1143 matches found
PT-2026-27488
Name of the Vulnerable Software and Affected Versions: Astro versions 2.10.10 through 5.18.0. Description: Astro’s remotePatterns path enforcement for remote URLs used by server-side fetchers, such as the image optimization endpoint, is affected by an issue. The path matching logic for / wildcards i...
Astro Input Validation Error Vulnerability
Astro is a content-driven website framework developed by Astro OpenSource. Versions of Astro from 2.10.10 to 5.18.1 had a vulnerability related to input validation errors. This vulnerability stemmed from defects in the path matching logic of remotePatterns, which could allow access to paths that...
PT-2026-27263
Name of the Vulnerable Software and Affected Versions: Rails versions prior to 8.1.2.1; Rails versions prior to 8.0.4.1; Rails versions prior to 7.2.3.1. Description: Active Storage enables users to attach cloud and local files within Rails applications. A flaw exists in the DiskService#delete_prefixed...
When the Abyss Looks Back: Unveiling Evolving Dark Patterns in Cookie Consent Banners
To comply with data protection regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), websites widely deploy cookie consent banners to collect users' privacy preferences. In practice, however, these interfaces often embed dark patterns tha...
New tools and guidance: Announcing Zero Trust for AI
Over the past year, I have had conversations with security leaders across a variety of disciplines, and the energy around AI is undeniable. Organizations are moving fast, and security teams are rising to meet the moment. Time and again, the question comes back to the same thing: "We're adopting A...
Allocation of Resources Without Limits or Throttling
Overview: next is a React framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of an upper bound on the disk cache used by the image optimization. An attacker can exhaust disk storage by generating a large number of...
PT-2026-25984
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the...
Exploit for CVE-2025-48757
🛡️ Supabase Sentinel A Claude Skill that audits your Supaba...
Exploit for Code Injection in Unicode
codescan Fast, configurable code security scanner written in...
GHSA-F8R2-VG7X-GH8M OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths
Summary: matchesExecAllowlistPattern normalized patterns and targets with lowercasing and compiled glob matching too broadly on POSIX. In addition, the ? wildcard could match /, which allowed matches to cross path segments. Impact: These matching rules could overmatch allowlist entries and permit...
Exploit for Improper Input Validation in Toolkit_Project Toolkit
gha-exploit-guard Standalone GitHub Action that scans GitHub...
CVE-2026-32235
Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents a...
Open Redirect
Overview: @backstage/plugin-auth-backend is a Backstage backend plugin that handles authentication. Affected versions of this package are vulnerable to Open Redirect via the OAuth redirect URI validation bypass. An attacker can intercept authorization codes by crafting a redirect URI that bypass...
This Week in Spring - March 10th, 2026
Hi, Spring fans! Welcome to another installment of This Week in Spring. As I write this, I am preparing for a trip to Rust, Germany, for one of the best Java conferences in Europe: JavaLand, along with its new companion event, DevLand. It should be fun. Will you be around? If so, say hi. We have ...
MCP-In-SoS: Risk Assessment Framework for Open-Source MCP Servers
Model Context Protocol (MCP) servers have rapidly emerged over the past year as a widely adopted way to enable Large Language Model (LLM) agents to access dynamic, real-world tools. As MCP servers proliferate and become easy to adopt via open-source releases, understanding their security risks become...
FalconEYE 2.1.0
FalconEYE represents a paradigm shift in static code analysis. Instead of relying on predefined vulnerability patterns, it leverages large language models to reason about your code the same way a security expert would, understanding context, intent, and subtle security implications that tradition...
SlowBA: An Efficiency Backdoor Attack Towards VLM-Based GUI Agents
Modern vision-language-model (VLM) based graphical user interface (GUI) agents are expected not only to execute actions accurately but also to respond to user instructions with low latency. While existing research on GUI-agent security mainly focuses on manipulating action correctness, the security...
CVE-2026-28463
OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or grep to read arbitrary local files via glob patterns or environment variables. Authorized callers or prompt-injection attacks can exploit...
EUVD-2026-10049
GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution...