LDAP disabled-user auth bypass fixed in OpenStack Keystone
A High-severity OpenStack Keystone LDAP backend bug can treat disabled LDAP users as enabled, allowing authentication and actions until patched or mitigated.

CVE-2026-5936 is a High-severity SSRF in `Foxit PDF Services API` that can pivot server-side requests to arbitrary destinations, impacting deployments listed as affected before 2026-04-07.

CVE-2026-4810 is a Critical code-injection and missing-authentication flaw in Google ADK that enables unauthenticated server-side code execution in affected Python/Cloud Run/GKE deployments.

A Critical command-injection flaw in `aws-mcp-server` can enable unauthenticated remote code execution, impacting deployments that expose the MCP service to untrusted clients.

A GitHub advisory reports High unauthenticated SSRF in Arcane <=1.17.2, letting remote attackers probe internal services via `/api/templates/fetch` using a user-supplied URL.

CVE-2026-40175 reports a Critical Axios header-injection gadget chain that can turn upstream prototype pollution into SSRF/request-smuggling and AWS IMDSv2 credential theft in axios <1.15.0.

Canonical warns a Critical Juju authorization flaw lets any authenticated controller user call `CloudSpec` and extract bootstrap cloud credentials in affected 2.9, 3.6, and 4.0/edge builds.

A GitHub-reviewed advisory says PraisonAI exposed an unauthenticated `/media-stream` WebSocket that proxies to OpenAI Realtime API, enabling DoS and paid-API credit exhaustion.

A GitHub-reviewed advisory reports High-severity unauthenticated SSRF in `PraisonAI` where attacker-controlled `webhook_url` makes the server POST to internal services, including cloud metadata endpoints.

CVE-2026-5747 is a High out-of-bounds write in Amazon Firecracker’s virtio-pci transport affecting 1.13.0–1.14.3 and 1.15.0, risking VMM crashes or potential host code execution.

AWS published a security bulletin for three High issues in Research and Engineering Studio (RES) that enable authenticated command injection and AWS permission escalation in impacted releases.

AWS disclosed and patched six vulnerabilities in the Amazon Athena ODBC Driver, including Linux OS command injection and a query-processing out-of-bounds write, affecting all supported platforms.

CVE-2026-27124 reports a High-severity OAuth consent-validation flaw in `fastmcp` (<3.2.0) that can let attackers impersonate GitHub users against MCP servers.

Microsoft published a critical Azure Databricks SSRF elevation-of-privilege CVE that allows unauthenticated network attackers to escalate privileges within the hosted service.

GitHub advisory for Juju reports a critical TLS authentication flaw allowing unauthenticated network attackers to join the controller’s Dqlite cluster and read/modify all controller data.

CVE-2026-34214 allows Trino users with SQL write privileges to extract Iceberg REST catalog object-storage credentials from query JSON, risking data exposure in shared clusters.

CVE-2026-34204 lets authenticated MinIO clients with `s3:PutObject` permission make objects permanently unreadable by injecting internal SSE metadata via crafted `X-Minio-Replication-*` headers.

CVE-2026-33992 reports an authenticated SSRF in `pyload` allowing internal service access and cloud metadata exfiltration on self-hosted instances prior to the patched build.

CVE-2026-33413 discloses High-severity authorization bypasses in etcd gRPC APIs, letting unauthorized clients call sensitive functions on clusters exposing gRPC to untrusted networks.

CVE-2026-33897 is a critical template-engine sandbox bypass in Incus <6.23.0 that lets low-privileged API users read/write host files as root.

CVE-2026-33322 discloses a critical JWT algorithm confusion in MinIO OIDC login that lets attackers with the OIDC ClientSecret forge tokens and obtain S3 credentials.

An oss-security disclosure says terraform-provider-linode versions before v3.9.0 could log passwords, tokens, scripts, and NodeBalancer TLS private keys when debug logging is enabled.

Broadcom issued VMSA-2026-0001 for VMware Aria Operations, fixing a High command-injection bug and additional XSS and privilege-escalation flaws affecting VCF deployments.