16:["$","div",null,{"className":"flex min-h-screen flex-col bg-zinc-50 font-sans dark:bg-black","children":[["$","main",null,{"className":"mx-auto flex w-full max-w-7xl flex-1 flex-col gap-6 px-4 py-10 sm:px-6 lg:px-8","children":[["$","header",null,{"className":"flex flex-col gap-3","children":[["$","div",null,{"className":"flex flex-wrap items-baseline gap-3","children":[["$","h1",null,{"className":"text-3xl font-bold text-zinc-900 dark:text-white","children":"News"}],["$","a",null,{"href":"/news/feed","className":"inline-flex items-center gap-1.5 rounded-full border border-zinc-200 bg-white px-3 py-1 text-xs font-semibold uppercase tracking-wide text-zinc-600 transition hover:border-zinc-300 hover:text-zinc-900 dark:border-zinc-700 dark:bg-zinc-900/70 dark:text-zinc-300 dark:hover:border-zinc-500 dark:hover:text-white","aria-label":"News RSS feed","children":[["$","svg",null,{"aria-hidden":"true","viewBox":"0 0 24 24","className":"h-3 w-3 -translate-y-px","fill":"currentColor","children":["$","path",null,{"d":"M6.18 17.82A2.18 2.18 0 1 0 6.18 22a2.18 2.18 0 0 0 0-4.36Zm-3.68-7v3.27a8.73 8.73 0 0 1 8.71 8.71h3.29c0-6.61-5.39-11.98-12-11.98Zm0-6.29v3.27c7.59 0 13.73 6.15 13.73 13.73H19.5C19.5 12.09 11.41 4 2.5 4Z"}]}],"RSS"]}]]}],["$","p",null,{"className":"text-base text-zinc-600 dark:text-zinc-300","children":["Application security news, updated daily (if there is any news to share)."," "]}]]}],["$","$2",null,{"fallback":["$","div",null,{"className":"rounded-2xl border border-dashed border-zinc-200 bg-white p-8 text-center text-base text-zinc-500 dark:border-zinc-800 dark:bg-zinc-900/70 dark:text-zinc-400","children":"Loading news…"}],"children":["$","$L1e",null,{"items":[{"slug":"2026-03-openstack-vitrage-query-parser-rce","title":"OpenStack Vitrage patches query-parser RCE (CVE-2026-28370)","summary":"OpenStack disclosed CVE-2026-28370, a Vitrage query-parser flaw that can let authenticated Vitrage API users execute code on the service host; patches are available.","tags":["News","Cloud Security","OpenStack","Vulnerability"],"isPublished":true,"publishedAt":"2026-03-03T17:44:02Z","updatedAt":null,"sourceName":"Openwall oss-security (OpenStack VMT advisory OSSA-2026-003)","sourceUrl":"https://www.openwall.com/lists/oss-security/2026/03/03/6","cves":["CVE-2026-28370"],"cwes":null,"body":["## What happened\nOpenStack’s Vulnerability Management Team published OSSA-2026-003 describing **CVE-2026-28370**, a vulnerability in the **OpenStack Vitrage query parser**. According to the advisory, a user who is allowed to access the **Vitrage API** may be able to **trigger code execution on the Vitrage service host** as the user account the Vitrage service runs under.","## Who is impacted\nThe advisory states affected versions include **Vitrage < 12.0.1**, and the specific releases **13.0.0**, **14.0.0**, and **15.0.0**. It notes that **all deployments exposing the Vitrage API are affected**, because an API user can potentially reach the vulnerable query parsing path.","## What to do now\n- **Apply the upstream patches** referenced by OSSA-2026-003 for your deployed OpenStack stable branch (patches are provided via OpenDev code reviews for multiple branches).\n- If you cannot patch immediately, **restrict access to the Vitrage API** (network ACLs / security groups / reverse-proxy auth) to minimize the set of users who can send queries.\n- Treat this as a **service-host compromise risk** (code execution as the Vitrage service user): review host hardening, credentials available to the service user, and monitor for suspicious Vitrage API query activity.","## Additional Information\n- Advisory identifier: **OSSA-2026-003** (OpenStack Vulnerability Management Team)\n- CVE: **CVE-2026-28370**\n- Patch references in the advisory include OpenDev review IDs: `962671`, `962713`, `962712`, `962646`, `962658`, `962617`."]},{"slug":"2026-02-fastify-middie-path-normalization-auth-bypass","title":"@fastify/middie patches path normalization auth bypass in path-scoped middleware (CVE-2026-2880)","summary":"A GitHub-reviewed advisory reports a High-severity path normalization mismatch in @fastify/middie that can bypass path-scoped auth middleware; upgrade to 9.2.0.","tags":["News","Node.js","Web Security"],"isPublished":true,"publishedAt":"2026-02-28","updatedAt":"2026-02-28","sourceName":"GitHub Advisory Database","sourceUrl":"https://raw.githubusercontent.com/github/advisory-database/main/advisories/github-reviewed/2026/02/GHSA-8p85-9qpw-fwgw/GHSA-8p85-9qpw-fwgw.json","cves":["CVE-2026-2880"],"cwes":["CWE-20"],"body":["## What happened\n\nA security advisory for `@fastify/middie` describes an improper path normalization issue where middleware path matching can disagree with Fastify/find-my-way route normalization. When these differ, path-scoped middleware (e.g., `app.use('/secret', auth)`) may be skipped while the request is still routed to a protected handler.","## Who is impacted\n\nApplications using `@fastify/middie` with path-scoped middleware protections are impacted, particularly when Fastify router normalization options are enabled (including `ignoreDuplicateSlashes`, `useSemicolonDelimiter`, and related trailing-slash behavior). The advisory states `@fastify/middie@9.1.0` is confirmed affected and that all versions prior to the patch are affected. Example bypass paths mentioned include `//secret` and `/secret;foo=bar` (depending on router option configuration).","## What to do now\n\n- Upgrade `@fastify/middie` to **9.2.0** (fixed version).