Wiz + Spotify Backstage: Security at the Developer’s Desk
Bring Wiz Issues directly into Backstage, so developers can act on security issues in the tools they use every day...
Important: Red Hat Security Advisory: Self-service automation portal 2.1 security update
Updated images are now available for Self-service automation portal 2.1, which include new features, bug fixes, and enhancements for Red Hat Ansible Automation Platform integration with Red Hat Developer Hub. Self-service automation portal 2.1 delivers an Ansible-first Red Hat Developer Hub user...
Important: Red Hat Security Advisory: Self-service automation portal 2.0 security update
Updated images are now available for Self-service automation portal 2.0, which include new features, bug fixes, and enhancements for Red Hat Ansible Automation Platform integration with Red Hat Developer Hub. Self-service automation portal 2.0 delivers an Ansible-first Red Hat Developer Hub user...
Building AI Security Together: New Ways to Partner with Wiz for AI Security in 2026
Enhancing the Wiz Integration Network with a new WIN MCP, developer AI agent, WIN AI security category, and partner AI hackathon...
CVE-2026-24070
CVE-2026-24070 describes a local privilege escalation in Native Instruments Native Access. The installer deploys a privileged helper (com.native-instruments.NativeAccess.Helper2) used via XPC to perform actions like copy-file, remove, or set-permissions. The XPC service restricts access to client...
Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Regular Expression Denial of Service (ReDoS) due to cross-spawn
Summary: cross-spawn is used by IBM watsonx Orchestrate Developer Edition as part of image: tools-runtime. Vulnerability Details: CVEID: CVE-2024-21538. DESCRIPTION: Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service ReD...
Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Server-Side Request Forgery (SSRF) due to urllib3
Summary: urllib3 is used by IBM watsonx Orchestrate Developer Edition as part of image: wxo-builder. Vulnerability Details: CVEID: CVE-2025-50181. DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiati...
Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to HTTP Request Smuggling vulnerability due to gunicorn
Summary: gunicorn is used by IBM watsonx Orchestrate Developer Edition as part of image: wxo-rag-tool. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions: Affected Products | Versions | IBM watsonx Orchestrate Developer...
Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Path Traversal vulnerability due to github.com/gin-gonic/gin
Summary: github.com/gin-gonic/gin is used by IBM watsonx Orchestrate Developer Edition as part of image: tools-runtime-manager. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions: Affected Products | Versions | IBM watson...
Whispers of Wealth: Red-Teaming Google's Agent Payments Protocol Via Prompt Injection
Large language model (LLM) based agents are increasingly used to automate financial transactions, yet their reliance on contextual reasoning exposes payment systems to prompt-driven manipulation. The Agent Payments Protocol (AP2) aims to secure agent-led purchases through cryptographically verifiable...
Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime affect Rational Business Developer
Summary: There are vulnerabilities in IBM Semeru Runtime used by Rational Business Developer. Rational Business Developer has provided fixes for the applicable CVEs. These issues were disclosed as part of the IBM Semeru Runtime Quarterly CPU - Oct 2025. Vulnerability Details: CVEID: CVE-2025-53057...
Security Bulletin: Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer
Summary: There are vulnerabilities in IBM® SDK Java™ used by Rational Business Developer. Rational Business Developer has provided fixes for the applicable CVEs. These issues were disclosed as part of the IBM Java SDK and Runtime Environment updates in the Oracle October 2025 Critical Patch Update...
UEVR security vulnerabilities
UEVR is a general-purpose VR engine module developed by the individual developer PrayDog. Versions of UEVR prior to 1.05 contained security vulnerabilities, which were caused by an out-of-bounds read operation in the program file lparser.C...
vm2 security vulnerabilities
vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.10.2 have security vulnerabilities; these vulnerabilities stem from Promise callback cleanup mechanisms...
[SECURITY] Fedora 43 Update: python3.9-3.9.25-3.fc43
Python 3.9 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.9, see other distributions that support it, such as CentOS or RHEL or older Fedo...
[SECURITY] Fedora 42 Update: python3.9-3.9.25-3.fc42
Python 3.9 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.9, see other distributions that support it, such as CentOS or RHEL or older Fedo...
CVE-2025-52024
A vulnerability exists in the Aptsys POS Platform Web Services module through 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services,...
An Empirical Study on Remote Code Execution in Machine Learning Model Hosting Ecosystems
Model-sharing platforms, such as Hugging Face, ModelScope, and OpenCSG, have become central to modern machine learning development, enabling developers to share, load, and fine-tune pre-trained models with minimal effort. However, the flexibility of these ecosystems introduces a critical security...
MPay code-related vulnerabilities
MPay is a convenient payment collection tool developed by Technic Laohu in China. Versions of MPay 1.2.4 and earlier have code vulnerabilities, which stem from incorrect handling of the parameter “codeimg”. This vulnerability may lead to arbitrary file uploads...
Flow code issues and vulnerabilities
Flow is a free and open-source enterprise-level process application developed by FlowwJ, a Chinese developer. It combines technologies such as Flowable to create an integrated process engine solution. There are code issues and vulnerabilities in Flow; these vulnerabilities stem from incorrect...