Application security news, updated daily (if there is any news to share).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
A GitHub advisory reports a High sandbox escape in `@anthropic-ai/claude-code` <2.1.64 where symlink writes can reach outside the workspace, enabling code execution via prompt injection.
CVE-2026-40489 reports a High-severity stack buffer overflow in `editorconfig-core-c` <0.12.11 that can crash apps parsing attacker-controlled `.editorconfig` in deep paths.
CVE-2026-6442 reports a High-severity sandbox escape in Snowflake's Cortex Code CLI (<1.0.25) where crafted `bash` commands from untrusted content can execute code locally without user consent.
CVE-2026-40164 reports a High-severity algorithmic complexity DoS in `jq` where crafted JSON keys trigger O(n²) CPU exhaustion in CI/CD, services, and scripts.
CVE-2026-35454 discloses a High-severity Zip Slip in `coder/code-marketplace` that lets a crafted VSIX write files outside the extension directory before `2.4.2`.
AWS disclosed and patched six vulnerabilities in the Amazon Athena ODBC Driver, including Linux OS command injection and a query-processing out-of-bounds write, affecting all supported platforms.
GitHub disclosed a High-severity issue in Copilot CLI (<=0.0.422) where crafted bash parameter expansion can bypass shell safety checks and execute arbitrary commands.