\n- Until upgraded, avoid relying solely on path-scoped middie middleware for auth/authorization; enforce auth at route-level handlers/hooks after router normalization.\n- If operationally feasible, disable risky normalization combinations called out in the advisory.","## Additional Information\n\n- Severity: CVSS v4.0 **8.2 (High)** (vector: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N`).\n- Root cause (as described): canonicalization drift between middie path matching and find-my-way route lookup normalization.\n- Identifier: **CVE-2026-2880**."]},{"slug":"2026-02-ocaml-marshal-deserialization-rce","title":"OCaml fixes Marshal deserialization buffer over-read that can enable RCE (CVE-2026-28364)","summary":"CVE-2026-28364 was published for OCaml Marshal deserialization, where missing bounds validation can enable a multi-phase attack chain leading to remote code execution; upgrade to 4.14.3 or 5.4.1.","tags":["Vulnerabilities","Languages","Secure Coding"],"isPublished":true,"publishedAt":"2026-02-27","updatedAt":"2026-02-27","sourceName":"CVE Project (cvelistV5)","sourceUrl":"https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/28xxx/CVE-2026-28364.json","cves":["CVE-2026-28364"],"cwes":["CWE-126"],"body":["## What happened\nMITRE published **CVE-2026-28364** on **2026-02-27T03:54:53.458Z**, describing a **buffer over-read** in **OCaml Marshal deserialization** (noted as `runtime/intern.c`).\n\nThe CVE record states the issue is caused by **missing bounds validation** in the `readblock()` function, which can result in **unbounded `memcpy()` operations using attacker-controlled lengths** from crafted Marshal data.\n\nThe CVE record further states this can enable **remote code execution** via a **multi-phase attack chain**. The record includes a CVSS v3.1 score of **7.9 (High)** with vector `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N`.","## Who is impacted\n- **OCaml** versions **< 4.14.3** are affected.\n- **OCaml 5.x** versions **>= 5.0.0 and < 5.4.1** are affected.\n- The affected package is identified as `pkg:opam/ocaml` in the CVE record.","## What to do now\n- **Upgrade OCaml to 4.14.3** (for the 4.x line) or **to 5.4.1** (for the 5.x line) or later.\n- Review any components that **deserialize Marshal data** and ensure it is not treated as safe when sourced from untrusted inputs.","## Additional Information\n- CWE: **CWE-126 (Buffer Over-read)**.\n- The CVE record references the OCaml security advisory entry **OSEC-2026-01** (OSV/GitHub advisory metadata) for additional vendor-side context."]},{"slug":"2026-02-hoppscotch-unauth-onboarding-config-takeover","title":"Hoppscotch patches unauthenticated onboarding config takeover (CVE-2026-28215)","summary":"CVE-2026-28215 lets unauthenticated attackers overwrite self-hosted Hoppscotch infrastructure config via POST /v1/onboarding/config, exposing OAuth credentials and plaintext secrets; fixed in 2026.2.0.","tags":["News","Application Security","Supply Chain","API Security"],"isPublished":true,"publishedAt":"2026-02-26T22:34:46.524Z","updatedAt":"2026-02-26T22:34:46.524Z","sourceName":"CVE Project","sourceUrl":"https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/28xxx/CVE-2026-28215.json","cves":["CVE-2026-28215"],"cwes":["CWE-284","CWE-287"],"body":["## What happened\nA critical Hoppscotch vulnerability (CVE-2026-28215) was published that allows an unauthenticated attacker to overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance by sending a single HTTP POST request to `POST /v1/onboarding/config` without any authentication guard and without checking whether onboarding was already completed.","## Who is impacted\nSelf-hosted Hoppscotch deployments running versions **prior to 2026.2.0** are affected. The impact includes the ability to replace the instance's Google/GitHub/Microsoft OAuth application credentials (capturing OAuth tokens and email addresses for subsequent logins) and obtain a recovery token that can be used to read stored secrets in plaintext (including SMTP passwords and other configured credentials).","## What to do now\n- **Upgrade Hoppscotch to 2026.2.0 or later**.\n- Treat the instance as potentially compromised if it was Internet-accessible: rotate OAuth app secrets (Google/GitHub/Microsoft), SMTP credentials, and any other secrets stored in Hoppscotch configuration.\n- Review onboarding/configuration state and audit for unexpected changes to SSO or email/SMTP settings.","## Additional Information\n- Affected endpoint: `POST /v1/onboarding/config`.\n- Fixed version: **2026.2.0**.\n- Severity (CVSS v3.1): **9.1 (CRITICAL)**."]},{"slug":"2026-02-openlit-github-actions-pull-request-target","title":"OpenLIT patches critical GitHub Actions workflow issue that could expose secrets (CVE-2026-27941)","summary":"OpenLIT disclosed and fixed a critical GitHub Actions workflow flaw where `pull_request_target` could execute untrusted fork code with privileged tokens and secrets exposed.","tags":["CI/CD Security","GitHub Actions","Supply Chain","Vulnerability"],"isPublished":true,"publishedAt":"2026-02-26","updatedAt":null,"sourceName":"CVE Project (cvelistV5)","sourceUrl":"https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27941.json","cves":["CVE-2026-27941"],"cwes":["CWE-829"],"body":["## What happened\nCVE-2026-27941 was published for OpenLIT, describing a critical vulnerability in several GitHub Actions workflows in the OpenLIT GitHub repository prior to version 1.37.1.