
CVE Vulnerabilities - 14 April 2026


761 vulnerabilities published on 14 April 2026

WWBN AVideo has an SSRF via same-domain hostname with alternate port bypassing isSSRFSafeURL
GHSA-j432-4w3j-3w8j
Summary: The `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain short-circuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SS...
7.7
goshs Exposes Folder Credentials on Public Collaborator Feed
GHSA-7h3j-592v-jcrp
When goshs is deployed without a global username and password, an attacker can intercept a user's folder credentials through the public collaborator feed and use them to access and modify files in the...
7.7
ColdFusion: Unauthorized Access to Files Through Path Traversal
CVE-2026-34619
ColdFusion versions 2023.18 and earlier have a security flaw that allows an attacker to access files they shouldn't be able to. This could happen without the user knowing, and it's a serious issue tha...
7.7
OpenStack Keystone Users Can Authenticate Even When Disabled in LDAP
CVE-2026-40683
OpenStack Keystone versions before 28.0.1 have a bug that allows users who are disabled in LDAP to still log in and access resources. This is a security concern for organizations using Keystone's LDAP...
7.7
Kyverno Allows Unauthorized Access to Internal Resources
GHSA-fmqp-4wfc-w3v7
Kyverno's APICall feature in multi-tenant Kubernetes environments can be exploited by low-privilege users to access sensitive data from other tenants, such as database passwords and API keys, without ...
7.7
Kyverno Policy Allows Unrestricted Access to Internal Resources
GHSA-fmqp-4wfc-w3v7
A vulnerability in Kyverno's APICall feature allows users with Policy creation permissions to access sensitive data from other tenants, breaking multi-tenant isolation. This means a malicious user cou...
7.7
Kyverno API Calls Can Be Tricked into Accessing Unauthorized Endpoints
GHSA-qr4g-8hrp-c4rw
Kyverno's API call feature can be exploited by authenticated users to make requests to any website or service, potentially revealing internal network information. This could happen if an attacker can ...
7.7
Kyverno has unrestricted outbound requests in Kyverno apiCall enabling SSRF
GHSA-qr4g-8hrp-c4rw
Summary: A Server-Side Request Forgery (SSRF) vulnerability in Kyverno allows authenticated users to induce the admission controller to send arbitrary HTTP requests to attacker-controlled endpoints...
7.7
Windows BitLocker Input Validation Weakness Allows Local Bypass
CVE-2026-27913
An attacker with physical access to a Windows system can potentially bypass BitLocker encryption by exploiting a weakness in input validation. This means they may be able to access encrypted data with...
7.7
Deno: Untrusted Input Can Bypass Permission Prompt
JLSEC-2026-106
Deno's permission prompts can be manipulated by an attacker using special terminal sequences. This allows an attacker to bypass Deno's security settings and potentially perform actions that the user d...
7.7
pyLoad: User Can Access Data After Permission Changes
GHSA-fj52-5g4h-gmq8
If an administrator changes a user's permissions, the user's session may still allow them to access data they shouldn't. This means a user who loses access to certain features can still use a valid se...
7.6
Denial of Service in .NET
CVE-2026-26171 GHSA-w3x6-4m5h-cxqf
An attacker can use a malicious request to consume excessive system resources, potentially causing .NET applications to become unresponsive or crash. This can impact the availability of affected syste...
7.5
Uncontrolled Loop in .NET, .NET Framework, Visual Studio Denies Network Access
CVE-2026-33116 GHSA-37gx-xxp4-5rgx
.NET, .NET Framework, and Visual Studio have a bug that can cause a computer to freeze or crash when processing certain network requests. This could prevent others from using the computer or network. ...
7.5
Microsoft .NET Spoofing Vulnerability in Network Communications
CVE-2026-32178 GHSA-vmwf-m9c5-3jvc
An attacker can use this vulnerability to trick a .NET application into thinking it's communicating with a trusted source, allowing unauthorized access to sensitive information. This affects .NET appl...
7.5
Go Markdown can crash when processing certain text inputs
GHSA-77fj-vx54-gvh7
A specific type of text input can cause the Go Markdown library to crash or behave unexpectedly. This can affect websites and applications that use Go Markdown to render text. To protect against this,...
7.5
Decidim's comments API allows access to all commentable resources
GHSA-ghmh-q25g-gxxx
Impact: The root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not...
7.5
Decidim: Anyone can accept or reject amendments
GHSA-w5xj-99cg-rccm
Any registered user can accept or reject amendments on proposals, giving them authorship, which could be a concern for proposal creators. This is a risk for anyone using Decidim's amendment feature. T...
7.5
Decidim: Anyone can accept or reject proposals
GHSA-w5xj-99cg-rccm
A security issue allows any registered user to accept or reject changes to proposals, potentially affecting the ownership and co-authorship of those proposals. This issue affects versions 0.19.0 and l...
7.5
ColdFusion versions 2023.18 and earlier: Attackers could bypass security features
CVE-2026-27282
Certain versions of ColdFusion are vulnerable to an input validation issue. An attacker could trick a user into doing something that lets them access the system without permission. To protect your sys...
7.5
Justhtml 1.16.0 fixes security risks in HTML sanitization
GHSA-4p64-v8f5-r2gx
Justhtml versions 1.15.0 and earlier have security weaknesses in how they handle certain HTML inputs. This can lead to malicious code being executed when sanitizing HTML. To fix this, update to Justht...
7.5
free5gc UDR Exposes Subscriber Info Without Login
GHSA-wrwh-rpq4-87hf CVE-2026-40245
An attacker can access sensitive subscriber information by sending a simple HTTP request to the free5gc UDR service. This is a concern for businesses and individuals who rely on the free5gc service, a...
7.5
Windows HTTP.sys Denial-of-Service Vulnerability
CVE-2026-33096
An attacker can crash Windows HTTP.sys, disrupting network services. This affects Windows systems with HTTP.sys enabled. Patch your Windows systems to prevent potential service disruptions.
7.5
Denial of Service in .NET and Visual Studio
CVE-2026-32203
A flaw in .NET and Visual Studio could allow an attacker to crash a service and disrupt access to it. This could happen if a malicious user sends a specially crafted request to the service. To protect...
7.5
Windows LSASS Service Can Be Crashed Remotely
CVE-2026-32071
A flaw in Windows LSASS service can allow an attacker to crash the service, making it unavailable to legitimate users. This can happen when an attacker sends a specific packet to the service. To prote...
7.5
Windows Server Update Service Tampering Vulnerability
CVE-2026-26154
The Windows Server Update Service has a flaw that allows a hacker to manipulate data sent over a network. This could allow an attacker to disrupt the update process or introduce malicious code. You sh...
7.5