Security Advisories
Real-world vulnerabilities discovered and responsibly disclosed by turingpoint in widely used open-source and enterprise software.
Security Research
Published Advisories
turingpoint conducts active security research on widely used open-source and enterprise software. Many of the vulnerabilities listed below surfaced during penetration tests for our clients. Each finding was identified by us, reported to the vendor under coordinated disclosure, and published with a CVE identifier once a patch was available (one identifier is still pending). Security research made in Germany.
| Software | CVE | Finding | CVSS |
|---|---|---|---|
| Malcolm | CVE-2026-55676 | Authenticated RCE via unrestricted `.php` upload in the file-upload component (empty allowlist) | 8.8 · High |
| Cronicle | CVE-2026-55562 | Stored XSS in the `full_name` field of the Activity Log → code execution in the admin session | 9.0 · Critical |
| Tautulli | CVE-2026-45381 | Reflected XSS in the `/search` `query` parameter (incomplete escaping) → API key theft | 7.4 · High |
| Part-DB | CVE-2026-54630 | Authenticated RCE via `.phar` file upload served from `public/media` | 9.6 · Critical |
| FreeScout | CVE-2026-53595 | Anonymous account takeover via `/user-setup` with an empty `invite_hash` (MySQL trailing-space comparison) | 9.4 · Critical |
| ts3-manager | CVE-2026-54253 | Reflected XSS in the `/api/download` `port` parameter → theft of the operator session and ServerQuery password | 8.2 · High |
| Statamic | CVE-2026-54243 | CSV formula injection in form submission exports (anonymous field values exported without `EscapeFormula` neutralization) | 6.1 · Medium |
| Lemmy | CVE-2026-54743 | Stored XSS via Markdown image alt text (html5-embed) | 5.4 · Medium |
| Kestra | CVE-2026-53576 | Unauthenticated RCE via `/configs` auth-filter bypass → root in the container + host takeover | 10.0 · Critical |
| Wekan | CVE-2026-52890 | Arbitrary file read + DoS via `versions.original.path` in attachments | 7.1 · High |
| SiYuan | CVE-2026-54070 | Stored XSS in the Bazaar marketplace via a package README event-handler denylist bypass (JS executes in the admin origin) | 7.1 · High |
| OpenReplay | CVE-2026-55879 | Unauthenticated stored XSS via tracker event data (`TextEllipsis` `innerHTML`) → dashboard account takeover via the JWT in localStorage | 9.3 · Critical |
| OpenReplay | CVE-2026-55880 | Cross-user IDOR: a logged-in user deletes or modifies other users' private notes and dashboard widgets (missing `user_id` check) | 7.1 · High |
| NocoBase | CVE-2026-52887 | Unauthenticated SQL injection in `/api/myInAppChannels:list` (`$lt` filter) → RCE as PostgreSQL superuser | 10.0 · Critical |
| Mastodon | CVE-2026-50129 | Persistent federated DoS via unhandled `NoMethodError` in `MATH_TRANSFORMER` | 7.5 · High |
| Budibase | CVE-2026-54350 | Anonymous NoSQL operator injection via published PUBLIC queries (unescaped parameters in the JSON body) | 10.0 · Critical |
| Budibase | CVE-2026-54352 | Arbitrary file read by a workspace builder via a symlink in a PWA zip (`/data/.env` → JWT forgery → global admin) | 9.6 · Critical |
| NocoDB | CVE-2026-47387 | Stored XSS via a form view's `redirect_url` → account takeover | 8.7 · High |
| Headplane | CVE-2026-46484 | Path traversal + RBAC bypass in `renameNode` | 8.1 · High |
| authentik | CVE-2026-42849 | Reflected XSS in the SFE `AutosubmitStage` via OAuth2 `redirect_uri`/`state` | 9.3 · Critical |
| Argo CD | CVE-2026-45738 | Stored XSS via the `link.argocd.argoproj.io/*` annotation | 7.3 · High |
| ILIAS | pending | Blind SQL injection in the MyStaff lists via `_table_nav` (whitelist bypass) | 9.3 · Critical |
| Chamilo LMS | CVE-2026-45143 | Student-to-admin stored XSS in private messages via `v-html` | 9.0 · Critical |
| TYPO3 Core | CVE-2026-47348 | Stored XSS in the Indexed Search core system extension via unescaped page titles (`f:format.raw`) | 5.1 · Medium |
Coordinated Disclosure
turingpoint follows the principle of coordinated disclosure: vulnerabilities we find are first reported confidentially to the affected vendor and are documented publicly only once a patch is available. This gives users the opportunity to secure their systems before the technical details become known.
Put This Expertise to Work on Your Software
Our team finds critical vulnerabilities in production software before attackers do. Have your applications tested by the same specialists through a penetration test from turingpoint.