\n\nThe issue is that these workflows used the `pull_request_target` event while checking out and executing untrusted code from forked pull requests, causing the workflow to run in the security context of the base repository.\n\nAs described in the CVE record, this base-repo context includes a write-privileged `GITHUB_TOKEN` and other sensitive secrets (including API keys, database/vector store tokens, and a Google Cloud service account key).","## Who is impacted\n- Repositories using OpenLIT versions **< 1.37.1** (affected range listed as `< 1.37.1`).\n- Specifically, environments where the affected GitHub Actions workflows run and can be triggered via forked pull requests under the `pull_request_target` event model described in the CVE record.","## What to do now\n- Upgrade to **OpenLIT 1.37.1** (the CVE record states 1.37.1 contains a fix).\n- Review GitHub Actions workflows for unsafe `pull_request_target` usage combined with checkout/execution of PR code.\n- If you suspect exposure, rotate GitHub Actions secrets and any credentials referenced by workflows (API keys, DB/vector store tokens, and any cloud service account keys).","## Additional Information\n- GitHub Security Advisory: GHSA-9jgv-x8cq-296q\n- Fix reference commit: 4a62039a1659d6cbb8913172693f587b5fc2546c"]},{"slug":"2026-02-terraform-linode-provider-debug-log-leak","title":"CVE-2026-27900: terraform-provider-linode debug logs could expose passwords and TLS private keys (fixed in v3.9.0)","summary":"An oss-security disclosure says terraform-provider-linode versions before v3.9.0 could log passwords, tokens, scripts, and NodeBalancer TLS private keys when debug logging is enabled.","tags":["News","IaC Security","Secrets Management","Cloud"],"isPublished":true,"publishedAt":"2026-02-26","updatedAt":null,"sourceName":"Openwall oss-security","sourceUrl":"https://www.openwall.com/lists/oss-security/2026/02/26/2","cves":["CVE-2026-27900"],"cwes":null,"body":["## What happened\nOn 2026-02-26 at 04:15:38 UTC, a post to the oss-security mailing list disclosed **CVE-2026-27900**, describing sensitive information exposure in **Terraform Provider for Linode** when provider/debug logging is enabled.","The report states that **terraform-provider-linode versions prior to v3.9.0** could write sensitive fields into debug logs without redaction, including instance root passwords, StackScript content, object storage data, image share group tokens, and **NodeBalancer TLS private keys (SSLKey)**.","## Who is impacted\nTeams using **terraform-provider-linode < v3.9.0** are impacted **if** Terraform/provider debug logging is explicitly enabled (e.g., during local troubleshooting or in CI/CD), especially where logs are shipped to centralized collectors or shared with others.","Any authenticated user (or operator) who can access those debug/provider logs could potentially extract credentials and secret material from retained log output.","## What to do now\n- **Upgrade** to **terraform-provider-linode v3.9.0 or later**, which the disclosure says sanitizes debug logs by logging only non-sensitive metadata and redacting sensitive values.\n- **Disable provider/Terraform debug logging** where possible (e.g., unset `TF_LOG_PROVIDER` and `TF_LOG`, or use `WARN`/`ERROR` levels).\n- **Restrict access** to existing and historical CI/CD and log-aggregation data that may contain leaked values.\n- **Purge/trim log retention** for affected time ranges.\n- **Rotate potentially exposed secrets**, including instance root passwords, image share group tokens, NodeBalancer TLS private keys/certificates, and any secrets embedded in StackScripts.","## Additional Information\nThe disclosure credits a report via Akamai's HackerOne bug bounty program and references the upstream **v3.9.0 release**, a GitHub pull request, and a commit implementing the log sanitization, plus Terraform debugging documentation for log configuration."]},{"slug":"2026-02-n8n-expression-sandbox-rce","title":"n8n fixes critical expression sandbox escape that can lead to RCE (CVE-2026-27577)","summary":"CVE-2026-27577 discloses a critical n8n expression-evaluation sandbox escape enabling authenticated workflow editors to execute system commands; fixed in 1.123.22, 2.9.3, and 2.10.1.","tags":["News","RCE","DevSecOps","Workflow Automation"],"isPublished":true,"publishedAt":"2026-02-25T22:19:44.806Z","updatedAt":"2026-02-25T22:19:44.806Z","sourceName":"CVE Project (cvelistV5)","sourceUrl":"https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27577.json","cves":["CVE-2026-27577"],"cwes":["CWE-94"],"body":["## What happened\nA new CVE record, **CVE-2026-27577**, was published for **n8n** describing an **expression evaluation sandbox escape** that can result in **unintended system command execution on the host** running n8n.","The advisory notes this as **additional exploits** identified and patched following **CVE-2025-68613**, and assigns a **CVSS v4.0 base score of 9.4 (Critical)** with vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`.","## Who is impacted\nSelf-hosted n8n deployments where users can create or modify workflows are impacted. The advisory describes the attacker as an **authenticated user with permission to create or modify workflows** who can abuse crafted expressions in workflow parameters.\n\nAffected version ranges listed in the CVE record:\n- `< 1.123.22`\n- `>= 2.0.0, < 2.9.3`\n- `>= 2.10.0, < 2.10.1`","## What to do now\n- **Upgrade** to a fixed release for your branch:\n - 1.x: **1.123.22**\n - 2.x stable: **2.9.3**\n - 2.x beta: **2.10.1**\n- If you cannot upgrade immediately (temporary mitigations listed in the record):\n - **Limit workflow creation/editing permissions to fully trusted users only**.