Briefs

A sandbox integrity escape vulnerability exists in SandboxJS versions prior to 0.8.36, allowing untrusted code to bypass global write protections and mutate host shared global objects, potentially leading to cross-context persistence and broader compromise.

curl_cffi versions before 0.15.0 are vulnerable to server-side request forgery (SSRF) due to unrestricted redirects to internal IP ranges, potentially enabling access to sensitive internal resources and cloud metadata.

CVE-2026-35561 describes an insufficient authentication security control vulnerability in the browser-based authentication components of the Amazon Athena ODBC driver before version 2.1.0.0, potentially allowing a threat actor to intercept or hijack authentication sessions.

A remote, unauthenticated attacker can cause a denial of service by sending crafted input to vulnerable versions of the Amazon Athena ODBC driver, triggering excessive resource consumption during parsing operations.

A man-in-the-middle vulnerability exists in Amazon Athena ODBC driver versions prior to 2.1.0.0 due to improper certificate validation, potentially allowing attackers to intercept authentication credentials when connecting to external identity providers.

A command injection vulnerability (CVE-2026-35558) exists in the Amazon Athena ODBC driver before 2.1.0.0 due to improper neutralization of special elements in connection parameters, potentially leading to arbitrary code execution or authentication redirection.

CVE-2026-32646 allows unauthenticated access to a specific administrative endpoint, potentially exposing device management functions, with a CVSS v3.1 score of 7.5.

prompts.chat prior to commit 30a8f04 is vulnerable to server-side request forgery (SSRF) in Fal.ai media status polling, allowing authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs, leading to potential credential theft and internal network probing.

CVE-2025-10681 describes a vulnerability where hardcoded storage credentials in a mobile app and device firmware, with inadequate permission limits and lack of expiration, could lead to unauthorized access to production storage containers.

A denial-of-service vulnerability in Hirschmann HiOS devices allows remote attackers to crash or hang the device by sending crafted UDP EtherNet/IP packets with invalid length fields.

Multiple supply chain attacks, including the compromise of Axios and Trivy via hijacked GitHub repositories by TeamPCP, demonstrate the increasing threat to open-source software.

A path traversal vulnerability exists in Budibase versions prior to 3.33.4, allowing attackers with Global Builder privileges to delete arbitrary directories and write arbitrary files via crafted plugin uploads.

A stored cross-site scripting (XSS) vulnerability in Budibase versions prior to 3.32.5 allows authenticated users with Builder access to inject malicious HTML payloads into entity names, leading to potential session cookie theft and account takeover when other Builder users open the Command Palette.

Budibase versions before 3.33.4 are susceptible to unauthenticated remote code execution, where a threat actor can trigger a Bash step within an automation via the public webhook endpoint, leading to code execution as root within the container.

An unauthenticated remote attacker can exploit CVE-2026-20093 to bypass authentication in Cisco Integrated Management Controller (IMC), gain full administrative access, and manipulate hardware settings, potentially disrupting critical infrastructure.

Compromised versions of the `axios` npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT), impacting users of `@usebruno/cli` who ran `npm install` between 00:21 UTC and ~03:30 UTC on March 31, 2026, potentially leading to credential exfiltration.

Attackers are leveraging AI to rapidly reconnoiter and tailor content for smaller organizations, making it easier to execute business email compromise (BEC) scams and scam smaller sums from many victims, as demonstrated by a recent attack targeting a small community organization.

The fast-jwt library is vulnerable to JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key due to an incomplete fix for CVE-2023-48223, allowing attackers to bypass intended security measures by exploiting leading whitespace in the RSA public key, enabling attackers to sign arbitrary payloads that will be accepted by the verifier, potentially leading to privilege escalation.

Suricata versions 8.0.0 to before 8.0.4 exhibit a quadratic complexity vulnerability (CVE-2026-31934) when searching for URLs in MIME-encoded SMTP messages, leading to significant performance degradation and potential denial-of-service conditions; this is fixed in version 8.0.4.

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in the Distribution Lists report, allowing attackers to inject malicious scripts.

AIRBUS PSS TETRA Connectivity Server version 7.0 on Windows Server is vulnerable to incorrect default permissions, allowing local privilege escalation to SYSTEM by placing a malicious file in a specific directory.

The Perfmatters plugin for WordPress versions up to 2.5.9.1 is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with minimal privileges to delete sensitive files.

A command injection vulnerability in pymetasploit3 versions up to 1.0.6 allows attackers to inject newline characters into module options, leading to arbitrary command execution within Metasploit sessions.

Ajenti versions before 2.2.15 contain an authorization bypass vulnerability that allows authenticated non-superuser users to install custom packages, potentially leading to privilege escalation and system compromise.

A vulnerability in the multipart parsing logic of gleam-wisp allows an unauthenticated attacker to bypass request size limits and cause a denial of service by exhausting server memory or disk.

The X-Wing decapsulation path in swift-crypto accepts attacker-controlled encapsulated ciphertext bytes without enforcing the required fixed ciphertext length of 1120 bytes, leading to a potential out-of-bounds read.

Ech0 is vulnerable to Server-Side Request Forgery (SSRF) due to an unauthenticated API endpoint (`/api/website/title`) that fetches website titles from user-controlled URLs, lacking proper validation and TLS verification, allowing attackers to access internal resources and potentially cause denial of service.

Better Auth versions prior to 1.4.9 have a critical two-factor authentication bypass vulnerability; when session.cookieCache is enabled, the initial sign-in session may be improperly cached, allowing attackers with valid credentials to bypass 2FA.

CVE-2026-35535 describes a privilege escalation vulnerability in Sudo versions up to 1.9.17p2, where a non-fatal error during privilege dropping can allow an attacker to gain elevated privileges.

A critical time-of-check time-of-use (TOCTOU) vulnerability in OpenClaw's remote file system bridge allows a sandbox escape by exploiting the delay between path validation and file reading, affecting versions up to 2026.3.28.