Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- high
CVE-2026-56382: Craft CMS RCE via Yii2 Event Handler Injection in FieldsController
An authenticated Craft CMS admin can execute arbitrary PHP code by injecting a Yii2 event handler into a POST parameter that the card-preview endpoint passes directly to the object factory without san
- highCVE-2026-49464
CVE-2026-49464: NL Portal Taak IDOR Allows Takeover of Any User's Open Task
Any logged-in user of NL Portal can complete or tamper with another user's open government task by sending the victim's task UUID to an unprotected GraphQL mutation, leaking and overwriting the victim
- highCVE-2026-49471
CVE-2026-49471: serena-agent Unauthenticated Flask Dashboard Enables DNS Rebinding to RCE
Serena's built-in web dashboard runs on a fixed port with no authentication, letting any malicious webpage use DNS rebinding to write arbitrary instructions into the agent's memory store and trigger O
- highCVE-2026-49825
CVE-2026-49825: lxml_html_clean javascript: XSS via xlink:href
lxml_html_clean's HTML sanitizer silently passes javascript: URLs through to the browser when they appear in SVG or MathML anchor tags using the xlink:href attribute, letting attackers store executabl
- highCVE-2026-50197
CVE-2026-50197: Skipper opaAuthorizeRequestWithBody OPA Policy Bypass via Chunked Encoding
Skipper's OPA body-inspection filter silently skips reading the request body for chunked or HTTP/2 requests, letting attackers smuggle forbidden payloads past policy checks that should have blocked th
- criticalCVE-2026-52831
CVE-2026-52831: Nuclio Cron Trigger OS Command Injection (Persistent RCE)
Nuclio's Kubernetes cron trigger builds a shell command string from unsanitized user input, letting anyone with Dashboard access run arbitrary commands inside CronJob pods on every scheduled tick, and
- highCVE-2026-49832
CVE-2026-49832: DSpace Remote Code Execution via Velocity Template Injection in LDN
A DSpace administrator can plant a malicious Velocity template inside a COAR Notify/LDN message template to execute arbitrary Java code on the server.
- criticalCVE-2026-53649
CVE-2026-53649: Joro Unauthenticated Cross-Origin Plugin Upload RCE
Joro's default proxy mode exposed its local API with no authentication and a wildcard CORS policy, letting any webpage the operator visited silently upload a native plugin and trigger a restart to ach
- highCVE-2026-53530
CVE-2026-53530: ratex-parser Process Abort via UTF-8 Multibyte Delimiter in \verb
Sending a nine-byte LaTeX string with a non-ASCII delimiter to ratex-parser causes the Rust process to abort immediately, taking down any server or pipeline that renders untrusted LaTeX.
- criticalCVE-2026-53552
CVE-2026-53552: Goploy Cross-Namespace IDOR and RCE via Body-Controlled Project ID
A manager in any Goploy namespace can read, overwrite, or delete project files owned by other namespaces, and rewrite a foreign project's git remote URL to trigger remote code execution on the next de
- highCVE-2026-53553
CVE-2026-53553: Goploy Arbitrary File Read via Path Traversal in /deploy/fileDiff
Any low-privileged Goploy user can read arbitrary files on both the Goploy server and every remote server it manages by sending a crafted file path to the file-comparison API.
- highCVE-2026-53514
CVE-2026-53514: better-auth Organization Invitation Takeover via Unverified Email Pre-Registration
An attacker who registers an account using a victim's email address (without verifying it) can accept organization invitations meant for that victim, joining the organization at whatever role the admi