\n - **Run n8n in a hardened environment** with restricted OS privileges and network access to reduce blast radius.","## Additional Information\n- Weakness classification: **CWE-94 (Improper Control of Generation of Code / Code Injection)**.\n- References in the CVE record include the GitHub advisory **GHSA-vpcf-gvg4-6qwr**, prior advisory **GHSA-v98v-ff95-f3cp**, and associated fix commits `1479aab2d32fe0ee087f82b9038b1035c98be2f6` and `9e5212ecbc5d2d4e6f340b636a5e84be6369882e`."]},{"slug":"2026-02-cline-cli-npm-token-compromise","title":"F5 Labs: Cline CLI 2.3.0 npm token compromise used postinstall to install OpenClaw on developer systems","summary":"F5 Labs reports a supply-chain compromise of Cline CLI 2.3.0 via a stolen npm token, installing OpenClaw and highlighting GitHub Actions cache-poisoning and prompt-injection risks.","tags":["Supply Chain","CI/CD Security","AI Security"],"isPublished":true,"publishedAt":"2026-02-25","updatedAt":null,"sourceName":"F5 Labs","sourceUrl":"https://www.f5.com/labs/articles/weekly-threat-bulletin-february-25th-2026","cves":null,"cwes":null,"body":["## What happened\nF5 Labs reported that the open-source AI coding assistant **Cline CLI** suffered a supply-chain incident in which **version 2.3.0** was published to npm using a **compromised npm publish token**.\n\nAccording to F5, the malicious `cline@2.3.0` package included a **`postinstall` script** that installed **`openclaw@latest`** (an autonomous AI agent) onto developer systems, and was downloaded **~4,000 times** during an **~8-hour** window.\n\nF5 notes that OpenClaw itself was **not deemed malicious**, but the installation was unauthorized/unintended as part of the supply-chain compromise.\n\nF5 attributes the compromise to a workflow weakness it calls **\"Clinejection\"**: a misconfigured GitHub workflow where an AI agent (**Claude**) with excessive permissions could be manipulated via **prompt injection in a GitHub issue title** to execute arbitrary code, enabling **GitHub Actions cache poisoning** and theft of publication secrets (including the npm publish token).","## Who is impacted\n- Teams and developers who installed **`cline@2.3.0`** from npm during the affected window.\n- Organizations whose developer workstations or CI runners may have executed the package install hooks.\n- Engineering orgs using **GitHub Actions** for release/publishing, especially where workflows/agents have broad permissions and shared caches between low-trust and high-trust jobs.","## What to do now\n- **Inventory** developer endpoints and CI/CD runners for `cline` and specifically flag **version `2.3.0`**.\n- **Upgrade** to **`cline@2.4.0` or later** as recommended by F5.\n- **Check for and remove** unauthorized `openclaw` installations where not explicitly approved.\n- **Reduce CI/CD token exposure** by migrating publishing pipelines from long-lived registry tokens to **OIDC-based** (tokenless/short-lived) publishing where supported.\n- **Harden GitHub Actions**: enforce separation between low-trust and high-trust workflows so that low-trust jobs cannot write to or influence caches consumed by release/publish jobs; apply least-privilege to workflow and agent permissions.","## Additional Information\nF5 reports that Cline maintainers responded by releasing **Cline CLI 2.4.0**, deprecating **2.3.0**, revoking the compromised token, and implementing **OIDC for npm publishing via GitHub Actions**."]},{"slug":"2026-02-imagemagick-policy-bypass-path-traversal","title":"ImageMagick fixes path-policy bypass that can expose restricted files (CVE-2026-25965)","summary":"ImageMagick disclosed a High-severity path-policy bypass where traversal in filenames can read restricted files despite policy-secure.xml; update to 7.1.2-15 or 6.9.13-40.","tags":["News","Vulnerability","Open Source","Libraries"],"isPublished":true,"publishedAt":"2026-02-24","updatedAt":"2026-02-24","sourceName":"CVEProject cvelistV5 (GitHub raw)","sourceUrl":"https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/25xxx/CVE-2026-25965.json","cves":["CVE-2026-25965"],"cwes":["CWE-22"],"body":["## What happened\nA new CVE record (CVE-2026-25965) was published for ImageMagick describing a path traversal technique that bypasses ImageMagick's path security policy by exploiting how the policy matcher evaluates the raw (unnormalized) filename before the OS resolves the final path. This can allow reading files that would be expected to be blocked by rules such as `/etc/*`, resulting in local file disclosure (LFI) even when `policy-secure.xml` is in use.","## Who is impacted\n- Anyone running ImageMagick versions **< 7.1.2-15** (including the affected range **>= 7.0.0, < 7.1.2-15**) or **< 6.9.13-40**.\n- Deployments that rely on ImageMagick's policy files to restrict filesystem reads (e.g., image processing services, conversion pipelines, and apps that accept user-controlled image inputs/paths).\n- Severity is listed as **HIGH (CVSS 3.1 base score 8.6)** with vector **CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N**.","## What to do now\n- **Upgrade** ImageMagick to **7.1.2-15** (7.x) or **6.9.13-40** (6.x).