
SandboxJS critical sandbox escape to host code execution
SandboxJS disclosed a Critical sandbox escape where untrusted JavaScript can obtain the host Function constructor and achieve host-level code execution.
Application security news, updated daily (if there is any news to share).

OpenStack disclosed CVE-2026-28370, a Vitrage query-parser flaw that can let authenticated Vitrage API users execute code on the service host; patches are available.

OpenLIT disclosed and fixed a critical GitHub Actions workflow flaw where `pull_request_target` could execute untrusted fork code with privileged tokens and secrets exposed.

ImageMagick disclosed a High-severity path-policy bypass where path traversal sequences in filenames can read restricted files despite the restrictions in policy-secure.xml.

Broadcom issued VMSA-2026-0001 for VMware Aria Operations, fixing a High-severity command-injection bug and additional XSS and privilege-escalation flaws affecting VCF deployments.

A newly published CVE for the npm `tar` package describes a High-severity hardlink escape during archive extraction.