🔴 CVE-2026-54350 - Critical (10)

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and,...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-54350/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🟠 CVE-2026-45807 - High (7.7)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying ...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-45807/

🔴 CVE-2026-53576 - Critical (10)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@filter("/api/v1/**")) treats any request whose path ends in /configs as the public instance-config endpoint and...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-53576/

🟠 CVE-2026-49984 - High (7.7)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attack...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-49984/

🔴 CVE-2026-49869 - Critical (10)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the c...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-49869/

🟠 CVE-2026-55069 - High (8.7)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the Postgre...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-55069/

🟠 CVE-2026-31928 - High (8.1)

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31928/

🔴 CVE-2026-28701 - Critical (9.8)

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28701/

🔴 CVE-2026-12415 - Critical (9.8)

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-12415/

🟠 CVE-2026-56082 - High (7.5)

Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishabl...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-56082/
