📄 PEGA Infinity Brute Force / Insecure Direct Object Reference

PEGA Infinity suffers from brute forcing and insecure direct object reference vulnerabilities. Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by the brute force issue. Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by the idor issue. SEC Consult Vulnerability Lab...

PT-2026-26657

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over...

PT-2026-26669

GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt remote dataset id function within src/gmt remote.c. This issue occurs when a speciall...

PT-2026-26542

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. An authorization bypass in the poll plugin allowed authenticat...

CVE-2026-29108

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVE-2026-33289 SuiterCRM has LDAP Filter Injection in Authentication Module

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding i...

CVE-2026-32099

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, when a user has hideprofile enabled, their bio, location, and website were still exposed through the user onebox preview. An authenticated user could request a onebox for a hidden user's...

CVE-2026-33394

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report /admin/reports/postedits leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access...

CVE-2026-33355 Discourse filters whisper posts from private-posts feed

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...

CVE-2026-33410 Discourse hardens chat DM channel creation and expansion

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...

CVE-2026-32099

Discourse (open-source platform) is vulnerable in versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 due to improper exposure of hidden profile fields (bio, location, website) in the user onebox preview. An authenticated user could request a onebox for a hidden profile URL and receive th...

CVE-2026-28282 Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a...

Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR

An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes e.g., ///, the internal validation logic fails to account for a single backslash \ bypass. When an Angular SSR application is...

CLSA-2026-1773930717 Fix CVE(s): CVE-2026-25210

SECURITY UPDATE: integer overflow in doContent tag buffer reallocation. - debian/patches/CVE-2026-25210.patch: add overflow check for tag buffer reallocation - CVE-2026-25210...

PT-2026-26359

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. A type coercion issue exists in a post actions API endpoint...

PT-2026-26438

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

PT-2026-26423

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. When a user has hide profile enabled, their bio, location, and...

PT-2026-26427

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse, an open-source discussion platform, has authorization issues within its chat direct message API...

PT-2026-26361

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse, an open-source discussion platform, is affected by a cross-site scripting issue. The system improper...

GHSA-P7M9-V2CM-2H7M HAPI FHIR HTTP authentication leak in redirects

Impact When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of...