vulnerability

103 pieces of writing

Gogs, PraisonAI and KnowledgeDeliver show authentication bypass is a self-hosted platform design failure

Gogs, PraisonAI and KnowledgeDeliver show why authentication bypass in self-hosted platforms is often an architectural failure, not a missing if statement.

2 June 2026

vulnerability8 min read

maboloshi/github-chinese PR #692 fixed DOM XSS in translation results

17 May 2026

vulnerability7 min read

RAGFlow PR #14803 removed a CWE-502 pickle RCE footgun from deserialize_b64

15 May 2026

vulnerability9 min read

getsentry/XcodeBuildMCP PR #289 hardens shell escaping in MCP tool execution

getsentry/XcodeBuildMCP accepted MCP tool parameters that could reach /bin/sh -c through unsafe double-quote escaping. PR #289 replaces that path with POSIX single-quote escaping and adds regression coverage.

14 May 2026

vulnerability9 min read

AReaL PR #1323 refuses the default admin API key on network-facing proxy binds

11 May 2026

vulnerability7 min read

Harbor PR #236 blocks CWE-78 in remote profile downloads

9 May 2026

vulnerability7 min read

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding

Softeria's ms-365-mcp-server forwarded client-supplied OAuth redirect_uri values to Microsoft Entra without local validation. PR #456 adds scheme checks, loopback-only HTTP defaults and an exact-match allowlist for hosted deployments.

9 May 2026

vulnerability7 min read

CodeGraphContext PR #882 rejects write Cypher on /api/graph

8 May 2026

vulnerability9 min read

Project NOMAD PR #823: a hardcoded HMAC secret was real, but the fix was incomplete

8 May 2026

vulnerability8 min read

Koodo Reader PR #1598 replaced wildcard CORS with an ALLOWED_ORIGINS allowlist

Koodo Reader's optional HTTP server advertised Access-Control-Allow-Origin: * with credentials enabled. PR #1598 removes the wildcard, rejects untrusted cross-origin requests and adds an ALLOWED_ORIGINS allowlist.

8 May 2026

vulnerability7 min read

checkcle PR #224 moved PocketBase JWTs out of localStorage

6 May 2026

vulnerability7 min read

mcp-searxng PR #71 fixed a CWE-1333 ReDoS in section extraction

29 April 2026

vulnerability6 min read

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.

A CWE-22 path traversal in NVIDIA's RAG Blueprint MCP server allowed any MCP client to read arbitrary files and ingest them into the RAG collection. We submitted the fix and NVIDIA merged it.

12 April 2026

vulnerability8 min read

full-stack-ai-agent-template's webhook service had a full read SSRF with response exfiltration

9 April 2026

security11 min read

Seven authentication bypasses that keep shipping in 2025 and 2026: the same architectural antipatterns, rewritten in new frameworks

7 April 2026

Weekly digests

vulnerability

Gogs, PraisonAI and KnowledgeDeliver show authentication bypass is a self-hosted platform design failure

maboloshi/github-chinese PR #692 fixed DOM XSS in translation results

RAGFlow PR #14803 removed a CWE-502 pickle RCE footgun from deserialize_b64

getsentry/XcodeBuildMCP PR #289 hardens shell escaping in MCP tool execution

AReaL PR #1323 refuses the default admin API key on network-facing proxy binds

Harbor PR #236 blocks CWE-78 in remote profile downloads

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding

CodeGraphContext PR #882 rejects write Cypher on /api/graph

Project NOMAD PR #823: a hardcoded HMAC secret was real, but the fix was incomplete

Koodo Reader PR #1598 replaced wildcard CORS with an ALLOWED_ORIGINS allowlist

checkcle PR #224 moved PocketBase JWTs out of localStorage

mcp-searxng PR #71 fixed a CWE-1333 ReDoS in section extraction

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.

full-stack-ai-agent-template's webhook service had a full read SSRF with response exfiltration

Seven authentication bypasses that keep shipping in 2025 and 2026: the same architectural antipatterns, rewritten in new frameworks

Weekly threat intelligence digest — 2026-W25

Weekly threat intelligence digest — 2026-W23

Weekly threat intelligence digest — 2026-W22

Weekly threat intelligence digest — 2026-W21

Weekly threat intelligence digest — 2026-W20

Weekly threat intelligence digest — 2026-W19

Weekly threat intelligence digest — 2026-W17

Weekly threat intelligence digest — 2026-W16

Weekly threat intelligence digest — 2026-W15

Weekly threat intelligence digest — 2026-W14

Weekly threat intelligence digest — 2026-W13

Weekly threat intelligence digest — 2026-W12

Weekly threat intelligence digest — 2026-W11

Weekly threat intelligence digest — 2026-W10

Weekly threat intelligence digest — 2026-W09

Weekly threat intelligence digest — 2026-W08

Weekly threat intelligence digest — 2026-W07

Weekly threat intelligence digest — 2026-W06

Weekly threat intelligence digest — 2026-W05

Weekly threat intelligence digest — 2026-W04

Weekly threat intelligence digest — 2026-W03

Weekly threat intelligence digest — 2026-W02

Weekly threat intelligence digest — 2025-W52

Weekly threat intelligence digest — 2025-W51

Weekly threat intelligence digest — 2025-W50

Weekly threat intelligence digest — 2025-W49

Weekly threat intelligence digest — 2025-W48

Weekly threat intelligence digest — 2025-W47

Weekly threat intelligence digest — 2025-W46

Weekly threat intelligence digest — 2025-W45

Weekly threat intelligence digest — 2025-W44

Weekly threat intelligence digest — 2025-W43

Weekly threat intelligence digest — 2025-W42

Weekly threat intelligence digest — 2025-W41

Weekly threat intelligence digest — 2025-W40

Weekly threat intelligence digest — 2025-W39

Weekly threat intelligence digest — 2025-W38

Weekly threat intelligence digest — 2025-W37

Weekly threat intelligence digest — 2025-W36

Weekly threat intelligence digest — 2025-W35

Weekly threat intelligence digest — 2025-W34

Weekly threat intelligence digest — 2025-W33

Weekly threat intelligence digest — 2025-W32

Weekly threat intelligence digest — 2025-W31

Weekly threat intelligence digest — 2025-W30

Weekly threat intelligence digest — 2025-W29

Weekly threat intelligence digest — 2025-W28

Weekly threat intelligence digest — 2025-W27

Weekly threat intelligence digest — 2025-W26

Weekly threat intelligence digest — 2025-W25

Weekly threat intelligence digest — 2025-W24

Weekly threat intelligence digest — 2025-W23

Weekly threat intelligence digest — 2025-W21

Weekly threat intelligence digest — 2025-W20

Weekly threat intelligence digest — 2025-W19

Weekly threat intelligence digest — 2025-W17

Weekly threat intelligence digest — 2025-W16

Weekly threat intelligence digest — 2025-W15

Weekly threat intelligence digest — 2025-W13

Weekly threat intelligence digest — 2025-W12

Weekly threat intelligence digest — 2025-W11

Weekly threat intelligence digest — 2025-W10

Weekly threat intelligence digest — 2025-W07

Weekly threat intelligence digest — 2025-W06