Recent Advisories

Severity | ID | Title | Vendor | Product | Date | Type

MEDIUM 5.9 | CVE-2026-44733 | OpenProject: Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements | opf | openproject < 17.3.2 |  | CVE
  OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, Business Logic Error on OpenProject through PATCH re...

MEDIUM 4.3 | CVE-2026-44732 | OpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "project_id" leads to Unauthorized Modification of Resources | opf | openproject < 17.3.2 |  | CVE
  OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used ...

MEDIUM 4.3 | CVE-2026-44731 | OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via "invited_user_id" in GET parameter "filters" leads to user names disclosure | opf | openproject < 17.3.2 |  | CVE
  OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks ...

MEDIUM 5.7 | CVE-2026-44696 | OpenProject: Stored CSS injection via Sanitize::Config::RELAXED[:css] enables phishing overlays and data exfiltration | opf | openproject < 17.4.0 |  | CVE
  OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sani...

HIGH 8.7 | CVE-2026-32833 | Cudy LT300 3.0 OS Command Injection via NTP Configuration | Shenzhen Cudy Technology Co., Ltd. | LT300 3.0 |  | CVE
  Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execu...

MEDIUM 5.3 | CVE-2026-29509 | Patool < 4.0.5 Path Traversal via safe_extract() Function | wummel | patool |  | CVE
  Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Pytho...

HIGH 8.5 | CVE-2026-54353 | Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation | Budibase | budibase < 3.39.9 |  | CVE
  Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist...

CRITICAL 9.6 | CVE-2026-54352 | Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload | Budibase | budibase < 3.39.9 |  | CVE
  Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a...

HIGH 8.2 | CVE-2026-54351 | Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override | Budibase | budibase < 3.39.9 |  | CVE
  Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full ...

CRITICAL 10 | CVE-2026-54350 | Budibase: Anonymous NoSQL operator injection via published-app query templates | Budibase | budibase < 3.39.12 |  | CVE
  Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of t...