\n- If you cannot upgrade immediately, the advisory recommends adding an explicit traversal-blocking rule to your ImageMagick policy:\n - ``\n- Review any services where untrusted inputs can influence ImageMagick read paths or conversions, especially in containerized or multi-tenant environments.","## Additional Information\n- CVE publication timestamp in the CVE record: **2026-02-24T01:20:44.175Z**.\n- Upstream advisory reference: **GHSA-8jvj-p28h-9gm7** (ImageMagick/ImageMagick GitHub Security Advisory)."]},{"slug":"2026-02-superset-dataset-authorization-bypass","title":"Apache Superset fixes High-severity dataset authorization bypass (CVE-2026-23982)","summary":"Apache disclosed CVE-2026-23982, a High-severity authorization bypass in Superset versions before 6.0.0 enabling low-privilege users to access restricted data via dataset SQL overwrite.","tags":["News","Vulnerabilities","Web Security","Data Platforms"],"isPublished":true,"publishedAt":"2026-02-24","updatedAt":null,"sourceName":"oss-security (Openwall)","sourceUrl":"https://www.openwall.com/lists/oss-security/2026/02/24/6","cves":["CVE-2026-23982"],"cwes":["CWE-863"],"body":["## What happened\nApache disclosed **CVE-2026-23982**, an **Improper Authorization** issue in **Apache Superset** where a low-privileged authenticated user can bypass data access controls during dataset creation by **overwriting the SQL query of an existing dataset**.","The Apache CNA lists this as **High severity** (CVSS v4 base **7.1**), reflecting that the attack is network-reachable, requires authentication with low privileges, and can expose high-value data.","## Who is impacted\n- Organizations running **Apache Superset < 6.0.0**.\n- Deployments where users (including non-admin roles) have permissions that allow **writing datasets** and **reading charts** (as described in the advisory).","## What to do now\n- **Upgrade Apache Superset to 6.0.0** (the advisory states this version fixes the issue).\n- Review Superset role permissions, especially who can **create/modify datasets** and **view charts**, and audit recent dataset changes for unexpected SQL modifications.","## Additional Information\n- Affected versions: \"Apache Superset 0.0.0 before 6.0.0\" (per oss-security post).\n- Credit: **River Koh** (reporter) and **Daniel Gaspar** (remediation developer).\n- Reference: oss-security announcement for CVE-2026-23982."]},{"slug":"2026-02-vmware-aria-operations-vmsa-2026-0001","title":"Broadcom publishes VMSA-2026-0001 for VMware Aria Operations (command injection, stored XSS, and privilege escalation)","summary":"Broadcom issued VMSA-2026-0001 for VMware Aria Operations, fixing a High command-injection bug and additional XSS and privilege-escalation flaws affecting VCF deployments.","tags":["News","Cloud","DevSecOps","Vulnerability"],"isPublished":true,"publishedAt":"2026-02-24","updatedAt":"2026-02-24","sourceName":"Broadcom Support (VMware Security Advisory)","sourceUrl":"https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947","cves":["CVE-2026-22719","CVE-2026-22720","CVE-2026-22721"],"cwes":null,"body":["## What happened\n\nBroadcom published **VMSA-2026-0001** on **2026-02-24**, stating that multiple vulnerabilities in **VMware Aria Operations** were privately reported and that patches/workarounds are available for affected Broadcom products.","The advisory covers three issues: **CVE-2026-22719** (command injection, max **CVSS 8.1**), **CVE-2026-22720** (stored cross-site scripting, max **CVSS 8.0**), and **CVE-2026-22721** (privilege escalation, max **CVSS 6.2**).","For **CVE-2026-22719**, Broadcom says an unauthenticated attacker may be able to execute arbitrary commands leading to remote code execution **while support-assisted product migration is in progress**; the advisory lists patches and a workaround referenced as **KB430349**.","## Who is impacted\n\nThe advisory lists impacted products including **VMware Aria Operations**, **VMware Cloud Foundation**, **VMware Telco Cloud Platform**, and **VMware Telco Cloud Infrastructure** (where Aria Operations is bundled/used).","Broadcom's response matrix indicates fixes are available via updated releases/KBs, including **VMware Aria Operations 8.18.6** and **VMware Cloud Foundation Operations 9.0.2.0** (plus KB-based fixes for some bundled versions).","## What to do now\n\n- Identify where **VMware Aria Operations** is deployed directly or via **VCF/Telco** bundles.\n- Apply the vendor-provided fixed versions listed in the advisory's **Response Matrix** for your product/version.\n- If you are performing or planning a **support-assisted product migration**, review and apply the advisory's workaround guidance for **CVE-2026-22719** (KB430349) until fully patched.\n- Limit or review permissions for features referenced in the advisory (e.g., the ability to create **custom benchmarks**) and access paths from **vCenter** to Aria Operations, consistent with least privilege.","## Additional Information\n\n- Advisory: **VMSA-2026-0001** (Issue date **2026-02-24**, updated **2026-02-24**).\n- CVEs: **CVE-2026-22719**, **CVE-2026-22720**, **CVE-2026-22721**.\n- Fixed-version references called out in the advisory include **VMware Aria Operations 8.18.6** and **VMware Cloud Foundation Operations 9.0.2.0**."]},{"slug":"2026-02-claude-code-security-preview","title":"Anthropic launches Claude Code Security preview for AI-assisted vulnerability scanning and patch suggestions","summary":"Anthropic is rolling out Claude Code Security in limited preview for Enterprise/Team plans, scanning codebases for vulnerabilities and suggesting patches with human approval.","tags":["News","DevSecOps","Application Security","AI Security"],"isPublished":true,"publishedAt":"2026-02-21","updatedAt":null,"sourceName":"The Hacker News","sourceUrl":"https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html","cves":null,"cwes":null,"body":["## What happened\nThe Hacker News reports that Anthropic has begun rolling out **Claude Code Security**, a security feature for Claude Code that scans a user's software codebase for vulnerabilities and suggests targeted patches.