
Latest AppSec news
Security news teams can act on.
New vulnerabilities, incidents, and software security updates with plain context for what to check next.
Recent stories
- Argo CD diff endpoint leaks raw Kubernetes Secret values: `ServerSideDiff` returns unmasked Secret data when `IncludeMutationWebhook=true`. Read-only Argo CD access is enough to exploit it. Fixed in `3.2.11` and `3.3.9`.
- CircleCI fork PR config exposes every project secret to outsiders: Two CircleCI project settings, both enabled, hand every environment secret to anyone who opens a fork PR. Disable secret passing for forks, then rotate.
- 44,000 cPanel servers hit as auth bypass drives ransomware wave: CVE-2026-41940, an authentication bypass in cPanel and WHM, is being mass-exploited to encrypt hosted sites with "Sorry" Linux ransomware. Shadowserver counts 44,000 compromised IPs.
- Missing auth checks let Subscribers tamper with Stripe webhooks in PMPro: Any logged-in WordPress user can delete, create, or rebuild Stripe webhooks in `Paid Memberships Pro` <= `3.6.5` via unprotected AJAX handlers. CVSS 7.1.
- Wildcard in table names collapses S3 credential scope in Apache Polaris: A literal `*` in a table name becomes an IAM wildcard when Polaris builds S3 delegation policies, letting crafted credentials read and write other tables' storage prefixes.
- Unauthenticated PHP object injection in Profile Builder Pro: Profile Builder Pro <= 3.14.5 deserializes attacker-controlled POST data via `maybe_unserialize()` in a publicly accessible AJAX handler. No login required. CVSS 8.1.
- Unauthenticated path traversal exfiltrates server files via booking emails: A path traversal flaw in `Salon Booking System` <= `10.30.25` lets anyone submit a booking with a crafted file path and receive sensitive server files as an email attachment. CVSS 7.5.
- PHP type juggling lets anyone log in as any WordPress user: Loose comparison in `user_verification_form_wrap_process_otpLogin()` means submitting a `true` OTP value bypasses authentication entirely. Any verified account, including admins. CVSS 9.8.
- WCFM IDOR lets vendors delete any WordPress user, including admins: Any authenticated Vendor-level account can delete arbitrary WordPress users - including administrators - by forging `customerid` in a single AJAX call. CVSS 8.1.
- Widget Options eval() bypass gives Contributors server-side RCE: WordPress plugin `Widget Options` uses `eval()` for Display Logic rules. Its blocklist is bypassable via `array_map` with string concatenation, giving any Contributor-or-higher account full PHP execution. CVSS 8.8.
More headlines
May 2026
- Missing file type validation enables unauthenticated upload to WordPress registration forms
- Apache MINA allowlist bypass opens unauthenticated deserialization RCE
- Malformed WS-Policy can exhaust JVM heap via Neethi normalization
- Single WebSocket frame can OOM the BEAM via Bandit deflate
- Bandit WebSocket fragment reassembly has no size cap, enabling unauthenticated DoS
- Fake Bitwarden CLI package stole credentials and backdoored other packages
- DDoS knocks out Ubuntu update and security advisory infrastructure
- Linux kernel LPE lets unprivileged users overwrite setuid binaries in memory
- Gravity Forms stored XSS reaches admin sessions via Product Option labels
- Malicious Intercom PHP SDK tag drops Bun credential stealer at install time
- Keystone EC2 credential API allows cross-project token scope
- Crafted experiment file triggers RCE via LabOne Q deserialization
- PyPI fixes two High-severity auth bugs found in Trail of Bits audit
April 2026
- Unauthenticated XXE in 4D Server SOAP endpoint leaks files and drives SSRF
- 575+ trojanized AI skills found on ClawHub in active supply chain attack
- Chartbrew 4.9.0 exposes private chart data without authentication
- Cloud Foundry Route Services can sidestep app egress controls
- Windows ECS Agent FSx mount flow allows SYSTEM command injection
- CVSS 10.0: Gemini CLI auto-trust flaw turns fork PRs into CI RCE
- Hex lockfile checksum enforcement silently bypassed since 0.16.0
- IntelliJ IDEA built-in web server leaks arbitrary local files
- Compromised intercom-client 7.0.4 exfiltrates Kubernetes and Vault secrets
- Malicious lightning 2.6.2 and 2.6.3 harvest credentials on import
- Malicious `lightning` PyPI releases steal credentials on import
- Critical auth bypass in MOVEit Automation demands immediate patching
- OpenHarness `/bridge spawn` command reaches shell, patched local-only
- Array confusion in Temporary Login plugin allows unauthenticated takeover
- WP Editor CSRF lets attackers overwrite plugin and theme files
- Cockpit CMS collection rules written to disk and executed via include()
- cPanel auth bypass gives unauthenticated access to hosting control plane
- Crafted recipe URL triggers XSS in CyberChef before 11.0.0
- DHCPv6 parser underflow freezes FreeRTOS-Plus-TCP IP task permanently
- Jenkins Credentials Binding path traversal write primitive reaches RCE
- Ollama Windows updater accepts unsigned payloads, enabling persistent RCE
- Otter Blocks unsigned cookie lets anyone forge Stripe ownership
- pgjdbc SCRAM flaw lets a malicious server exhaust client CPU
- Malicious preinstall hooks turn SAP CAP npm install into credential theft
- Malicious preinstall hook in SAP CAP packages runs credential stealer
- SureForms Pro unauthenticated access control bypass fixed in 2.8.1
- Wireshark TLS dissector crash opens door to code execution
- Unauthenticated RCE in DocsGPT MCP stdio transport endpoint
- e-Sushrut HMIS: auth bypass, plaintext OTPs, hardcoded AES keys
- Git push option injection enables GitHub server RCE
- Unauthenticated gRPC pickle deserialization gives RCE in LeRobot
- NVFlare Dashboard pre-auth bypass allows privilege escalation and code execution
- OpenCATS installer writes attacker PHP into config, enabling unauthenticated RCE
- Unauthenticated routes inherit operator write scopes in openclaw
- Outline IDOR lets authenticated users exfiltrate private docs via share links
- Spring gRPC leaks authenticated identity to later unauthenticated requests
- Apache Thrift Node.js bindings vulnerable to stack exhaustion via skip()
- Apache MINA allowlist bypass turns deserialization into network RCE
- Checkmarx GitHub repo data appears on dark web after supply-chain breach
- Script injection in GitHub Actions ships malicious elementary-data to PyPI
- LatePoint agent role gives attackers a path to full admin takeover
- LogonTracer authenticated command injection gives shell access
- openclaw SSH sandbox tar upload lets attackers write arbitrary files
- HTTP/2 scheme header can exhaust BEAM atom table in plug_cowboy
- Pre-auth SQL injection in ProjeQtor login puts instances at critical risk
- Admin sandbox escape in QnABot on AWS enables Lambda code execution
- SQL injection in Spring AI CosmosDBVectorStore delete flow
