CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2026-27730 • 25 minutes ago • severity 8.6

The Proxy that Talked Too Much: Breaking esm.sh with SSRF

A critical Server-Side Request Forgery (SSRF) vulnerability in esm.sh allowed attackers to bypass string-based hostname validation using DNS aliases. By masking internal IP addresses behind innocent-looking domain names, attackers could trick the CDN into scanning local networks or retrieving cloud metadata. While a patch attempted to pin hosts during redirects, the fundamental flaw of validating hostnames before DNS resolution remains a classic example of 'checking the ID card but ignoring the face'.

Amit Schendel • 2 views • 6 min read
CVE-2026-27577 • about 1 hour ago • severity 9.4

n8n RCE: When the Sandbox Becomes a Launchpad

A critical Sandbox Escape vulnerability in n8n allows authenticated users (and potentially unauthenticated ones via a logic flaw) to break out of the JavaScript and Python execution environments. By exploiting flaws in the `PrototypeSanitizer` involving spread operators and variable shadowing, attackers can access the host process's internal objects, leading to full Remote Code Execution (RCE).

Amit Schendel • 6 views • 7 min read
CVE-2026-27794 • about 1 hour ago • severity 6.6

Cache Me If You Can: LangGraph RCE via Pickle

LangGraph, the brain behind many stateful LLM agents, contained a critical deserialization vulnerability in its caching layer. By defaulting to Python's insecure `pickle` module for fallback serialization, the library opened a backdoor for attackers with write access to the cache backend (like Redis) to execute arbitrary code on the application server. It turns out that trusting serialized data from your cache is just as dangerous as trusting user input directly.

Amit Schendel • 2 views • 5 min read
CVE-2026-27804 • about 1 hour ago • severity 9.3

Trust Issues: How a JWT Header Toppled Parse Server Authentication

A critical vulnerability in Parse Server's authentication adapters allows for complete Account Takeover (ATO) via JWT algorithm confusion. By trusting the 'alg' header in user-provided tokens, attackers can bypass signature verification using the 'none' algorithm or exploit key confusion attacks to impersonate any user on the platform without credentials.

Amit Schendel • 5 views • 6 min read
CVE-2026-27795 • about 2 hours ago • severity 4.1

The Chain Breaker: Bypassing LangChain's SSRF Guards

A sophisticated Server-Side Request Forgery (SSRF) bypass was discovered in the `@langchain/community` package, specifically within the `RecursiveUrlLoader`. Despite previous attempts to secure this component against internal network scanning, the implementation failed to handle HTTP redirects manually. This allowed attackers to supply a benign, validated URL that subsequently redirected the server's HTTP client to sensitive internal resources (like AWS Metadata services or local admin panels), completely bypassing the initial security checks. This vulnerability highlights the classic 'Check-Then-Act' race condition in web security.

Amit Schendel • 12 views • 5 min read
CVE-2026-27822 • about 2 hours ago • severity 9.1

RustFS & The PDF Trojan: Anatomy of a Critical Stored XSS

While the world rushes to rewrite everything in Rust to escape the nightmare of memory corruption, we are reminded that logic bugs and web vulnerabilities don't care about your borrow checker. CVE-2026-27822 is a critical Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Management Console. By exploiting the PDF preview functionality, an attacker can turn a simple file upload into a weaponized payload that executes arbitrary JavaScript in the context of an administrator's session. This isn't just a pop-up alert; it's a full administrative account takeover via `localStorage` exfiltration, granting total control over the distributed object storage system.

Amit Schendel • 12 views • 6 min read
CVE-2026-27695 • about 3 hours ago • severity 4.3

The 1,000 WCU Ceiling: Crashing zae-limiter with DynamoDB Hot Partitions

A deep dive into an architectural race condition in the `zae-limiter` library where the promise of 'infinite scale' collides with the hard reality of DynamoDB physical partition limits. By funneling all rate-limiting state for a single entity into one partition key, the library inadvertently created a 'hot partition' bottleneck. This allows attackers to trigger a denial of service (DoS) simply by exceeding 1,000 write units per second, turning the rate limiter—the very tool designed to prevent floods—into the point of failure.

Amit Schendel • 5 views • 6 min read
GHSA-X43W-PH7M-PFJX • about 3 hours ago • severity 8.7

Suicide by Plugin: Use-After-Free in HexChat Rust Bindings

Rust promises memory safety, but when you dance with C libraries via FFI, that promise relies entirely on the quality of the glue code. The `hexchat` crate, a set of Rust bindings for the popular IRC client, contains a fatal flaw in how it manages command lifecycles. By allowing a command callback to capture its own handle and deregister itself during execution, the library enables a classic Use-After-Free scenario. Coupled with thread-safety lies (macros marked safe that aren't), this unmaintained crate serves as a textbook example of how 'Safe Rust' can still segfault if the foundations are rotten.

Alon Barad • 5 views • 6 min read
CVE-2026-3105 • about 4 hours ago • severity 7.6

Mautic SQLi: When "Order By" Becomes "Pwned By"

Mautic, the open-source darling of marketing automation, recently patched a high-severity SQL Injection vulnerability (CVE-2026-3105) that turns a mundane API sorting feature into a database exfiltration pipeline. By failing to validate the direction of a sort (ASC/DESC), the application allowed attackers to append arbitrary SQL commands directly into the query structure. This deep dive explores how a classic 'Order By' injection works in modern ORM environments and why input validation remains the unshakeable law of the land.

Amit Schendel • 11 views • 6 min read
CVE-2026-25734 • about 4 hours ago • severity 6.1

Science vs. Scripting: Stored XSS in Rucio WebUI

Rucio, the data management titan used by CERN and other scientific behemoths, suffered from a classic web vulnerability: Stored Cross-Site Scripting (XSS). Buried within the Rucio Storage Element (RSE) metadata handling, the WebUI blindly trusted backend data, rendering it directly into the DOM via unsafe jQuery methods. This allows an attacker with RSE configuration privileges to plant malicious JavaScript payloads that execute in the browser of any administrator viewing the storage details, leading to session hijacking and potential compromise of massive scientific datasets.

Amit Schendel • 8 views • 6 min read
CVE-2026-25735 • about 5 hours ago • severity 6.1

Rucio WebUI: When Scientific Data Management Meets Unsanitized jQuery

A critical Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Rucio WebUI, the interface for the open-source scientific data management framework used by major research institutions. The flaw stems from the insecure use of jQuery manipulation methods—specifically `.html()`, `.append()`, and `.after()`—to render user-controlled data retrieved from the backend API. By injecting malicious JavaScript into the 'Identity Name' field of an account, an attacker can persist a payload that executes in the browser of any administrator who views that account's details. The impact is exacerbated by a lack of defense-in-depth measures: session cookies lack the `HttpOnly` flag, and authentication tokens are exposed as global variables, making full account takeover trivial.

Amit Schendel • 6 views • 6 min read
CVE-2026-25736 • about 5 hours ago • severity 6.1

Science Gone Wrong: Stored XSS in Rucio WebUI

Rucio, the data management heavyweight used by CERN and the scientific community to juggle petabytes of physics data, has a soft underbelly: its WebUI. A Stored Cross-Site Scripting (XSS) vulnerability exists in the RSE (Rucio Storage Element) attribute management system. By injecting malicious JavaScript into storage attributes, an attacker can turn the administrative dashboard into a weapon, executing arbitrary code in the browser of any admin who views the details. Coupled with a lack of `HttpOnly` cookies and globally exposed auth tokens, this is a textbook session hijacking vector.

Amit Schendel • 7 views • 5 min read

Automated vulnerability intelligence. 806+ reports.