
Command injection in pymetasploit3 can run arbitrary Metasploit commands
CVE-2026-5463 reports a critical command injection in `pymetasploit3` <= `1.0.6` where newline injection into module options can drive arbitrary Metasploit console commands.

VulnCheck-published CVE-2026-32917 reports a critical SCP command injection in `openclaw` <2026.3.13, allowing unauthenticated network attackers to execute commands on configured remote attachment hosts.

A GitHub-reviewed advisory reports a High-severity Flannel Extension backend command injection where attackers who can set Kubernetes Node annotations can execute root commands on Flannel nodes.

GitHub published a Critical advisory for @budibase/server where PostgreSQL integration builds a pg_dump shell command with unsanitized config values, enabling command injection and RCE.

GitHub disclosed a High-severity issue in Copilot CLI (<=0.0.422) where crafted bash parameter expansion can bypass shell safety checks and execute arbitrary commands.