All topics

open-source

31 pieces of writing

security13 min read

PCPJack, polyfill CDN and Bright Data SDK show supply chain attacks moving into runtime weaponisation

Supply chain compromise is shifting from static package poisoning towards runtime weaponisation, where trusted code becomes a credential harvester, traffic broker or covert infrastructure node after deployment.

security12 min read

Gogs, PraisonAI and KnowledgeDeliver show authentication bypass is a self-hosted platform design failure

security11 min read

GitHub Actions OIDC and TanStack show why 2026 supply chain attacks target release authority

maboloshi/github-chinese PR #692 fixed DOM XSS in translation results
vulnerability8 min read

maboloshi/github-chinese PR #692 fixed DOM XSS in translation results

maboloshi/github-chinese inserted third-party translation API responses into GitHub pages as HTML. PR #692 changes that untrusted response handling to text nodes.

RAGFlow PR #14803 removed a CWE-502 pickle RCE footgun from deserialize_b64
vulnerability7 min read

RAGFlow PR #14803 removed a CWE-502 pickle RCE footgun from deserialize_b64

getsentry/XcodeBuildMCP PR #289 hardens shell escaping in MCP tool execution
vulnerability9 min read

getsentry/XcodeBuildMCP PR #289 hardens shell escaping in MCP tool execution

AReaL PR #1323 refuses the default admin API key on network-facing proxy binds
vulnerability9 min read

AReaL PR #1323 refuses the default admin API key on network-facing proxy binds

AReaL's proxy rollout server used a public default admin API key while binding to a network interface by default. PR #1323 turns that insecure default into a startup failure.

Harbor PR #236 blocks CWE-78 in remote profile downloads
vulnerability7 min read

Harbor PR #236 blocks CWE-78 in remote profile downloads

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding
vulnerability7 min read

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding

CodeGraphContext PR #882 rejects write Cypher on /api/graph
vulnerability7 min read

CodeGraphContext PR #882 rejects write Cypher on /api/graph

CodeGraphContext's visualisation endpoint accepted arbitrary Cypher through /api/graph and passed it directly to Neo4j. PR #882 adds the missing read-only guard.

vulnerability9 min read

Project NOMAD PR #823: a hardcoded HMAC secret was real, but the fix was incomplete

Koodo Reader PR #1598 replaced wildcard CORS with an ALLOWED_ORIGINS allowlist
vulnerability8 min read

Koodo Reader PR #1598 replaced wildcard CORS with an ALLOWED_ORIGINS allowlist

vulnerability7 min read

checkcle PR #224 moved PocketBase JWTs out of localStorage

operacle/checkcle persisted PocketBase authentication JWTs in localStorage, making token theft trivial after any same-origin script execution. PR #224 replaces local persistence with an in-memory auth store.

mcp-searxng PR #71 fixed a CWE-1333 ReDoS in section extraction
vulnerability7 min read

mcp-searxng PR #71 fixed a CWE-1333 ReDoS in section extraction

security14 min read

Checkmarx KICS, npm Bitwarden CLI and GlassWorm show developer trust is the supply chain target