EUVD-2026-13912

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions...

CVE-2026-33422

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ipaddress of a flagged user is exposed to any user who can access the review queue, including users who should not be able to see IP addresses. Versions 2026.3.0-latest.1, 2026.2.1, a...

CVE-2026-33426 Discourse users can edit or synonymize hidden tags they can't see

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users with tag-editing permissions could edit and create synonyms for tags hidden in restricted tag groups, even if they lacked visibility into those tags. Versions 2026.3.0-latest.1,...

CVE-2026-33180 HAPI FHIR HTTP authentication leak in redirects

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP...

AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN

Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact A logic error in CN Common Name validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid D...

CVE-2026-33143 OneUptime: WhatsApp Webhook Missing Signature Verification

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler /notification/whatsapp/webhook processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any...

CVE-2026-33143

CVE-2026-33143 (OneUptime) affects OneUptime prior to version 10.0.34. The WhatsApp POST webhook handler at /notification/whatsapp/webhook processes events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC, enabling unauthenticated attackers to forge webhook payloads. Impact includes m...

EUVD-2026-13496

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerControllermentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowednames referencing a hidden-membership grou...

CVE-2026-31805

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing...

CVE-2026-30891 Discourse hasUnauthorized Exposure of Private User Action Types

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a user could access another user's private activity due to insufficient authorization checks in the user actions endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a pat...

CVE-2026-30888

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents ToS, guidelines, privacy policy that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 conta...

CVE-2026-33063

CVE-2026-33063 affects free5GC AUSF prior to 1.4.2. The vulnerability is an improper nil check in GetSupiFromSuciSupiMap, which can panic when SuciSupiMap is nil, causing the AUSF authentication service to crash and deny service for deployments using the UE authentication endpoint /nausf-auth/v1/...

PT-2026-26768

Name of the Vulnerable Software and Affected Versions Syft versions prior to 1.42.3 Description Syft did not properly remove temporary files if temporary storage became full during a scan. This occurred when unpacking archives, specifically with large or highly compressed archives. The issue caus...

CVE-2026-29189

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL Access Control List checks on several endpoints, allowing authenticated users to access and manipulate data they...

EUVD-2026-13361

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service DoS vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue...

CVE-2026-33408

Discourse (open-source discussion platform) has a CVE-2026-33408 affecting versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The issue allows moderators to see the first 40 characters of post edits in private messages and private categories due to improper authorization. A patch exists...

EUVD-2026-13403

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds a...

CVE-2026-33355

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...

CVE-2026-33394 Discourse leaks PM post edits to moderators

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report /admin/reports/postedits leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access...

EUVD-2026-13337

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...