Application security news, updated daily (if there is any news to share).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
CVE-2026-33728 discloses critical unsafe RMI deserialization in Datadog’s `dd-trace-java` agent, risking JMX/RMI-port remote code execution on JDK 16 and earlier.
Saloon fixed unsafe `unserialize()` in `AccessTokenAuthenticator` OAuth token restore, where attacker-controlled serialized state can trigger PHP object injection and potential RCE in versions `< 4.0.0`.