CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

about 3 hours ago · GHSA-H343-GG57-2Q67 · Severity 10.0

CVE-2026-27574: Remote Code Execution in OneUptime Probe via VM Sandbox Escape

A critical Remote Code Execution (RCE) vulnerability exists in the OneUptime Probe component due to unsafe execution of user-supplied JavaScript. The application uses the standard Node.js `vm` module to run Synthetic Monitors, which does not provide a security boundary. Authenticated attackers, including low-privileged project members, can break out of the sandbox using prototype chain traversal to access the host process. This grants full access to the underlying server and critical cluster credentials, including database passwords and the master secret.

Amit Schendel · 4 views · 7 min read

about 5 hours ago · CVE-2026-30835 · Severity 6.9

CVE-2026-30835: Database Metadata Leak via Malformed Regex in Parse Server

Parse Server, a popular open-source backend framework, contains an information disclosure vulnerability in its query processing layer. The flaw manifests when the server processes malformed regular expression queries targeting the underlying database. Instead of returning a generic error message, the application propagates the raw database error object—containing internal cluster timestamps, topology information, and driver-specific error codes—directly to the API consumer. This exposure allows unauthenticated attackers to fingerprint the backend infrastructure and gather intelligence for subsequent attacks.

Alon Barad · 5 views · 7 min read

about 6 hours ago · CVE-2026-26018 · Severity 7.5

CVE-2026-26018: Remote Denial of Service in CoreDNS Loop Detection Plugin via Predictable PRNG

CoreDNS, the default DNS server for Kubernetes, contains a critical Denial of Service (DoS) vulnerability in its `loop` detection plugin. The plugin uses a non-cryptographically secure pseudo-random number generator (PRNG) seeded with the current timestamp to generate self-test query names. An unauthenticated remote attacker can predict this seed or observe the query in logs to craft a matching UDP packet. Upon receiving a response that matches the predictable query name, the CoreDNS process triggers a fatal error and terminates, leading to a complete service outage.

Alon Barad · 5 views · 5 min read

about 7 hours ago · CVE-2026-29064 · Severity 8.2

CVE-2026-29064: Path Traversal via Symlink Extraction in Zarf

A high-severity path traversal vulnerability exists in the archive extraction component of Zarf, an airgap-native Kubernetes package manager. The flaw allows malicious packages to write files outside the intended extraction directory via unvalidated symbolic links. This vulnerability affects Zarf versions 0.54.0 through 0.73.0 and is remediated in version 0.73.1.

Alon Barad · 6 views · 6 min read

about 7 hours ago · CVE-2026-30228 · Severity 6.9

CVE-2026-30228: Authorization Bypass in Parse Server Files API via readOnlyMasterKey

A high-severity authorization bypass exists in Parse Server's Files API, enabling holders of the `readOnlyMasterKey` to perform unauthorized write operations. While this key is architecturally intended to restrict access to read-only database queries, a logic flaw in the `FilesRouter` component permits it to bypass checks for file creation and deletion. This allows restricted administrators or compromised services possessing the read-only key to upload arbitrary files or delete existing assets, violating the integrity and availability of the application's file storage.

Alon Barad · 5 views · 5 min read

about 8 hours ago · CVE-2026-30241 · Severity 2.7

CVE-2026-30241: Missing Query Depth Validation in Mercurius GraphQL Subscriptions

A logic vulnerability in the Mercurius GraphQL adapter for Fastify allows attackers to bypass query depth limits using WebSocket subscriptions. While standard HTTP queries are validated against the configured `queryDepth`, subscription operations received via the WebSocket transport layer skip this check. This oversight allows unauthenticated remote attackers to submit arbitrarily nested queries, potentially leading to Denial of Service (DoS) via CPU and memory exhaustion when the subscription events are resolved.

