
5 matches found

RedhatCVE
added 2026/03/26 3:16 p.m., 5 views

CVE-2026-33423

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, staff can modify any user's group notification level. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available...

CVSS 5.3, AI score 5.8, EPSS 0.00018
Exploits 0, References 1

CVE
added 2026/01/21 9:40 p.m., 8 views

CVE-2026-23526

CVAT (open-source annotation tool) versions 1.0.0–2.54.0 contain a privilege-escalation issue where users with staff status can freely change their permissions, including granting themselves superuser status and joining the admin group, thereby obtaining full access to data in the instance. The i...

CVSS 8.8, AI score 5.6, EPSS 0.00063
Exploits 0, References 2, Affected Software 1

ATTACKERKB
added 2026/01/21 9:40 p.m., 2 views

CVE-2026-23526

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to...

CVSS 8.5, AI score 5.4, EPSS 0.00063
Exploits 0, References 3, Affected Software 1

CVE
added 2025/09/16 12:0 a.m., 9 views

CVE-2025-56295

CVE-2025-56295 affects the code-projects Computer Laboratory System 1.0. The issue is a file upload vulnerability in the avatar modification flow, where the upload feature does not restrict file types, enabling staff to upload malicious PHP backdoor files. This can be leveraged to establish a web...

CVSS 7.3, AI score 6.5, EPSS 0.00034
Exploits 1, References 2, Affected Software 1

OSV
added 2025/09/08 9:27 p.m., 2 views

CVE-2025-58449 Maho Vulnerable to Authenticated Remote Code Execution via File Upload

Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the Dashboard and Catalog\Manage Products permissions can create a custom option on a listing with a file input field. By allowing file uploads with a .php extension, the user ca...

CVSS 8.7, AI score 7.8, EPSS 0.00201
Exploits 0, References 4