
Hex audit reports deserialization RCE risk and CI/CD weaknesses
An oss-security post highlights a third-party Hex.pm security audit, with multiple remediated findings including unsafe deserialization (CVE-2026-21619) and auth/API-key flaws.

A Critical command-injection flaw in `aws-mcp-server` can enable unauthenticated remote code execution, impacting deployments that expose the MCP service to untrusted clients.

Gleam disclosed and patched a git-dependency path traversal that can delete or overwrite attacker-chosen directories during `gleam deps download`, impacting developer workstations and CI runners.

A Critical path traversal in `praisonai` lets crafted `.praison` bundles overwrite arbitrary files during `praisonai recipe unpack`, impacting versions >=2.7.2 and fixed in >=4.5.128.

GitLab’s Apr 8 patch release fixes a High unauthenticated GraphQL DoS (CVE-2025-12664) affecting GitLab CE/EE 13.0+ prior to patched 18.8.9/18.9.5/18.10.3.

CVE-2026-33540 reports a High-severity credential exfiltration risk in `distribution` pull-through cache mode, where attacker-controlled `WWW-Authenticate` `realm` redirects basic-auth credentials.

CVE-2026-35053 is a Critical missing-auth flaw in OneUptime < 10.0.42 that lets unauthenticated attackers trigger workflows via ManualAPI endpoints, enabling JavaScript execution and abuse.

CVE-2026-34528 is a High-severity logic flaw in `filebrowser` < `2.62.2` where self-signup can inherit command execution rights and run arbitrary shell commands.

GitHub advisory for Juju reports a critical TLS authentication flaw allowing unauthenticated network attackers to join the controller’s Dqlite cluster and read/modify all controller data.

VulnCheck-published CVE-2026-32917 reports a critical SCP command injection in `openclaw` <2026.3.13, allowing unauthenticated network attackers to execute commands on configured remote attachment hosts.

StepSecurity reports `[email protected]` and `[email protected]` were maliciously published on npm via compromised maintainer credentials, adding a `postinstall` RAT dropper dependency.

CVE-2026-33032 reports a critical unauthenticated access flaw in `nginx-ui` <=2.3.5 where `/mcp_message` exposes MCP tools, enabling remote Nginx config takeover.

A High-severity GitLab CE/EE authorization flaw in Jira Connect installations could let low-privilege authenticated users obtain installation credentials and impersonate the GitLab app.

CVE-2026-32922 is a critical privilege escalation in `openclaw` <2026.3.11 where pairing-scoped callers can mint `operator.admin` tokens, potentially reaching node RCE via `system.run`.

SandboxJS disclosed a Critical sandbox escape where untrusted JavaScript can obtain the host Function constructor and achieve host-level code execution.

GitHub Advisory Database published a critical OneUptime advisory for CVE-2026-30957, where synthetic monitor code can trigger probe-side RCE via exposed Playwright objects.

CVE-2026-31816 reports a critical Budibase auth-bypass where adding a webhook-like path in the query string can skip authorization and CSRF checks on server APIs.

NVD published a Critical Apache Artemis/ActiveMQ Artemis auth-bypass where unauthenticated Core protocol clients can coerce outbound federation connections for queue message injection or exfiltration.

CVE-2026-27577 discloses a critical n8n expression-evaluation sandbox escape enabling authenticated workflow editors to execute system commands.

Broadcom issued VMSA-2026-0001 for VMware Aria Operations, fixing a High command-injection bug and additional XSS and privilege-escalation flaws affecting VCF deployments.

Anthropic is rolling out Claude Code Security in limited preview for Enterprise/Team plans, scanning codebases for vulnerabilities and suggesting patches with human approval.

OpenSSF Package Analysis identified the npm package compass-e2e-tests (version 99.0.0) as malicious due to communication with a domain associated with malicious activity.