GHSA-P4V8-RW59-93CQ Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface

Impact A stored Cross-site Scripting XSS vulnerability exists on confirmation messages within the wagtail.contrib.simpletranslation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, cause...

BIT-DISCOURSE-2026-28218 Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12....

BIT-DISCOURSE-2026-26979 Discourse: TL4 users are able to change status of restricted topics

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available...

Security update for patch

This update for patch fixes the following issues: CVE-2021-45261: Clear range of pointers before they are used/freed bsc1194037. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively you can run the...

PT-2026-23004

Name of the Vulnerable Software and Affected Versions Ghost versions 0.7.2 through 6.19.0 Description Ghost, a Node.js content management system, is affected by a code execution issue. Maliciously crafted themes can execute arbitrary code on the server. It is recommended to avoid installing...

GHSA-GV46-4XFQ-JV58 OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway

Summary A remote code execution RCE vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters. Affected Component - Gateway method: node.invoke for node command...

EUVD-2026-9211

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...

CVE-2026-28396 NocoDB: Refresh Tokens Not Revoked on Password Reset

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...

CVE-2026-28361 NocoDB: Missing Ownership Validation in MCP Token Operations

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in...

CVE-2026-28361

CVE-2026-28361 affects NocoDB prior to version 0.301.3, where the MCP token service did not validate token ownership. This allowed a Creator within the same base to read, regenerate, or delete another user’s MCP tokens if the token ID was known. The issue is fixed in 0.301.3. Remediation: upgrade...

CVE-2026-28361 NocoDB: Missing Ownership Validation in MCP Token Operations

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in...

EUVD-2026-9209

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3...

CVE-2026-28357 NocoDB: Stored Cross-Site Scripting via Formula Cell

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI:: patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patche...

CVE-2025-52564

Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30...

EUVD-2025-208173

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows...

CVE-2025-50187

Chamilo is a learning management system. Prior to version 1.11.28, parameter from SOAP request is evaluated without filtering which leads to Remote Code Execution. This issue has been patched in version 1.11.28...

PT-2026-22560

Name of the Vulnerable Software and Affected Versions MediaTek chips affected versions not specified Description A logic error in the preloader component allows the reading of device unique identifiers. This can lead to local information disclosure if an attacker has physical access to the device...

PT-2026-22633

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...

PT-2026-22631

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3...

Android XR Bulletin—March 2026Stay organized with collectionsSave and categorize content based on your preferences.

The XR Security Bulletin contains details of security vulnerabilities affecting the XR platform. The full XR update comprises the security patch level of 2026-03-05 or later from the March 2026 Android Security Bulletin in addition to all issues in this bulletin. We encourage all customers to...