Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- high
Hysteria: HTTP Sniff Unbounded Header Read Server DoS
When protocol sniffing is enabled, a Hysteria 2 server will buffer an attacker's HTTP header data indefinitely until the sniff timeout, allowing any authenticated client to exhaust server memory and c
- high
Hysteria Server Crash via Tiny QUIC max_datagram_frame_size
An authenticated Hysteria client can crash the server instantly by advertising a tiny QUIC datagram size and then sending a UDP packet, triggering a slice-bounds panic in the fragmentation code.
- critical, CVE-2026-48769
CVE-2026-48769: Incus Arbitrary File Write via Trusted Image Hash Header
A malicious image server can trick the Incus daemon into writing attacker-controlled content to any file on the host, including cron jobs, by returning a path-traversal sequence in the HTTP Incus-Imag
- high, CVE-2026-48788
CVE-2026-48788: Remark42 Image Proxy XSS via Content-Type Spoofing
Remark42's image proxy blindly trusts the Content-Type header from remote servers, so an attacker can serve HTML/JavaScript disguised as an image and have it executed in the browser under Remark42's o
- critical, CVE-2026-48753
CVE-2026-48753: Incus S3 Multipart Upload Path Traversal to Arbitrary File Write
A missing path sanitization check in Incus's built-in S3 server lets any authenticated bucket user write files anywhere on the host filesystem, including cron directories, making remote code execution
- critical, CVE-2026-48755
CVE-2026-48755: Incus Argument Injection in Backup Compression Leading to Arbitrary File Write and RCE
Incus allows a remote authenticated user to inject extra arguments into the backup compression command, letting them write arbitrary files on the host and potentially execute code as root.
- critical, CVE-2026-48749
CVE-2026-48749: Incus Arbitrary File Read and Write via rootfs Symlink in Malicious Image
A crafted container image can trick Incus into mapping its rootfs to any path on the host, letting an authenticated user read or overwrite arbitrary host files as root.
- critical, CVE-2026-48751
CVE-2026-48751: Incus Restricted Project Bypass via Snapshot Restore
A flaw in Incus lets an attacker smuggle dangerous low-level container configuration inside a snapshot, move that snapshot into a locked-down project, and restore it to run arbitrary commands as root
- critical, CVE-2026-48752
CVE-2026-48752: Incus Arbitrary Host File Read and Write via templates/ Symlink
A malicious container image or instance backup can trick Incus into treating a symlink as its templates directory, letting an attacker read or overwrite any file on the host, including cron jobs that
- high, CVE-2026-46619
CVE-2026-46619: OpenAM MSISDN Authentication Bypass via LDAP Injection
A missing LDAP filter escape in OpenAM's MSISDN authentication module lets an unauthenticated attacker inject LDAP metacharacters and obtain a valid session as any directory user, no password required
- high, CVE-2026-46623
CVE-2026-46623: OpenAM OAuth2 Module Account Takeover via Unverified Password Change
A logic flaw in OpenAM's OAuth2 authentication module silently resets any local user's password to their own username after an OAuth2 login, letting an unauthenticated attacker log in as that user usi
- high, CVE-2026-49229
CVE-2026-49229: @actual-app/sync-server Insufficient Session Expiration on User Disable
Disabling an OpenID user in Actual Budget's sync server does not invalidate that user's existing session tokens, letting the disabled account keep accessing budgets and admin functions indefinitely.