What you need to know today.
Budibase and Gogs disclose critical remote code execution flaws, while OpenAM session token leakage and MotionEye path traversal add to the day's high-severity vulnerabilities.

Budibase disclosed a critical remote code execution vulnerability (CVE-2026-54350) in its query engine. The enrichContext function substitutes user-supplied parameter values directly into raw JSON query bodies before passing the result to JSON.parse, allowing an attacker to inject arbitrary JavaScript that gets executed on the server. This flaw affects all versions of the open-source low-code platform and requires no authentication to exploit. Budibase has released a patch in version 2.7.3; users should upgrade immediately given the critical severity and the lack of any preconditions for exploitation.
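As an added illustration (not Budibase's code), the substitution pattern described above in vulnerable and hardened form: a hypothetical enrichContextUnsafe splices parameter values into the JSON text before JSON.parse, so a value containing JSON syntax rewrites the query's structure, while enrichContextSafe parses first and substitutes only inside string values. The function names, the template and the hostile input are constructed for this example.

```javascript
// Added example, not Budibase code. Placeholder syntax, template and
// sample input are all assumptions made for illustration.
const PLACEHOLDER = /\{\{\s*(\w+)\s*\}\}/g;

// Vulnerable pattern: textual substitution into the raw JSON, then parse.
// Anything JSON-like in a parameter value becomes part of the document.
function enrichContextUnsafe(rawJsonTemplate, params) {
  const substituted = rawJsonTemplate.replace(PLACEHOLDER, (_, name) =>
    name in params ? String(params[name]) : ""
  );
  return JSON.parse(substituted);
}

// Hardened pattern: parse the trusted template first, then substitute
// placeholders only inside string leaves. A parameter can never add keys,
// change types, or otherwise alter the structure of the query.
function enrichContextSafe(rawJsonTemplate, params) {
  const tree = JSON.parse(rawJsonTemplate);
  const walk = (node) => {
    if (typeof node === "string") {
      return node.replace(PLACEHOLDER, (_, name) =>
        name in params ? String(params[name]) : ""
      );
    }
    if (Array.isArray(node)) return node.map(walk);
    if (node && typeof node === "object") {
      return Object.fromEntries(
        Object.entries(node).map(([k, v]) => [k, walk(v)])
      );
    }
    return node; // numbers, booleans and null pass through untouched
  };
  return walk(tree);
}

// Constructed query template with one user-controlled parameter.
const TEMPLATE = '{"filter": {"owner": "{{ user }}"}, "limit": 10}';

// Constructed untrusted value that closes the string and appends a key.
const HOSTILE = 'alice", "deleted": false, "x": "';

// Runs both variants on the same input so the difference can be compared.
function demo() {
  const params = { user: HOSTILE };
  return {
    unsafe: enrichContextUnsafe(TEMPLATE, params), // filter gains extra keys
    safe: enrichContextSafe(TEMPLATE, params),     // owner stays one string
  };
}
```

Parsing first only preserves the JSON structure; whatever consumes the enriched query (a datasource driver, a template engine) must still treat the substituted strings as data rather than code.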
Three critical vulnerabilities were disclosed in Gogs, the self-hosted Git service. CVE-2026-52806 allows authenticated users to achieve remote code execution by crafting a branch name that injects arguments into git rebase --exec during pull request merging. CVE-2026-52811 bypasses symlink checks during file upload operations, enabling arbitrary file writes. CVE-2026-52813 permits path traversal via organization names, allowing repositories to be stored and retrieved from arbitrary filesystem locations. All three flaws are critical severity and affect Gogs versions prior to 0.14.0. No public exploits have been reported yet, but the combination of RCE and file-write primitives makes this a high-priority patch for any Gogs deployment.
MotionEye, the popular video surveillance front-end, is affected by an absolute path traversal vulnerability (CVE-2026-55488). The media file handlers accept a user-controlled filename parameter without proper sanitization, allowing an attacker to read arbitrary files from the server's filesystem. This could expose configuration files, credentials, or other sensitive data. The vulnerability is rated high severity and affects all versions of MotionEye. No patch has been released as of this writing; users should restrict network access to the MotionEye web interface as a mitigating measure.
OpenAM (now under the OpenAM Consortium) disclosed two high-severity vulnerabilities. CVE-2026-45049 concerns the Cross-Domain Single Sign-On (CDSSO) servlet, which sends a logged-in user's raw session token to a URL controlled by the attacker, enabling session hijacking. CVE-2026-45048 allows a low-privileged authenticated user to retrieve active session credentials belonging to other users via an insufficiently authorized session management endpoint. Both vulnerabilities are rated high severity and affect OpenAM versions prior to 14.0.0. Given OpenAM's role as an enterprise identity provider, these flaws pose significant risk of lateral movement and privilege escalation in production environments.
Jenkins released its weekly security advisory (CVE-2026-57283), which addresses a cross-site request forgery (CSRF) vulnerability in the Pipeline: Groovy Plugin. The flaw allows an attacker to trick an authenticated Jenkins administrator into making unauthorized configuration changes, potentially leading to arbitrary code execution on the Jenkins controller. The vulnerability is rated moderate severity (CVSS 6.5). The Jenkins project has released updated versions of the affected plugin; as the Jenkins security advisory notes, administrators should update immediately given the plugin's widespread use in CI/CD pipelines.
KubeVirt disclosed a moderate-severity vulnerability (CVE-2026-13208) in the virt-handler component. The notify server trusts the VirtualMachineInstance (VMI) identity from unauthenticated gRPC request bodies, allowing an attacker to impersonate arbitrary VMs and potentially trigger unauthorized actions on the hypervisor. This affects KubeVirt deployments where the virt-handler service is exposed to untrusted networks. The KubeVirt team has released a patch; users should update their KubeVirt installation and ensure that virt-handler endpoints are not exposed outside the cluster.