Rucio, the data management titan used by CERN and other scientific behemoths, suffered from a classic web vulnerability: Stored Cross-Site Scripting (XSS). Buried within the Rucio Storage Element (RSE) metadata handling, the WebUI blindly trusted backend data, rendering it directly into the DOM via unsafe jQuery methods. This allowed an attacker with RSE configuration privileges to plant malicious JavaScript payloads that execute in the browser of any administrator viewing the storage details, leading to session hijacking and potential compromise of massive scientific datasets.
A critical Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Rucio WebUI, the interface for the open-source scientific data management framework used by major research institutions. The flaw stems from the insecure use of jQuery manipulation methods—specifically `.html()`, `.append()`, and `.after()`—to render user-controlled data retrieved from the backend API. By injecting malicious JavaScript into the 'Identity Name' field of an account, an attacker can persist a payload that executes in the browser of any administrator who views that account's details. The impact is exacerbated by a lack of defense-in-depth measures: session cookies lack the `HttpOnly` flag, and authentication tokens are exposed as global variables, making full account takeover trivial.
Rucio, the data management heavyweight used by CERN and the scientific community to juggle petabytes of physics data, has a soft underbelly: its WebUI. A Stored Cross-Site Scripting (XSS) vulnerability exists in the RSE (Rucio Storage Element) attribute management system. By injecting malicious JavaScript into storage attributes, an attacker can turn the administrative dashboard into a weapon, executing arbitrary code in the browser of any admin who views the details. Coupled with a lack of `HttpOnly` cookies and globally exposed auth tokens, this is a textbook session hijacking vector.
A critical race condition and cache collision vulnerability exists in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7. The flaw lies within the configuration caching mechanism for dynamic master keys. When an application configures its `masterKey` as a function (for rotation or retrieval purposes), the dashboard caches the result. However, the cache key failed to differentiate between a full administrative session and a read-only session. This allows a read-only user to inherit the cached full master key if an administrator has recently accessed the dashboard, leading to immediate privilege escalation and potential data destruction.
A critical cryptographic oversight in the Ethereum Name Service (ENS) DNSSEC oracle allowed attackers to bypass RSA signature verification. By exploiting a lazy validation implementation in `RSASHA256Algorithm` and `RSASHA1Algorithm` contracts, adversaries could forge valid-looking signatures for specific Top-Level Domains (TLDs) like `.cc` and `.name` that utilize a low public exponent ($e=3$). This flaw essentially permitted the hijacking of ENS domains rooted in these TLDs without possessing the actual DNS private keys.
A high-severity Denial of Service (DoS) vulnerability exists in the BishopFox Sliver C2 framework. The vulnerability, caused by uncontrolled resource consumption in the Gzip decompression logic, allows an unauthenticated attacker to crash the Sliver server by sending a 'Zip Bomb'—a small, highly compressed payload that expands into gigabytes of data in memory.
In the world of AI agents, executing untrusted code is a necessary evil. @enclave-vm/core promised a 'secure' environment to run this code, wrapping standard JavaScript objects in protective boundaries. However, a critical flaw in its AST validation logic failed to account for one of JavaScript's most chaotic features: implicit type coercion. By tricking the validator with objects that look innocent statically but scream 'constructor' at runtime, attackers could break out of the sandbox and execute arbitrary commands on the host system.
A critical Denial of Service (DoS) vulnerability exists in the `pypdf` library, a ubiquitous tool for PDF manipulation in the Python ecosystem. By crafting a PDF with a circular cross-reference (xref) chain, an attacker can trap the parser in an infinite loop. This results in immediate 100% CPU utilization and process hang, potentially taking down document processing pipelines, web services, or serverless functions.
OliveTin, a tool designed to simplify shell command execution for end-users, suffers from two critical Command Injection vulnerabilities (CVE-2026-27626). By failing to sanitize arguments in 'password' fields and entirely bypassing validation for Webhook triggers, the application allows unauthenticated attackers to execute arbitrary code with the privileges of the hosting process. This effectively turns a tool meant for controlled access into an open door for full system compromise.
FileBrowser Quantum, a popular self-hosted file management solution, suffered from a critical logic flaw in its sharing mechanism. Intended to protect files with passwords, the application inadvertently leaked the authentication tokens required to bypass that very protection. By simply querying a metadata API endpoint, an attacker could retrieve a direct download URL for any shared file—password protected or not—rendering the security controls purely cosmetic.
A critical SQL Injection vulnerability in the Pimcore platform allows authenticated administrators to execute arbitrary SQL commands via the dependency listing feature. By manipulating JSON filter parameters, attackers can bypass sanitization and inject malicious payloads directly into `RLIKE` clauses.
A critical path traversal vulnerability in MindsDB allows authenticated attackers to break out of the upload sandbox and overwrite arbitrary system files. By manipulating the 'Content-Disposition' header during file uploads, an attacker can replace core Python libraries with malicious code, leading to Remote Code Execution (RCE) when the application subsequently attempts to use those libraries. The flaw stems from an unsafe configuration of the 'python-multipart' library.