Application security news, updated daily (if there is any news to share).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
CVE-2026-3865 discloses a Kubernetes `smb.csi.k8s.io` path traversal where PersistentVolume creators can trigger deletion/modification of unintended SMB-export directories; fixed in v1.20.1.
CVE-2026-35204 reports a High-severity Helm plugin path traversal where a crafted plugin can write files to arbitrary locations during install/update in Helm 4.0.0–4.1.3.
A GitHub-reviewed advisory reports a High-severity Flannel Extension backend command injection where attackers who can set Kubernetes Node annotations can execute root commands on Flannel nodes.
CVE-2026-33413 discloses High-severity authorization bypasses in etcd gRPC APIs, letting unauthorized clients call sensitive functions on clusters exposing gRPC to untrusted networks.
CVE-2026-33211 is a critical Tekton Pipelines git resolver path traversal that lets tenants read arbitrary resolver-pod files (including ServiceAccount tokens) via `pathInRepo`.
CVE-2026-27134 in Strimzi 0.49.0–0.50.0 can trust every CA in a provided multi-CA chain, weakening mTLS authentication on Kafka listeners.