CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2026-27734 • 17 minutes ago • Severity 6.5

Docker API Path Traversal in Beszel Agent via Unsanitized Input

A path traversal vulnerability exists in the Beszel server monitoring agent, allowing authenticated users to access arbitrary Docker Engine API endpoints. The vulnerability arises from improper sanitization of the 'container' query parameter when constructing requests to the Docker Unix socket. By injecting directory traversal sequences, an attacker with minimum privileges (including Read-Only) can escape the intended container scope and query sensitive host-level information, such as the Docker version, system info, or details of other containers running on the host.

Amit Schendel • 2 views • 5 min read

CVE-2026-27970 • about 1 hour ago • Severity 7.6

Angular i18n Pipeline: Stored XSS via Malicious ICU Message Attributes

A Cross-Site Scripting (XSS) vulnerability exists in the Angular internationalization (i18n) pipeline, specifically within the parsing logic for International Components for Unicode (ICU) messages. The vulnerability stems from an insecure heuristic in the `walkIcuTree` function, which incorrectly treats static attributes in translation files as safe, bypassing Angular's standard sanitization mechanisms. This allows attackers who can influence translation files (e.g., compromised third-party translators or supply chain injection) to inject malicious HTML attributes, resulting in arbitrary JavaScript execution upon rendering.

Alon Barad • 4 views • 5 min read

CVE-2026-27638 • about 2 hours ago • Severity 7.1

Actual Budget Sync Authorization Bypass (IDOR)

A critical authorization flaw exists in Actual Budget's synchronization server, specifically affecting multi-user deployments. The vulnerability allows authenticated users to access, modify, or delete budget files belonging to other users due to missing ownership verification checks in the sync endpoints. This effectively constitutes an Insecure Direct Object Reference (IDOR) where knowledge of a file's UUID is sufficient to grant full access, bypassing intended isolation between users.

Amit Schendel • 3 views • 5 min read

CVE-2026-27449 • about 2 hours ago • Severity 7.5

Unauthenticated Data Exposure via Broken Access Control in Umbraco Engage

A critical access control failure has been identified in Umbraco Engage (formerly uMarketingSuite), specifically affecting the Forms component. The vulnerability arises from missing authentication and authorization checks on sensitive API endpoints, allowing unauthenticated remote attackers to access proprietary marketing data and form submissions. By exploiting this flaw, attackers can bypass intended security boundaries and enumerate records via Insecure Direct Object References (IDOR), leading to significant data leakage of business intelligence and potentially personally identifiable information (PII).

Amit Schendel • 5 views • 5 min read

CVE-2026-27969 • about 5 hours ago • Severity 9.3

Vitess Path Traversal via Backup Manifest Manipulation

A critical path traversal vulnerability exists in the Vitess `builtinbackupengine` component, specifically within the backup restoration workflow. The flaw arises from improper validation of file paths defined in the backup `MANIFEST` file. An attacker with write access to the backup storage location (e.g., S3, GCS, or NFS) can craft a malicious backup manifest containing directory traversal sequences. When a Vitess `vttablet` attempts to restore from this compromised backup, the system processes these sequences, allowing arbitrary file writes to the underlying host filesystem. This vulnerability permits attackers to break out of the intended data directory, potentially overwriting system binaries, configuration files, or authorized keys to achieve remote code execution.

Amit Schendel • 7 views • 5 min read

CVE-2025-54418 • about 6 hours ago • Severity 9.8

CVE-2025-54418: Remote Code Execution in CodeIgniter 4 ImageMagick Handler

A critical OS command injection vulnerability exists in the ImageMagick handler of CodeIgniter 4 versions prior to 4.6.2. The flaw stems from insecure shell command construction when processing image files, allowing unauthenticated remote attackers to execute arbitrary system commands via crafted filenames or text annotations. Successful exploitation results in full server compromise.

Alon Barad • 4 views • 5 min read

CVE-2026-27904 • about 14 hours ago • Severity 7.5

The Infinite Loop of Doom: Unpacking CVE-2026-27904 in Minimatch

Minimatch, the ubiquitous JavaScript glob matcher that likely powers your entire build pipeline, has a nasty habit of choking on its own logic. A specifically crafted 'extglob' pattern can trick the library into generating a Regular Expression with catastrophic backtracking potential. This allows a remote attacker to freeze the Node.js event loop with a payload smaller than a tweet, turning your high-performance application into a very expensive paperweight.

Amit Schendel • 13 views • 4 min read

CVE-2026-27903 • about 14 hours ago • Severity 7.5

Minimatch Mayhem: How Two Asterisks Can Kill Your Node.js Server

A high-severity Regular Expression Denial of Service (ReDoS) vulnerability exists in the popular `minimatch` library, affecting millions of Node.js projects. The flaw lies in the inefficient recursive handling of GLOBSTAR (`**`) patterns, allowing attackers to trigger combinatorial backtracking that stalls the event loop.

Amit Schendel • 12 views • 7 min read

CVE-2026-27835 • about 15 hours ago • Severity 4.3

CVE-2026-27835: Do You Even Lift? The wger Workout Leak

A classic Insecure Direct Object Reference (IDOR) vulnerability in the wger Workout Manager allows authenticated users to access the repetition configurations of every other user on the platform. Due to a failure to filter API querysets by the requesting user, the application serves up the entire database's workout structure to anyone with a valid account.

Amit Schendel • 10 views • 6 min read

CVE-2026-27838 • about 15 hours ago • Severity 3.1

Leaking Gains: The Cached IDOR in wger Fitness Manager

A classic case of 'premature optimization' leading to security failure. In the wger fitness manager, a caching mechanism designed to speed up API responses inadvertently bypassed authentication checks. By generating cache keys based solely on the resource ID, ignoring the requesting user's identity, the application served private workout routines to unauthorized users, provided the victim had recently accessed the data.

Amit Schendel • 5 views • 5 min read

CVE-2026-27839 • about 16 hours ago • Severity 4.3

Lifting the Lid on wger: IDOR in the Nutrition API

A classic Insecure Direct Object Reference (IDOR) vulnerability in the 'wger' workout manager allows authenticated users to access the nutritional plans of any other user. By bypassing Django REST Framework's object-level permission checks, the API serves up full macro breakdowns and caloric data for arbitrary IDs.

Alon Barad • 7 views • 5 min read

CVE-2026-27896 • about 16 hours ago • Severity 7.0

Case-Insensitive Chaos: Bypassing Security Controls in MCP Go SDK

A high-severity interpretation conflict in the Model Context Protocol (MCP) Go SDK allows attackers to bypass security intermediaries. By exploiting Go's standard library JSON parsing behavior, which is case-insensitive by default, attackers can smuggle malicious payloads past WAFs that strictly adhere to the case-sensitive JSON-RPC 2.0 specification.

Alon Barad • 14 views • 5 min read

Automated vulnerability intelligence. 859+ reports.