected. This vulnerability allows an unauthenticated attacker to read or modify all documents within the backing databases (such as MongoDB, CouchDB, Elasticsearch, or DynamoDB). This occurs due to a NoSQL operator injection flaw when processing published-app query templates. The application fails to properly escape JSON metacharacters (such as quotes and braces) when substituting user-controlled parameters into the raw JSON query body. By injecting these characters, an attacker can manipulate the parsed JSON object to include NoSQL operators (e.g., $exists: true), overriding the intended filters and expanding the query scope to the entire collection. Furthermore, endpoints associated with PUBLIC queries do not enforce CSRF protection or require an active session. To address this issue, users should upgrade Budibase to version 3.39.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-54350.
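The flaw is the generic "text substitution into a JSON body" mistake, so it can be shown without Budibase internals. The following added example (not Budibase's code, with a constructed template and a constructed parameter value) contrasts raw substitution with two fixes: escaping the value as a JSON string literal, and binding parameters only after the template has been parsed, so a value can never become a key or an operator. A small `has_operator` check is included as the kind of guard a query layer or log monitor can run on the rendered filter.

```python
import json
from typing import Any

# Constructed template in the spirit of a published-app query: the placeholder is
# meant to be replaced by a user-supplied string value only.
TEMPLATE = '{"username": "{{username}}", "deleted": false}'

# Constructed hostile value: closes the string literal, smuggles an operator
# clause into the object, then reopens a string so the JSON still parses.
PAYLOAD = '", "password": {"$exists": true}, "username": "'


def render_unsafe(template: str, params: dict[str, str]) -> dict[str, Any]:
    """Raw text substitution into the JSON body: the flawed pattern."""
    body = template
    for key, value in params.items():
        body = body.replace("{{" + key + "}}", value)
    return json.loads(body)


def render_escaped(template: str, params: dict[str, str]) -> dict[str, Any]:
    """Fix 1: JSON-escape each value before substitution (quotes and braces
    become part of the string, not structure)."""
    body = template
    for key, value in params.items():
        literal = json.dumps(value)[1:-1]   # escaped; outer quotes come from template
        body = body.replace("{{" + key + "}}", literal)
    return json.loads(body)


def render_structural(template: str, params: dict[str, str]) -> dict[str, Any]:
    """Fix 2: parse first, then bind params as leaf values; no text ever re-parsed."""
    def bind(node: Any) -> Any:
        if isinstance(node, dict):
            return {k: bind(v) for k, v in node.items()}
        if isinstance(node, list):
            return [bind(v) for v in node]
        if isinstance(node, str) and node.startswith("{{") and node.endswith("}}"):
            return params[node[2:-2]]
        return node
    return bind(json.loads(template))


def has_operator(query: Any) -> bool:
    """Guard: does any key anywhere in the rendered filter start with '$'?"""
    if isinstance(query, dict):
        return any(k.startswith("$") or has_operator(v) for k, v in query.items())
    if isinstance(query, list):
        return any(has_operator(v) for v in query)
    return False
```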
In Helm versions from 4.0.0 up to but not including 4.1.4 a high severity vulnerability CVE-2026-35204 was detected. This vulnerability allows an attacker to write the contents of a plugin to arbitrary filesystem locations outside the designated Helm plugin directory. This occurs due to a path traversal flaw when installing or updating a specially crafted Helm plugin. If the version field within the plugin's plugin.yaml file contains POSIX dot-dot path separators (e.g., /../), Helm fails to properly sanitize the path before writing files. To address this issue, users should upgrade Helm to version 4.1.4 or later. As a temporary workaround, users can manually validate that the plugin.yaml of any Helm plugin does not include path separators in the version field before installation. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-35204.
In Gogs versions prior to 0.14.3 a critical severity vulnerability CVE-2026-52811 was detected. This vulnerability allows an authenticated attacker with repository write access to write files outside the repository working tree, potentially leading to Remote Code Execution (RCE) or unauthorized SSH access. This occurs due to improper symlink validation in the UploadRepoFiles function, which only checks for symlinks at the leaf of the upload target rather than evaluating the entire path. By committing a parent directory symlink and then crafting a multipart upload with a filename containing a literal backslash (which gets converted to a directory separator), an attacker can redirect the file write through the symlink. Because the system opens the destination without preventing symlink following (missing O_NOFOLLOW), the attacker can overwrite sensitive files anywhere the gogs user has write permissions, such as ~git/.ssh/authorized_keys for SSH access or <repo>.git/hooks/post-receive for RCE on the next push. To address this issue, users should upgrade Gogs to version 0.14.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-52811.
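The two defensive points in this advisory are that symlink checks must cover every path component, not just the leaf, and that the final open must use O_NOFOLLOW so the check cannot be raced. The following added example (not Gogs' code; a constructed directory layout, POSIX only) implements both, normalising backslashes the same way the advisory describes so the check sees the path the write would actually use.

```python
import errno
import os
import tempfile
from pathlib import Path


def open_under_root(root: Path, upload_name: str) -> int:
    """Open root/upload_name for writing; refuse symlinks at ANY path component."""
    # Mirror the backslash-to-separator conversion so the check sees the real path.
    parts = [p for p in upload_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty path or traversal")
    cur = root.resolve()
    for part in parts[:-1]:  # every intermediate directory, not just the leaf
        cur = cur / part
        if cur.is_symlink():
            raise ValueError(f"symlink in path: {part}")
        if not cur.exists():
            os.mkdir(cur)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:  # O_NOFOLLOW makes the kernel refuse a symlink leaf, closing the race
        return os.open(cur / parts[-1], flags, 0o644)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise ValueError("leaf is a symlink") from exc
        raise


def demo() -> dict[str, bool]:
    """Constructed layout: repo/link -> outside/ (parent symlink), repo/leaf -> file."""
    out: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        repo, outside = Path(d, "repo"), Path(d, "outside")
        for p in (repo, outside):
            p.mkdir()
        os.symlink(outside, repo / "link")
        os.symlink(outside / "y", repo / "leaf")
        fd = open_under_root(repo, "docs/readme.md")
        with os.fdopen(fd, "wb") as f:
            f.write(b"ok")
        out["normal_write"] = (repo / "docs/readme.md").read_text() == "ok"
        for name in ("link\\x", "link/x", "../outside/x", "leaf"):
            try:
                os.close(open_under_root(repo, name))
                out[name] = False   # write went through: should never happen
            except ValueError:
                out[name] = True    # correctly refused
        out["outside_untouched"] = not any(outside.iterdir())
    return out
```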
In Gitea versions before 1.25.4 a critical severity vulnerability CVE-2026-20897 was detected. This vulnerability allows an authenticated user with write access to one repository to delete Git LFS locks belonging to other repositories, leading to unauthorized data modification and broken access control. This occurs due to an Insecure Direct Object Reference (IDOR) flaw, where the application does not properly validate repository ownership during the Git LFS lock deletion process. To address this issue, users should upgrade Gitea to version 1.25.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-20897.
In Appsmith versions prior to 1.99 a low severity vulnerability CVE-2026-49979 was detected. This vulnerability allows an attacker to perform Server-Side Request Forgery (SSRF), internal port scanning, and service banner enumeration. This occurs because the POST /api/v1/admin/send-test-email endpoint accepts user-controlled smtpHost and smtpPort parameters and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses the WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Furthermore, the endpoint returns the raw MailException.getMessage() verbatim in the API error response, leaking internal network details to the attacker. To address this issue, users should upgrade Appsmith to version 1.99 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-49979.