
jq patches HashDoS CPU exhaustion via hardcoded hash seed
CVE-2026-40164 reports a High-severity algorithmic complexity DoS in `jq` where crafted JSON keys trigger O(n²) CPU exhaustion in CI/CD, services, and scripts.
Application security news, updated daily (if there is any news to share).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.

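The jq item at the top of this page describes the HashDoS class: a hash table whose hash function an attacker can predict lets them craft keys that all land in one bucket, so inserts degrade from O(1) to O(n) each and O(n²) overall. The following is an added example (not jq's code; the `weak_hash` function is a hypothetical djb2-style stand-in, and the hash table and bucket count are constructed for illustration). It builds a set of colliding keys, counts the key comparisons a chained table performs with a fixed-seed hash versus a keyed hash with a per-process secret, and shows why the keyed variant is the fix rather than a different constant.

```python
"""HashDoS demonstration: predictable hash vs. keyed hash (added example)."""
import hashlib
import itertools
import math
import secrets

BUCKETS = 1024  # constructed bucket count; collisions are resolved by chaining


def weak_hash(key: str, seed: int = 5381) -> int:
    """djb2-style multiplicative hash with a fixed seed.

    Hypothetical stand-in for any unkeyed hash; this is NOT jq's hash function.
    """
    h = seed
    for ch in key:
        h = (h * 33 + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(key: str, secret: bytes) -> int:
    """Keyed hash (BLAKE2b in keyed mode). Without `secret`, an attacker
    cannot precompute which keys share a bucket."""
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(n: int) -> list[str]:
    """Return n distinct keys with identical weak_hash output.

    'Aa' and 'B@' satisfy 33*ord('A')+ord('a') == 33*ord('B')+ord('@') == 2242,
    so either block moves any running state h to the same value; concatenating
    k such blocks yields 2**k colliding strings. The seed contributes the same
    term to every key, so the collisions hold for ANY seed value.
    """
    blocks = ("Aa", "B@")
    k = max(1, math.ceil(math.log2(n)))
    keys = ["".join(combo) for combo in itertools.product(blocks, repeat=k)]
    return keys[:n]


class ChainedTable:
    """Minimal chained hash table that counts key comparisons, i.e. the work
    an attacker inflates."""

    def __init__(self, hash_fn):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(BUCKETS)]
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        bucket = self.buckets[self.hash_fn(key) % BUCKETS]
        for i, (existing, _) in enumerate(bucket):
            self.comparisons += 1
            if existing == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def comparisons_for(hash_fn, keys) -> int:
    """Insert every key and return the total comparisons performed."""
    table = ChainedTable(hash_fn)
    for i, key in enumerate(keys):
        table.insert(key, i)
    return table.comparisons


def demo(n: int = 1024) -> tuple[int, int]:
    """Return (comparisons with fixed-seed hash, comparisons with keyed hash)."""
    keys = colliding_keys(n)
    worst = comparisons_for(weak_hash, keys)            # n*(n-1)/2: quadratic
    secret = secrets.token_bytes(16)                     # fresh per process
    keyed = comparisons_for(lambda k: keyed_hash(k, secret), keys)
    return worst, keyed


if __name__ == "__main__":
    worst, keyed = demo()
    print(f"fixed-seed hash: {worst} comparisons; keyed hash: {keyed} comparisons")
```

For 1024 keys the fixed-seed table performs 523,776 comparisons while the keyed table stays in the hundreds. The caveat worth noting: for this toy multiplicative hash the crafted keys collide regardless of the seed, so merely randomizing the seed of such a hash would not help; the collisions have to depend on a secret the attacker cannot learn, which is what the keyed construction provides. Whether jq's own hash has that property is not something this example establishes.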
CVE-2026-28291 reports a High-severity command-execution bypass in `simple-git` (aka `git-js`) where alternative spellings of Git command-line options evade its blocklist-based safety checks, affecting versions `< 3.32.0`.

CVE-2026-33475 discloses a critical shell-injection flaw in Langflow’s GitHub Actions workflows that lets attackers run commands via branch/PR names and steal CI secrets.

An OpenSSF Siren advisory reports an automated campaign ("hackerbot-claw") actively exploiting insecure GitHub Actions workflows to run code and exfiltrate CI credentials.
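The Langflow CVE and the "hackerbot-claw" campaign above both rely on the same mechanism: a workflow step that interpolates attacker-controlled event data (a PR title, branch name, issue body) directly into a `run:` script with `${{ ... }}`. The runner substitutes the value into the script text before the shell parses it, so shell metacharacters in the value become code. The following is an added example, not code from Langflow, OpenSSF, or the GitHub runner: `render` is a hypothetical, simplified emulation of expression substitution, and the attacker PR title and step templates are constructed. It contrasts the injectable step with the standard hardening of passing the value through an environment variable.

```python
"""GitHub Actions expression injection, emulated locally (added example)."""
import os
import shutil
import subprocess
from typing import Dict, Optional

# Step as written in a vulnerable workflow: the expression is interpolated
# into the script text.
VULNERABLE_STEP = 'echo "Building: ${{ github.event.pull_request.title }}"'

# Hardened step: the workflow sets `env: PR_TITLE: ${{ github.event.pull_request.title }}`
# and the script only references the variable, so the value is data, not code.
HARDENED_STEP = 'echo "Building: $PR_TITLE"'

# Constructed attacker-controlled PR title. (Branch names are more constrained
# by git ref rules, but still allow quotes, ';' and '$', so the same idea applies.)
ATTACKER_TITLE = 'Fix build"; echo INJECTED; echo "'


def render(template: str, context: Dict[str, str]) -> str:
    """Hypothetical emulation of the runner: every `${{ name }}` is replaced
    textually with its value BEFORE the shell ever sees the script."""
    script = template
    for name, value in context.items():
        script = script.replace("${{ " + name + " }}", value)
    return script


def run_shell(script: str, env: Optional[Dict[str, str]] = None) -> str:
    """Run the rendered script the way a `run:` step would and return stdout."""
    shell = shutil.which("bash") or "sh"
    proc = subprocess.run(
        [shell, "-c", script],
        capture_output=True,
        text=True,
        env={**os.environ, **(env or {})},
    )
    return proc.stdout


def vulnerable_run(title: str) -> str:
    """Interpolate the title into the script, then execute it."""
    return run_shell(render(VULNERABLE_STEP, {"github.event.pull_request.title": title}))


def hardened_run(title: str) -> str:
    """Never touch the script text; hand the title to the shell as an env var."""
    return run_shell(HARDENED_STEP, env={"PR_TITLE": title})


def was_injected(output: str) -> bool:
    """True if the injected command ran, i.e. INJECTED appears as its own line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable step output:\n" + vulnerable_run(ATTACKER_TITLE))
    print("hardened step output:\n" + hardened_run(ATTACKER_TITLE))
```

The vulnerable run prints `INJECTED` on its own line because the rendered script is `echo "Building: Fix build"; echo INJECTED; echo ""`; the hardened run prints the whole title as a single literal string. The same env-var pattern applies to any `${{ github.event.* }}` field that a third party can set. Note that the OpenLIT case below is a different failure mode: under `pull_request_target` the fix is not quoting but refusing to check out and execute the fork's code while the job holds a privileged token and secrets.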

OpenLIT disclosed and fixed a critical GitHub Actions workflow flaw where `pull_request_target` could execute untrusted fork code with privileged tokens and secrets exposed.

F5 Labs reports a supply-chain compromise of Cline CLI 2.3.0 via a stolen npm token; the malicious release installed OpenClaw, and the write-up also highlights GitHub Actions cache-poisoning and prompt-injection risks.

Jenkins published a security advisory fixing a High-severity stored XSS in core that can be abused by users with node configuration/disconnect permissions; a fixed release is available.