News

Application security news, updated daily (if there is any news to share).

@fastify/middie patches path normalization auth bypass in path-scoped middleware (CVE-2026-2880)

A GitHub-reviewed advisory reports a High-severity path normalization mismatch in @fastify/middie that can bypass path-scoped auth middleware; upgrade to 9.2.0.

NewsNode.jsWeb Security

28 Feb 2026

Hoppscotch patches unauthenticated onboarding config takeover (CVE-2026-28215)

CVE-2026-28215 lets unauthenticated attackers overwrite self-hosted Hoppscotch infrastructure config via POST /v1/onboarding/config, exposing OAuth credentials and plaintext secrets; fixed in 2026.2.0.

NewsApplication SecuritySupply Chain

26 Feb 2026

CVE-2026-27900: terraform-provider-linode debug logs could expose passwords and TLS private keys (fixed in v3.9.0)

An oss-security disclosure says terraform-provider-linode versions before v3.9.0 could log passwords, tokens, scripts, and NodeBalancer TLS private keys when debug logging is enabled.

NewsIaC SecuritySecrets Management

26 Feb 2026

n8n fixes critical expression sandbox escape that can lead to RCE (CVE-2026-27577)

CVE-2026-27577 discloses a critical n8n expression-evaluation sandbox escape enabling authenticated workflow editors to execute system commands; fixed in 1.123.22, 2.9.3, and 2.10.1.

NewsRCEDevSecOps

25 Feb 2026

ImageMagick fixes path-policy bypass that can expose restricted files (CVE-2026-25965)

ImageMagick disclosed a High-severity path-policy bypass where traversal in filenames can read restricted files despite policy-secure.xml; update to 7.1.2-15 or 6.9.13-40.

NewsVulnerabilityOpen Source

24 Feb 2026

Apache Superset fixes High-severity dataset authorization bypass (CVE-2026-23982)

Apache disclosed CVE-2026-23982, a High-severity authorization bypass in Superset versions before 6.0.0 enabling low-privilege users to access restricted data via dataset SQL overwrite.

NewsVulnerabilitiesWeb Security

24 Feb 2026

Broadcom publishes VMSA-2026-0001 for VMware Aria Operations (command injection, stored XSS, and privilege escalation)

Broadcom issued VMSA-2026-0001 for VMware Aria Operations, fixing a High command-injection bug and additional XSS and privilege-escalation flaws affecting VCF deployments.

NewsCloudDevSecOps

24 Feb 2026

Anthropic launches Claude Code Security preview for AI-assisted vulnerability scanning and patch suggestions

Anthropic is rolling out Claude Code Security in limited preview for Enterprise/Team plans, scanning codebases for vulnerabilities and suggesting patches with human approval.

NewsDevSecOpsApplication Security

21 Feb 2026

Jenkins advisory fixes High-severity stored XSS in node "mark temporarily offline" description

Jenkins published a security advisory fixing a High-severity stored XSS in core that can be abused by users with node configuration/disconnect permissions; update is available.

NewsCI/CD SecurityWeb Security

18 Feb 2026

Red Hat issues Important nodejs:20 security update for RHEL 9.4 EUS

Red Hat published RHSA-2026:2768, an Important security advisory updating RHEL 9.4 EUS nodejs:20 to address three Node.js vulnerabilities, including a DoS issue.

NewsApplication SecuritySupply Chain

17 Feb 2026

GitHub flags ambar-src on npm as malware with no patched versions

GitHub's Advisory Database published a malware advisory for the npm package ambar-src, warning that any affected machine should be treated as fully compromised.

Supply ChainJavaScriptMalware

16 Feb 2026

OpenSSF flags npm package compass-e2e-tests 99.0.0 as malicious

OpenSSF Package Analysis identified the npm package compass-e2e-tests (version 99.0.0) as malicious due to communication with a domain associated with malicious activity.

NewsSupply ChainJavaScript

16 Feb 2026

Loading news…