CVE-2026-44736

OpenProject vulnerability CVE-2026-44736 affects the OpenProject web-based project management platform. The flaw exists in the GET /api/v3/relations endpoint prior to version 17.4.0, allowing any authenticated user to retrieve relations and the titles of work packages they should not have permiss...

CVE-2026-47193 OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1...

CVE-2026-47193

OpenProject (open-source web-based project management) contains a vulnerability in the journal diff endpoint that discloses hidden historical field values due to lack of object/field visibility enforcement. The issue is fixed in versions 17.3.3 and 17.4.1. Affected component: journal diff endpoin...

KevinLAB BEMS (Building Energy Management System) - Backdoor Account

KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highes...

CVE-2026-0934

GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configuratio...

CVE-2026-0934 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configuratio...

CVE-2026-0934

GitLab Enterprise Edition (GitLab EE) has remediated a privilege‑escalation issue affecting all releases prior to fixed patches: 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. An authenticated user with custom role permissions could view, create, or delete protected environment ...

CVE-2026-47279

NocoDB's CVE-2026-47279 describes an Access Control problem in public shared-view relation endpoints (LTAR columns). Before patch 2026.05.1, endpoints accepted a caller-supplied column ID without verifying the column’s visibility, allowing anyone with a share UUID to read links from hidden LTAR c...

CVE-2026-47279 NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on t...

CVE-2026-54321

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. From 0.101.0 until 0.184.0, sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached...

CVE-2026-54321

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. From 0.101.0 until 0.184.0, sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached...

CVE-2026-54321

CVE-2026-54321 (Daytona) : Sandboxes that were switched from public to private could remain reachable without authentication for a short period due to a cached visibility state not invalidated on change. This affected Daytona versions 0.101.0 through 0.184.0 and allowed unauthenticated access to ...

CVE-2026-48089

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create,...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: net: nexthop: Fixed the issue of “use-after-free” in removenhgrpentry. When removing a nexthop from a group, removenhgrpentry publishes the new group via rcuassignpointer, and then immediately frees the percpu stats of the remove...

New Forrester Total Economic Impact™ study projects a 124% ROI from unifying with Microsoft Security

Across many industries, organizations are unifying security and putting AI agents to work. Security teams are utilizing agents that reason, decide, and act on their behalf, under their governance. At Microsoft, we see this firsthand—more than 80% of the Fortune 500 are already using AI.1 The...

Adversarial Exposure Validation Turns Security Visibility into Confident Prioritization

For security teams, the findings never stop, but confidence in knowing which ones matter is becoming harder to maintain. The problem is no longer visibility. It's validation. Security teams must decide which findings warrant action while operating under constant pressure and incomplete informatio...

GHSA-WW63-PV5X-VFC8 Daytona: Public sandbox previews remain accessible for up to one hour after being made private

Summary Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. Impact When a sandbox owner changed a preview from...

Daytona: Public sandbox previews remain accessible for up to one hour after being made private

Summary Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. Impact When a sandbox owner changed a preview from...

CVE-2026-53844

OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that shoul...

CVE-2026-53844

OpenClaw vulnerability CVE-2026-53844 affects OpenClaw prior to version 2026.4.29, involving a session visibility check bypass in the shared memory search path. The issue enables authenticated callers to skip session visibility guards and access memory entries that should not be visible to their ...