258 matches found
Inside the Advisory Database and what happens when vulnerability volume breaks records
In May 2026, the GitHub Advisory Database published 1,560 reviewed advisories --more than five times our typical monthly output and the highest in its history. And it still wasn't enough to keep up. Over the past few months, the vulnerability ecosystem has shifted in a fundamental way. Input acro...
Navigating the New Federal Logging Mandate | OMB Memorandum M-26-14
The White House Memorandum puts in place an “adaptive framework,” where agencies make risk-based, prioritized logging decisions...
CVE-2026-48998
GuzzleHttp/psr7 (PHP) before version 2.10.2 is affected by improper Host header validation when parsing raw HTTP requests or deriving a server request URI from server variables. An attacker can supply a Host header containing URI delimiters (for example [email protected]) that can be r...
EUVD-2026-36214
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored...
GHSA-3QMC-CJ7Q-62HV Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header
Summary AllowedHostsMiddleware trusts the X-Forwarded-Host header as a fallback when the Host header is absent. Since X-Forwarded-Host is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the Host header and supplying an X-Forwarded-Host header set to a...
PT-2026-48543
Summary AllowedHostsMiddleware trusts the X-Forwarded-Host header as a fallback when the Host header is absent. Since X-Forwarded-Host is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the Host header and supplying an X-Forwarded-Host header set to a...
CVE-2026-41856: Spring GraphQL Annotation Detection Vulnerability
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. Spring for GraphQL application are vulnerable when all the...
Learn from Your Mistakes: Tree-Like Self-Play for Secure Code LLMs
While Large Language Models LLMs excel in code generation, they remain prone to replicating subtle yet critical vulnerabilities endemic to their training data. Current alignment techniques, such as Supervised Fine-Tuning SFT and Reinforcement Learning RL, typically apply coarse-grained optimizati...
Incorrect Authorization
Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via cached template security decisions in the sandbox implementation. An attacker can bypass sandbox filter, tag, and function restrictions...
Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development
Microsoft has unveiled two new open-source tools called RAMPART and Clarity to assist developers in better testing the security of artificial intelligence AI agents. RAMPART, short for Risk Assessment and Measurement Platform for Agentic Red Teaming, functions as a Pytest-native safety and securi...
Astra Linux – Vulnerability in Golang-1.19
The ParseAddressList function improperly handles comments text within parentheses within display names. Since this contradicts conforming address parsers, it can lead to different trust decisions being made by programs that use different parsers...
Why Agentic AI Is Security's Next Blind Spot
Agentic AI is already running in production environments across many organizations today. It is executing tasks, consuming data, and taking actions — most likely without meaningful involvement from the security team. The industry conversation has largely framed this as a question of policy: allow...
AgentTrust: Runtime Safety Evaluation and Interception for AI Agent Tool Use
Modern AI agents execute real-world side effects through tool calls such as file operations, shell commands, HTTP requests, and database queries. A single unsafe action, including accidental deletion, credential exposure, or data exfiltration, can cause irreversible harm. Existing defenses are...
CVE-2026-39807
The CVE describes a vulnerability in Bandit (Elixir) where the function Elixir.Bandit.Pipeline:determine_scheme/2 returns the client-supplied URI scheme verbatim, ignoring the transport’s secure flag. On plaintext TCP, a client can declare https and Bandit will set conn.scheme = :https even witho...
Managed vs Self-Managed Cloud Hosting: Choosing the Best Option for Your Business
As more businesses relocate their operations to the cloud, one important decision arises: should you choose managed or…...
PT-2026-35774
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.28 Description An exec allowlist bypass exists where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. This allows attackers to obtain user approval...
MARD: A Multi-Agent Framework for Robust Android Malware Detection
With the rapid evolution of Android applications, traditional machine learning-based detection models suffer from concept drift. Additionally, they are constrained by shallow features, lacking deep semantic understanding and interpretability of decisions. Although Large Language Models LLMs...
Architecture Matters for Multi-Agent Security
Multi-agent systems MAS, composed of networks of two or more autonomous AI agents, have become increasingly popular in production deployments, yet introduce security risks that do not arise in single-agent settings. Even if individual agents exhibit robust security, architectural decisions...
GHSA-JWVJ-G8PC-CX45 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
Description In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. Am I affected? You are affected if you meet the following preconditions: 1. You execute BatchCheck operation...
From Incomplete Architecture to Quantified Risk: Multimodal LLM-Driven Security Assessment for Cyber-Physical Systems
Cyber-physical systems often contend with incomplete architectural documentation or outdated information resulting from legacy technologies, knowledge management gaps, and the complexity of integrating diverse subsystems over extended operational lifecycles. This architectural incompleteness...