\n\nAccording to the article, Claude Code Security is available as a **limited research preview** for **Enterprise and Team** customers, and it is positioned as a defender-focused capability where findings and suggested fixes are reviewed by humans.","## Who is impacted\n- Teams using (or evaluating) Claude Code for development workflows, especially organizations looking to add AI-assisted vulnerability discovery and patch suggestions into existing AppSec/DevSecOps processes.\n- Security and platform engineering teams that must validate tool output, manage false positives, and decide how findings should flow into their normal triage/remediation pipeline.","## What to do now\n- If you are eligible and considering the preview, plan for **human review gates**: the article emphasizes a human-in-the-loop model where nothing is applied without approval.\n- Treat findings as **triage inputs**, not authoritative truth: ensure your normal verification steps (reproduction, unit/integration tests, and code review) remain mandatory before shipping changes.\n- Decide where the output fits operationally (e.g., separate \"AI suggested\" queue vs. normal vuln backlog) so developers are not overwhelmed and remediation is trackable.","## Additional Information\nThe article says Anthropic claims the system goes beyond rule-based static analysis by reasoning about code like a human researcher, including tracing data flows and component interactions, and that findings go through a \"multi-stage verification process\" to filter false positives. It also notes that findings receive severity ratings and are shown in a dashboard where analysts can review suggested patches and approve them."]},{"slug":"2026-02-sentry-saml-sso-takeover","title":"CVE-2026-27197: Critical Sentry SAML SSO issue can enable account takeover in some multi-organization deployments","summary":"CVE-2026-27197 is a critical SAML SSO flaw in self-hosted Sentry that can enable account takeover in multi-organization instances; fixed in 26.2.0.","tags":["CVE","Identity","SSO"],"isPublished":true,"publishedAt":"2026-02-21","updatedAt":"2026-02-21","sourceName":"CVEProject cvelistV5","sourceUrl":"https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27197.json","cves":["CVE-2026-27197"],"cwes":["CWE-287"],"body":["## What happened\nA CVE record was published for **CVE-2026-27197** at **2026-02-21T04:35:14Z** describing an **Improper Authentication** issue in Sentry's **SAML SSO** implementation that can allow an attacker to take over user accounts under certain conditions.","## Who is impacted\n- Product: **getsentry/sentry**\n- Affected versions: **>= 21.12.0 and < 26.2.0**\n- The record notes self-hosted risk depends on deployment/permissions conditions in multi-organization setups (including the ability of a malicious user to modify SSO settings for another organization).","## What to do now\n- **Upgrade Sentry to 26.2.0** (the CVE record states this fixes the issue).\n- If you cannot immediately upgrade, the CVE record recommends enabling **user account-based two-factor authentication (2FA)** as a workaround/mitigation.","## Additional Information\n- CVSS v3.1 (from the CVE record): **9.1 (Critical)** — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`\n- Weakness: **CWE-287 (Improper Authentication)**\n- Reference advisory: **GHSA-ggmg-cqg6-j45g** (linked from the CVE record)"]},{"slug":"2026-02-node-tar-hardlink-escape","title":"CVE-2026-26960: node-tar extraction hardlink escape enables arbitrary file read/write","summary":"A newly published CVE for the npm `tar` package describes a High-severity hardlink escape during archive extraction; users should upgrade to `tar` 7.5.8.","tags":["Vulnerability","Node.js","Dependency Security"],"isPublished":true,"publishedAt":"2026-02-20","updatedAt":"2026-02-20","sourceName":"CVE Project (cvelistV5)","sourceUrl":"https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/26xxx/CVE-2026-26960.json","cves":["CVE-2026-26960"],"cwes":["CWE-22"],"body":["## What happened\nThe CVE record for **CVE-2026-26960** was published to the CVE List at **2026-02-20T01:07:52.979Z**. It describes a vulnerability in **node-tar** (npm package `tar`) where, when using default extraction options in **versions 7.5.7 and below**, an attacker-controlled tar archive can create a **hardlink inside the extraction directory** that points to a file **outside** the intended extraction root, enabling **arbitrary file read and write** as the extracting user.","## Who is impacted\n- Projects that use the npm package **`tar`** (node-tar) for extraction (directly or via transitive dependencies), and may extract **untrusted or attacker-controlled tar archives**.\n- Affected versions: **`tar` < 7.5.8**.\n- Severity (CVSS v3.1, CNA: GitHub_M): **7.1 HIGH** (vector: `CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N`).","## What to do now\n- **Upgrade** npm package `tar` to **7.5.8** or later.\n- Audit code paths where `tar.extract()` is used with archives that could be influenced by external users (uploads, CI artifacts, build caches, plugin content, etc.).