A deep dive into CVE-2026-27465, where Fleet Device Management inadvertently exposed Google Calendar Service Account private keys to low-privileged users via the application configuration API. This vulnerability highlights the dangers of implicit serialization in Go and the risks of treating configuration data as a 'catch-all' bucket.
A classic example of a failed patch. The popular dottie.js library attempted to fix a prototype pollution vulnerability by blocking malicious keys, but only checked the first segment of the property path. Attackers could simply nest their payload one level deep to bypass the check completely.
A critical resource exhaustion vulnerability in the popular pypdf library allows attackers to crash applications by supplying a malicious PDF. The flaw lies in the handling of XML Forms Architecture (XFA) streams, where a 'zip bomb' technique can trigger unbounded memory allocation.
A classic case of 'logging too much,' the Linode Terraform Provider (prior to v3.9.0) treated debug logs as a confessional booth, whispering root passwords, SSL keys, and user data to anyone listening. By dumping entire Go structs into the log stream, developers inadvertently exposed critical secrets in CI/CD environments where debug mode was enabled.
A critical flaw in the Storybook development server allows attackers to hijack the WebSocket connection from a malicious website via Cross-Site WebSocket Hijacking (CSWSH). Because the server failed to validate the `Origin` header or require authentication, a drive-by attack can silently connect to a developer's local instance, overwrite files, and achieve Remote Code Execution (RCE) on the developer's machine.
A path traversal vulnerability in the Model Context Protocol (MCP) Git server allows attackers (or confused LLMs) to stage and commit files outside the repository root. By abusing the `git_add` tool, sensitive host files can be added to the git index and exfiltrated via a push.
A critical Server-Side Request Forgery (SSRF) vulnerability in Mailpit's Link Check API allows unauthenticated remote attackers to map internal networks and enumerate cloud metadata. By injecting malicious URLs into emails and triggering the application's automated link verification, attackers can force the server to issue HTTP requests to arbitrary destinations, bypassing network segmentation.
A deep dive into a series of memory corruption and logic flaws within the `psd-tools` Python library. These flaws stem from the complex nature of Adobe's PSD format and allow attackers to trigger massive memory exhaustion (zip bombs), integer overflows in Cython modules, and bypasses of critical integrity checks in production environments. It highlights the dangers of parsing untrusted binary formats without strict bounds checking.
A classic string validation error in the TerriaJS-Server proxy controller allowed attackers to bypass domain allowlists. By relying on a primitive `indexOf` check to validate hostnames, the server failed to distinguish between legitimate subdomains and malicious domains sharing a common suffix. This vulnerability transforms the geospatial data server into an open proxy, enabling Server-Side Request Forgery (SSRF) and potential network scanning.
n8n, the beloved workflow automation tool that glues the internet together, has patched a critical SQL Injection vulnerability affecting its Microsoft SQL, MySQL, and PostgreSQL nodes. The flaw allowed attackers with workflow editing permissions—or external actors feeding data into dynamic workflow inputs—to break out of SQL contexts via unsanitized table identifiers, LIMIT clauses, and WHERE conditions. This wasn't just a simple query manipulation; in some database configurations, it effectively handed over the keys to the kingdom, allowing for arbitrary command execution and total data exfiltration.
A critical look at how n8n, the popular workflow automation tool, left the door wide open for webhook forgery. For years, the GitHub Trigger node failed to verify cryptographic signatures, allowing anyone who guessed the webhook URL to masquerade as GitHub. Combined with a flaw where webhook IDs were preserved during workflow copying, this vulnerability created a perfect storm for unauthorized workflow execution and potential lateral movement.
A critical vulnerability in Vikunja's restore functionality allows for arbitrary file overwrites via Path Traversal (Zip Slip) and permanent data loss due to improper error handling. The application destructively wipes the existing database before validating the integrity of the backup archive, leading to potential Denial of Service (DoS) or Remote Code Execution (RCE).