CVE-2026-44933
CVSS 7.8
Daily digests
When PluginScript's chroot target is set to `/` (the system root), which is the default in many configurations, the chroot call is a no-op and confines nothing. Plugin scripts can therefore execute any binary on the host, such as `/bin/bash`, with root privileges. If you run this with the default `repoManagerRoot` or use the `--root` flag, your plugins have full host access.
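One way to fail closed on this condition, as an added example that is not the affected project's code: before launching a plugin, compare the chroot target's device and inode with those of `/` and refuse to run if they match. The function names `chroot_is_noop` and `confine_or_refuse` are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Repeated prototype so the block also builds under strict -std=c11. */
int chroot(const char *path);

/* Returns 1 if `target` is the host root (chroot would confine nothing),
 * 0 if it is a distinct directory, -1 if it cannot be inspected. */
int chroot_is_noop(const char *target)
{
    struct stat root_st, target_st;

    if (stat("/", &root_st) != 0 || stat(target, &target_st) != 0)
        return -1;
    if (!S_ISDIR(target_st.st_mode))
        return -1;
    /* Same device and inode as "/" means the same directory, however the
     * path is spelled: "/", "//", "/.", "/../", or a symlink to "/". */
    return root_st.st_dev == target_st.st_dev &&
           root_st.st_ino == target_st.st_ino;
}

/* Hypothetical guard to call before executing a plugin script: refuses
 * when the target is the host root or cannot be verified, otherwise
 * enters the chroot. Returns 0 only if confinement took effect. */
int confine_or_refuse(const char *target)
{
    int noop = chroot_is_noop(target);

    if (noop != 0) {
        fprintf(stderr, "refusing to run plugin: chroot target '%s' %s\n",
                target, noop == 1 ? "is the host root" : "cannot be verified");
        return -1;
    }
    if (chroot(target) != 0 || chdir("/") != 0) {
        perror("chroot");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./guard <chroot-target>; exits non-zero if not confined. */
    return confine_or_refuse(argc > 1 ? argv[1] : "/") == 0 ? 0 : 1;
}
```

A plain string comparison against `"/"` would miss equivalent spellings of the root, which is why the check compares device and inode instead.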