\n- Consider extracting in a sandboxed context (e.g., container/namespace with limited filesystem access) if untrusted archives must be processed.","## Additional Information\n- CWE: **CWE-22 (Path Traversal / improper limitation of pathname to a restricted directory)**.\n- The CVE record cites the upstream GitHub Security Advisory and fixing commits in `isaacs/node-tar` as references."]},{"slug":"2026-02-strimzi-mtls-ca-chain-trust","title":"CVE-2026-27134: Strimzi can trust all CAs in a multi-CA chain for mTLS authentication","summary":"CVE-2026-27134 in Strimzi 0.49.0–0.50.0 can trust every CA in a provided multi-CA chain, weakening mTLS authentication on Kafka listeners.","tags":["CVE","Kubernetes","Certificates"],"isPublished":true,"publishedAt":"2026-02-20","updatedAt":"2026-02-20","sourceName":"CVEProject cvelistV5 (GitHub)","sourceUrl":"https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27134.json","cves":["CVE-2026-27134"],"cwes":["CWE-287","CWE-295","CWE-296"],"body":["## What happened\nA new High-severity vulnerability (CVSS 8.1) was published for Strimzi (CVE-2026-27134). In Strimzi versions 0.49.0 through 0.50.0, when a custom Cluster CA or Clients CA is configured as a multi-stage CA chain containing multiple CAs, Strimzi incorrectly trusts *all* CAs in that chain for mTLS authentication. As a result, a client certificate signed by any CA in the supplied chain may be accepted for authentication.","## Who is impacted\n- Strimzi users running **0.49.0–0.50.0**.\n- Deployments that use a **custom Cluster CA or Clients CA** provided as a **CA chain with multiple CAs**.\n- Impact can apply to internal listeners (broker replication and control-plane communications) and to user-configured listeners that use **TLS client authentication (mTLS)**.\n- Not impacted: users of Strimzi-managed CAs, or custom CA setups that provide only a single CA (no multi-CA chain).","## What to do now\n- **Upgrade Strimzi to 0.50.1 (or later)** to pick up the fix.\n- If you cannot upgrade immediately, use the documented workaround: **provide only the single CA that should be trusted**, not the full multi-CA chain.\n- Review any mTLS client certificates issued from intermediate/alternate CAs in your chain, and consider re-issuing/rotating certificates if unintended trust could have existed in your environment.","## Additional Information\n- CVSS v3.1 vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` (base score 8.1, High).\n- Weakness classifications: Improper Authentication (CWE-287), Improper Certificate Validation (CWE-295), and Improper Following of a Certificate's Chain of Trust (CWE-296).\n- Upstream reference: GitHub Security Advisory **GHSA-2qwx-rq6j-8r6j** (linked from the CVE record)."]},{"slug":"2026-02-jenkins-core-stored-xss-offline-cause","title":"Jenkins advisory fixes High-severity stored XSS in node \"mark temporarily offline\" description","summary":"Jenkins published a security advisory fixing a High-severity stored XSS in core that can be abused by users with node configuration/disconnect permissions; update is available.","tags":["News","CI/CD Security","Web Security"],"isPublished":true,"publishedAt":"2026-02-18","updatedAt":null,"sourceName":"Jenkins Security Advisory","sourceUrl":"https://www.jenkins.io/security/advisory/2026-02-18/","cves":["CVE-2026-27099","CVE-2026-27100"],"cwes":null,"body":["## What happened\nJenkins published a security advisory dated **2026-02-18** covering two Jenkins core issues, including **SECURITY-3669 / CVE-2026-27099**, a **High-severity stored XSS** bug in how Jenkins renders the user-provided description for the \"Mark temporarily offline\" node offline cause.","The advisory explains that since Jenkins **2.483**, offline-cause descriptions are defined as containing HTML and are rendered as such; affected versions **do not escape** the user-provided description for that specific offline-cause path, enabling stored XSS by authorized users.","The same advisory also includes **SECURITY-3658 / CVE-2026-27100** (Medium), where affected versions accept Run Parameter values referencing builds the submitting user cannot access, allowing limited build/job existence and display-name information disclosure.","## Who is impacted\n- Organizations running **Jenkins weekly** versions **up to and including 2.550**.\n- Organizations running **Jenkins LTS** versions **up to and including 2.541.1**.\n- For **CVE-2026-27099**, impact is greatest where users or automation have **Agent/Configure** or **Agent/Disconnect** permissions and where Jenkins UI content is viewed by higher-privileged users (typical in shared CI environments).","## What to do now\n- **Upgrade Jenkins weekly to 2.551**.\n- **Upgrade Jenkins LTS to 2.541.2**.\n- If you are on **Jenkins 2.539+ (including LTS 2.541.1)** and cannot upgrade immediately, **enforce Content Security Policy (CSP) protection** as a mitigation noted by Jenkins (still treat upgrading as the primary fix).\n- Review and tighten Jenkins RBAC around **node (agent) management permissions** (Agent/Configure, Agent/Disconnect) to reduce the number of principals that can reach the vulnerable stored-XSS input.","## Additional Information\n- Advisory: Jenkins Security Advisory **2026-02-18** (covers CVE-2026-27099 and CVE-2026-27100).\n- Fixed versions per advisory: weekly **2.551**, LTS **2.541.2**.\n- Affected versions per advisory: weekly **<= 2.550**, LTS **<= 2.541.1**."]