vulnerability

94 pieces of writing

AReaL PR #1323 refuses the default admin API key on network-facing proxy binds

AReaL's proxy rollout server used a public default admin API key while binding to a network interface by default. PR #1323 turns that insecure default into a startup failure.

11 May 2026

vulnerability7 min read

Harbor PR #236 blocks CWE-78 in remote profile downloads

9 May 2026

vulnerability7 min read

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding

9 May 2026

vulnerability7 min read

CodeGraphContext PR #882 rejects write Cypher on /api/graph

CodeGraphContext's visualisation endpoint accepted arbitrary Cypher through /api/graph and passed it directly to Neo4j. PR #882 adds the missing read-only guard.

8 May 2026

vulnerability9 min read

Project NOMAD PR #823: a hardcoded HMAC secret was real, but the fix was incomplete

8 May 2026

vulnerability8 min read

Koodo Reader PR #1598 replaced wildcard CORS with an ALLOWED_ORIGINS allowlist

8 May 2026

vulnerability7 min read

checkcle PR #224 moved PocketBase JWTs out of localStorage

operacle/checkcle persisted PocketBase authentication JWTs in localStorage, making token theft trivial after any same-origin script execution. PR #224 replaces local persistence with an in-memory auth store.

6 May 2026

vulnerability7 min read

mcp-searxng PR #71 fixed a CWE-1333 ReDoS in section extraction

29 April 2026

vulnerability6 min read

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.

12 April 2026

vulnerability8 min read

full-stack-ai-agent-template's webhook service had a full read SSRF with response exfiltration

The webhook service in vstorm-co's full-stack-ai-agent-template accepted arbitrary URLs and stored HTTP responses in the database, creating a full read SSRF that could exfiltrate cloud metadata credentials. The fix adds DNS-aware URL validation at every code path.

9 April 2026

security11 min read

Seven authentication bypasses that keep shipping in 2025 and 2026: the same architectural antipatterns, rewritten in new frameworks

7 April 2026

ics8 min read

CVE-2025-10492: a Java deserialisation flaw in Jasper Report gives attackers remote code execution on Hitachi Energy Ellipse

6 April 2026

vulnerability5 min read

Edict's file:// handler let anyone read files outside the project directory (CWE-22)

The add_remote_skill endpoint in cft0808/edict applied path traversal protection to local and relative paths but skipped the file:// branch entirely. One .resolve() and an allowed_roots check closed the gap.

5 April 2026

vulnerability5 min read

AIPex's localhost daemon let any website control your browser through a WebSocket

3 April 2026

siemens6 min read

Two CVEs in Siemens SICAM 8 firmware expose three product families to unauthenticated denial of service

3 April 2026

Weekly digests

vulnerability

AReaL PR #1323 refuses the default admin API key on network-facing proxy binds

Harbor PR #236 blocks CWE-78 in remote profile downloads

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding

CodeGraphContext PR #882 rejects write Cypher on /api/graph

Project NOMAD PR #823: a hardcoded HMAC secret was real, but the fix was incomplete

Koodo Reader PR #1598 replaced wildcard CORS with an ALLOWED_ORIGINS allowlist

checkcle PR #224 moved PocketBase JWTs out of localStorage

mcp-searxng PR #71 fixed a CWE-1333 ReDoS in section extraction

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.

full-stack-ai-agent-template's webhook service had a full read SSRF with response exfiltration

Seven authentication bypasses that keep shipping in 2025 and 2026: the same architectural antipatterns, rewritten in new frameworks

CVE-2025-10492: a Java deserialisation flaw in Jasper Report gives attackers remote code execution on Hitachi Energy Ellipse

Edict's file:// handler let anyone read files outside the project directory (CWE-22)

AIPex's localhost daemon let any website control your browser through a WebSocket

Two CVEs in Siemens SICAM 8 firmware expose three product families to unauthenticated denial of service

Weekly threat intelligence digest — 2026-W19

Weekly threat intelligence digest — 2026-W17

Weekly threat intelligence digest — 2026-W16

Weekly threat intelligence digest — 2026-W15

Weekly threat intelligence digest — 2026-W14

Weekly threat intelligence digest — 2026-W13

Weekly threat intelligence digest — 2026-W12

Weekly threat intelligence digest — 2026-W11

Weekly threat intelligence digest — 2026-W10

Weekly threat intelligence digest — 2026-W09

Weekly threat intelligence digest — 2026-W08

Weekly threat intelligence digest — 2026-W07

Weekly threat intelligence digest — 2026-W06

Weekly threat intelligence digest — 2026-W05

Weekly threat intelligence digest — 2026-W04

Weekly threat intelligence digest — 2026-W03

Weekly threat intelligence digest — 2026-W02

Weekly threat intelligence digest — 2025-W52

Weekly threat intelligence digest — 2025-W51

Weekly threat intelligence digest — 2025-W50

Weekly threat intelligence digest — 2025-W49

Weekly threat intelligence digest — 2025-W48

Weekly threat intelligence digest — 2025-W47

Weekly threat intelligence digest — 2025-W46

Weekly threat intelligence digest — 2025-W45

Weekly threat intelligence digest — 2025-W44

Weekly threat intelligence digest — 2025-W43

Weekly threat intelligence digest — 2025-W42

Weekly threat intelligence digest — 2025-W41

Weekly threat intelligence digest — 2025-W40

Weekly threat intelligence digest — 2025-W39

Weekly threat intelligence digest — 2025-W38

Weekly threat intelligence digest — 2025-W37

Weekly threat intelligence digest — 2025-W36

Weekly threat intelligence digest — 2025-W35

Weekly threat intelligence digest — 2025-W34

Weekly threat intelligence digest — 2025-W33

Weekly threat intelligence digest — 2025-W32

Weekly threat intelligence digest — 2025-W31

Weekly threat intelligence digest — 2025-W30

Weekly threat intelligence digest — 2025-W29

Weekly threat intelligence digest — 2025-W28

Weekly threat intelligence digest — 2025-W27

Weekly threat intelligence digest — 2025-W26

Weekly threat intelligence digest — 2025-W25

Weekly threat intelligence digest — 2025-W24

Weekly threat intelligence digest — 2025-W23

Weekly threat intelligence digest — 2025-W21

Weekly threat intelligence digest — 2025-W20

Weekly threat intelligence digest — 2025-W19

Weekly threat intelligence digest — 2025-W17

Weekly threat intelligence digest — 2025-W16

Weekly threat intelligence digest — 2025-W15

Weekly threat intelligence digest — 2025-W13

Weekly threat intelligence digest — 2025-W12

Weekly threat intelligence digest — 2025-W11

Weekly threat intelligence digest — 2025-W10

Weekly threat intelligence digest — 2025-W07

Weekly threat intelligence digest — 2025-W06

Weekly threat intelligence digest — 2025-W05

Weekly threat intelligence digest — 2025-W03

Weekly threat intelligence digest — 2025-W02

Weekly threat intelligence digest — 2025-W01