Application security news, updated daily (if there is any news to share).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
CVE-2026-28291 reports a High-severity command-execution bypass in `simple-git` (aka `git-js`) where Git option variants evade blocklist safety checks, affecting versions `< 3.32.0`.
CVE-2026-40175 reports a Critical Axios header-injection gadget chain that can turn upstream prototype pollution into SSRF/request-smuggling and AWS IMDSv2 credential theft in axios <1.15.0.
CVE-2026-35641 discloses a High-severity code-execution path in `openclaw` (<`2026.3.24`) where attacker-controlled `.npmrc` can hijack `git` during plugin/hook installation.
CVE-2025-62718 discloses a Critical Axios NO_PROXY hostname normalization bypass affecting `axios < 1.15.0`, enabling proxy misrouting and practical SSRF to loopback/internal services.
A High-severity DoS in React Server Components lets unauthenticated attackers spike CPU via crafted requests to Server Function endpoints in `react-server-dom-*` 19.0.0–19.2.4.
CVE-2026-39363 is a High Vite dev-server WebSocket file-read issue affecting `vite` 6.x/7.x/8.x, enabling attackers to exfiltrate arbitrary host files when reachable without an `Origin` header.
CVE-2026-34950 discloses a Critical JWT algorithm confusion in `fast-jwt` <=6.1.0 that can accept attacker-signed tokens when key parsing is bypassed by leading whitespace.
CVE-2026-34208 discloses a Critical SandboxJS sandbox-integrity escape affecting `SandboxJS` <0.8.36, where untrusted code can mutate host global objects via `this.constructor.call()`.
OpenSSF Package Analysis flagged `@not-nemo/crypto-tracker` versions `1.0.4` and `1.0.6` as malicious, citing command execution and outbound communication to a domain associated with malicious activity.
A report says attackers are exploiting React2Shell (CVE-2025-55182) in unpatched, internet-exposed Next.js apps to automate credential theft from compromised servers at scale.
SafeDep reports 36 malicious npm packages masquerading as Strapi CMS plugins, using `postinstall` execution to exploit local Redis/PostgreSQL and deploy shells and persistent implants in developer and CI environments.
A High-severity Electron vulnerability lets apps that bridge `VideoFrame` objects across `contextBridge` bypass context isolation, exposing preload-isolated capabilities after renderer JavaScript execution.
OSV flagged `strapi-plugin-form`, a fake Strapi npm plugin whose `postinstall` exfiltrates `.env` and platform secrets and enables remote shell command execution.
CVE-2026-34076 discloses an unauthenticated SSRF in Clerk’s `clerkFrontendApiProxy` that can exfiltrate `Clerk-Secret-Key` in several `@clerk/*` server SDKs used by Node.js backends.
CVE-2026-4800 is a High-severity code injection in `lodash` <4.18.0 where untrusted `_.template` `options.imports` key names can execute code at compile time.
VulnCheck-published CVE-2026-32917 reports a critical SCP command injection in `openclaw` <2026.3.13, allowing unauthenticated network attackers to execute commands on configured remote attachment hosts.
StepSecurity reports `[email protected]` and `[email protected]` were maliciously published on npm via compromised maintainer credentials, adding a `postinstall` RAT dropper dependency.
CVE-2026-32922 is a critical privilege escalation in `openclaw` <2026.3.11 where pairing-scoped callers can mint `operator.admin` tokens, potentially reaching node RCE via `system.run`.
A critical Handlebars.js flaw lets attackers inject JavaScript via crafted AST objects passed to `Handlebars.compile()`, impacting `handlebars` npm users on versions `>=4.0.0,<4.7.9`.
CVE-2026-33696 reports a critical prototype pollution flaw in n8n XML and GSuiteAdmin nodes that can let low-privileged workflow editors achieve remote code execution.
NVD published a critical jsrsasign DSA domain-parameter validation flaw that can allow forged DSA signatures or X.509 certificates to pass `X509.verifySignature()` checks.
SandboxJS disclosed a Critical sandbox escape where untrusted JavaScript can obtain the host Function constructor and achieve host-level code execution.
CVE-2026-27971 reports a critical unauthenticated RCE in Qwik's server$ RPC unsafe deserialization affecting @builder.io/qwik <=1.19.0, where require() is available at runtime.
GitHub's Advisory Database published a malware advisory for the npm package ambar-src, warning that any affected machine should be treated as fully compromised.
OpenSSF Package Analysis identified the npm package compass-e2e-tests (version 99.0.0) as malicious due to communication with a domain associated with malicious activity.