},{"slug":"2026-02-red-hat-nodejs20-security-update","title":"Red Hat issues Important nodejs:20 security update for RHEL 9.4 EUS","summary":"Red Hat published RHSA-2026:2768, an Important security advisory updating RHEL 9.4 EUS nodejs:20 to address three Node.js vulnerabilities, including a DoS issue.","tags":["News","Application Security","Supply Chain","Linux"],"isPublished":true,"publishedAt":"2026-02-17","updatedAt":"2026-02-17","sourceName":"Red Hat Product Errata","sourceUrl":"https://access.redhat.com/errata/RHSA-2026:2768","cves":["CVE-2025-55130","CVE-2025-55131","CVE-2025-59465"],"body":["## What happened\nRed Hat published **RHSA-2026:2768** (severity: **Important**) for the **nodejs:20** module on **Red Hat Enterprise Linux 9.4 Extended Update Support (EUS)**. The advisory ships an update to Node.js packages and states it addresses three security issues: **Node.js denial of service (CVE-2025-59465)**, **uninitialized memory exposure (CVE-2025-55131)**, and a **file permissions bypass (CVE-2025-55130)**.","## Who is impacted\n- Platform teams running **RHEL 9.4 EUS** that provide the **nodejs:20** runtime to internal applications or build pipelines.\n- Developers building and deploying services that rely on the distribution-provided **Node.js 20** module stream (rather than upstream Node.js binaries/containers).","## What to do now\n- **Prioritize patching** systems using the **nodejs:20** module on RHEL 9.4 EUS.\n- Apply the Red Hat update for **nodejs:20** as described in the advisory (updated packages are listed under \"Updated Packages\").\n- After updating, **restart** Node.js services and any build agents/CI runners that keep long-lived Node.js processes to ensure the patched runtime is in use.","## Additional Information\n- Advisory ID: **RHSA-2026:2768**\n- Type/Severity: **Security Advisory / Important**\n- Security fixes listed by Red Hat: **CVE-2025-59465**, **CVE-2025-55131**, **CVE-2025-55130**\n- Affected product called out by the advisory: **Red Hat Enterprise Linux 9.4 Extended Update Support**"]},{"slug":"2026-02-malicious-npm-ambar-src","title":"GitHub flags ambar-src on npm as malware with no patched versions","summary":"GitHub's Advisory Database published a malware advisory for the npm package ambar-src, warning that any affected machine should be treated as fully compromised.","tags":["Supply Chain","JavaScript","Malware","News"],"isPublished":true,"publishedAt":"2026-02-16","updatedAt":"2026-02-16","sourceName":"GitHub Advisory Database","sourceUrl":"https://github.com/advisories/GHSA-qjgj-mrv7-24f7","cves":null,"body":["## What happened\nGitHub's Advisory Database published **GHSA-qjgj-mrv7-24f7**, classifying the npm package **`ambar-src`** as **malware** and noting there are **no patched versions** available.","## Who is impacted\nAnyone who installed or executed **`ambar-src`** from the npm ecosystem is potentially impacted. The advisory states systems with the package installed/running should be considered **fully compromised**.","## Key details\n- Ecosystem: **npm**\n- Package: **ambar-src**\n- Advisory: **GHSA-qjgj-mrv7-24f7**\n- Affected versions: **>= 0** (effectively all versions)\n- Patched versions: **None**\n- CWE: **CWE-506 (Embedded Malicious Code)**","## What to do now\n- **Remove the package** from builds, lockfiles, and internal mirrors.\n- **Treat affected machines as compromised**: rotate credentials/secrets **from a different (clean) machine**.\n- **Invalidate and re-issue** any CI/CD, registry, cloud, or signing credentials that could have been accessed.\n- **Hunt for downstream exposure**: identify projects, containers, and build jobs that pulled the dependency and re-build from known-good sources."]},{"slug":"2026-02-npm-compass-e2e-tests-malicious","title":"OpenSSF flags npm package compass-e2e-tests 99.0.0 as malicious","summary":"OpenSSF Package Analysis identified the npm package compass-e2e-tests (version 99.0.0) as malicious due to communication with a domain associated with malicious activity.","tags":["News","Supply Chain","JavaScript","DevSecOps"],"isPublished":true,"publishedAt":"2026-02-16","updatedAt":"2026-02-16","sourceName":"Vulnerability-Lookup (CIRCL) — OpenSSF Package Analysis feed","sourceUrl":"https://cve.circl.lu/vuln/mal-2026-922","cves":null,"body":["## What happened\nVulnerability-Lookup (CIRCL), ingesting OpenSSF Package Analysis results, published an entry marking the npm package `compass-e2e-tests` version `99.0.0` as malicious on 2026-02-16T19:55:51Z.","OpenSSF Package Analysis cites the reason as: the package \"communicates with a domain associated with malicious activity.\"","## Who is impacted\nTeams that installed `compass-e2e-tests@99.0.0` in any environment (developer workstations, CI runners, or build containers) are potentially impacted.","## What to do now\n- Search dependency manifests and lockfiles for `compass-e2e-tests@99.0.0` and remove it.\n- Identify where it was installed/executed (CI logs, artifact build logs) and treat affected build environments as potentially compromised.\n- Rotate credentials that may have been accessible to those environments (CI secrets, npm tokens, cloud keys) following your incident response process.","## Additional Information\n- Ecosystem: npm\n- Package: `compass-e2e-tests`\n- Malicious version(s) called out by OpenSSF Package Analysis: `99.0.0`\n- Source attribution in the entry: OpenSSF Package Analysis (finder)"]}],"basePath":"/news","placeholder":"Search news","emptyMessage":"No news items match your filters.","cardVariant":"news"}]}]]}],"$L1f"]}]