Application security news, updated daily (if there is any news to share).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
Apache Storm disclosed an unsafe-deserialization RCE in `org.apache.storm:storm-client` Kerberos TGT credential handling, affecting versions before `2.8.6` when submitting topologies via Nimbus.
VulnCheck disclosed a High-severity authenticated command injection in `VA MAX <= 8.3.4` that enables remote code execution via `changeip.php`, with a public Exploit-DB reference.
Budibase disclosed a critical unauthenticated RCE where public webhook-triggered automations with a Bash step can execute attacker-controlled commands as `root` in self-hosted deployments.
CVE-2026-1961 discloses a High-severity command injection in Foreman’s WebSocket proxy that can yield server-side RCE when VM console access is used with a malicious compute resource.
GitHub Advisory Database published a critical OneUptime advisory for CVE-2026-30957, where synthetic monitor code can trigger probe-side RCE via exposed Playwright objects.
CVE-2026-27577 discloses a critical n8n expression-evaluation sandbox escape enabling authenticated workflow editors to execute system commands.