Self-Hosted
Gitea CVE-2026-20896: Docker Images Trusted a Spoofable Header for Admin Access, Now Under Active Probing
Gitea's official Docker images shipped with reverse-proxy header trust wide open by default, letting anyone who can reach the port impersonate any user including an admin — Sysdig has now caught the first in-the-wild probing, 13 days after disclosure.
Gogs 0-Day: Argument Injection in Rebase Merging Gives Any User RCE — and There's No Patch
Rapid7 disclosed an unpatched CVSS 9.4 RCE in Gogs. A malicious branch name injects --exec into git rebase during 'Rebase before merging,' giving any registered user code execution on the server. No CVE, no fix — only config-level mitigations.
Gitea CVE-2026-27771: Container Registry Hands Out Private Images Without Authentication, 30,000 Instances Exposed
A four-year-old flaw in Gitea's OCI container registry lets anyone on the internet pull images marked private. 30,000+ deployments are exposed, Forgejo inherits the bug, and the only real fix is upgrading to 1.26.2 or forcing sign-in for all content.
CrowdStrike LogScale CVE-2026-40050: Unauthenticated Path Traversal Reads Arbitrary Files (CVSS 9.8)
A critical unauthenticated path-traversal flaw (CVSS 9.8) in CrowdStrike LogScale Self-Hosted lets remote attackers read arbitrary server files via an exposed cluster API endpoint. SaaS already mitigated; on-prem operators must patch immediately.
Self-Hosted and Unprotected: The AI Workflow Tool Security Crisis
Langflow, Flowise, n8n, ComfyUI — every major self-hosted AI workflow tool has shipped unauthenticated RCE vulnerabilities in 2026. This isn't a coincidence. It's a structural failure baked into how these tools were designed.