Amit Schendel · 8 views · 5 min read

about 9 hours ago · CVE-2026-30229 · Severity 8.5

CVE-2026-30229: Privilege Escalation via Read-Only Master Key in Parse Server

A high-severity authorization bypass vulnerability exists in Parse Server's `/loginAs` endpoint. This administrative endpoint, designed to allow user impersonation, fails to strictly enforce scope restrictions on the provided master key. Consequently, an attacker possessing a `readOnlyMasterKey`—intended solely for data inspection—can successfully request a session token for any user, including full administrators. This results in a vertical privilege escalation from read-only access to full read/write capabilities across the entire application.

Alon Barad · 5 views · 6 min read

about 9 hours ago · GHSA-9R75-G2CR-3H76 · Severity 7.5

GHSA-9r75-g2cr-3h76: Predictable Webhook Tokens in Vercel Workflow

A high-severity vulnerability exists in the Vercel Workflow DevKit (`@workflow/core`) affecting the `createWebhook()` function. The vulnerability allows developers to manually specify predictable tokens for public webhook endpoints, leading to an Insecure Direct Object Reference (IDOR) flaw. Unauthenticated attackers can guess these tokens (e.g., `github_webhook:repo_name`) and send malicious POST requests to resume paused workflows, inject data, or trigger unauthorized state transitions. The vendor has patched this by removing the ability to specify custom tokens in favor of mandatory cryptographically secure identifiers.

Amit Schendel · 8 views · 5 min read

about 11 hours ago · CVE-2026-26017 · Severity 7.7

CVE-2026-26017: CoreDNS ACL Bypass via TOCTOU in Plugin Chain

A logical vulnerability in CoreDNS versions prior to 1.14.2 allows attackers to bypass access control lists (ACLs) via a Time-of-Check Time-of-Use (TOCTOU) flaw. The default plugin execution order processes security enforcement plugins (such as `acl`, `firewall`, and `opa`) before the `rewrite` plugin. Consequently, an attacker can query a permitted domain name that is subsequently rewritten to a restricted internal domain, bypassing the intended security policies and resolving the restricted target.

Amit Schendel · 5 views · 5 min read

about 11 hours ago · CVE-2026-3419 · Severity 5.3

CVE-2026-3419: Content-Type Validation Bypass in Fastify via Missing Regex Anchor

Fastify, a high-performance web framework for Node.js, contains a validation bypass vulnerability in its `Content-Type` header parsing logic. Due to an incomplete regular expression in `lib/content-type.js`, the framework fails to enforce the end-of-string anchor (`$`) when validating media subtypes. This omission allows attackers to supply malformed `Content-Type` headers containing illegal trailing characters (e.g., `application/json garbage`), which Fastify incorrectly accepts as valid. This behavior violates RFC 9110 §8.3.1 and can lead to parser confusion where malicious payloads are routed to incorrect content parsers, potentially bypassing security controls or triggering unexpected application behavior.

Alon Barad · 4 views · 4 min read

about 12 hours ago · CVE-2026-29783 · Severity 7.5

CVE-2026-29783: Command Injection via Bash Parameter Expansion in GitHub Copilot CLI

A critical command injection vulnerability exists in the GitHub Copilot CLI's shell safety assessment layer, affecting versions 0.0.422 and prior. The vulnerability allows attackers to bypass the CLI's "read-only" safety checks by leveraging advanced Bash parameter expansion features, specifically prompt expansion (`${var@P}`) and assignment operators. When the CLI processes a seemingly benign command containing these payloads, the shell evaluates the expansion, resulting in arbitrary code execution on the user's workstation.

Amit Schendel · 5 views · 6 min read

1 day ago · GHSA-FWHJ-785H-43HH · Severity 7.5

GHSA-FWHJ-785H-43HH: Denial of Service via Null Pointer Dereference in OliveTin

A Null Pointer Dereference vulnerability has been identified in OliveTin, an open-source web interface for shell commands. The flaw exists within the API handlers responsible for action execution and management, specifically allowing unauthenticated remote attackers to trigger a server-side panic. By manipulating the sequence of API calls, an attacker can create an invalid internal state that crashes the application process, resulting in a Denial of Service (DoS).

Amit Schendel · 4 views · 6 min read

Automated vulnerability intelligence. 1,002+ reports.