
High-severity XXE disclosed across multiple WSO2 products
CVE-2024-2374 reports a High-severity XXE in multiple WSO2 products, enabling unauthenticated file reads, limited HTTP resource access, and denial of service via XML entity expansion.
Application security news, updated daily (if there is any news to share).

CVE-2026-5936 is a High-severity SSRF in `Foxit PDF Services API` that can pivot server-side requests to arbitrary destinations, impacting deployments listed as affected before 2026-04-07.

A GitHub-reviewed advisory says PraisonAI exposed an unauthenticated `/media-stream` WebSocket that proxies to OpenAI Realtime API, enabling DoS and paid-API credit exhaustion.

CVE-2026-35442 is a High-severity Directus flaw where authenticated users can bypass `conceal` masking via `min`/`max` + `groupBy`, exposing API tokens and TOTP secrets.

CVE-2026-34612 is a critical SQL injection in Kestra `< 1.3.7` that can escalate to OS command execution in default `docker-compose` deployments after login.

CVE-2026-0545 reports MLflow’s `/ajax-api/3.0/jobs/*` endpoints bypass `basic-auth`, allowing unauthenticated job submission and potentially unauthenticated RCE when job execution is enabled.

CVE-2026-34953 is a critical auth bypass in PraisonAI where arbitrary Bearer tokens authenticate to the MCP server, granting full tool and agent capability access.

Microsoft published a critical Azure Databricks SSRF elevation-of-privilege CVE that allows unauthenticated network attackers to escalate privileges within the hosted service.

CVE-2026-32871 is a critical SSRF/path traversal issue in `fastmcp` < `3.2.0`, letting MCP clients escape OpenAPI URL prefixes and hit arbitrary backend endpoints with provider auth headers.

CVE-2026-33286 is a critical Graphiti JSON:API write-path flaw allowing unauthenticated attackers to invoke arbitrary public model methods via crafted relationship names on exposed endpoints.

CVE-2026-28215 lets unauthenticated attackers overwrite self-hosted Hoppscotch infrastructure config via `POST /v1/onboarding/config`, exposing OAuth credentials and plaintext secrets.