Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- high
@better-auth/scim: SCIM Provider Account Takeover via Missing Owner Binding
Any authenticated user can hijack another user's SCIM directory connection by calling the token-regeneration endpoint with a known provider ID, invalidating the legitimate bearer token and gaining ful
- criticalCVE-2026-27823
CVE-2026-27823: EGroupware SmallPART Remote Code Execution via Auth Bypass and Path Traversal
A critical chain of three bugs in EGroupware lets an attacker bypass teacher authorization, overwrite the PHP configuration file with malicious code, and achieve remote code execution on the server.
- highCVE-2026-33655
CVE-2026-33655: new-api SSRF Protection Bypass via Unresolved Hostname
Authenticated users of new-api could point Webhook, Bark, or Gotify notification URLs at a hostname that resolves to an internal or cloud-metadata IP address, causing the server to make requests to in
- highCVE-2026-34151
CVE-2026-34151: XWiki Platform Old Core Path Traversal via /skin/ Endpoint on Jetty 12
A double-percent-encoded path in XWiki's /skin/ action lets any unauthenticated user read arbitrary files from the server filesystem, including /etc/passwd and WEB-INF config files, when running on Je
- highCVE-2026-40187
CVE-2026-40187: EGroupware Authenticated RCE via eTemplate eval Injection
An authenticated EGroupware administrator can upload a malicious XML template file that causes the server to execute arbitrary OS commands, taking full control of the underlying system.
- highCVE-2026-35341
CVE-2026-35341: uu_mkfifo Unauthorized Permission Overwrite on Existing Files
A missing 'continue' in uutils mkfifo lets a failed FIFO creation silently overwrite the permissions of whatever file was already at that path, potentially making private files like SSH keys world-rea
- highCVE-2026-55794
CVE-2026-55794: Craft CMS Authenticated RCE via Twig Injection in Referer Header
A logged-in Craft CMS editor can run arbitrary server commands by placing Twig template code in the HTTP Referer header when saving an entry, because the redirect URL is rendered without sandboxing.
- criticalCVE-2026-55500
CVE-2026-55500: 9router Unprotected Database Export/Import Credential Theft
Any authenticated 9router user can dump the entire database in plaintext (all API keys, OAuth tokens, and OIDC secrets) or silently overwrite it with attacker-controlled data, including a new admin pa
- highCVE-2026-55501
CVE-2026-55501: 9router Login Rate-Limit Bypass via X-Forwarded-For Spoofing
The 9router dashboard login page lets attackers bypass its brute-force lockout entirely by rotating a spoofed X-Forwarded-For header on each request, giving every attempt a fresh rate-limit counter.
- highCVE-2026-54641
CVE-2026-54641: OpenRemote Manager Cross-Realm User Information Disclosure
A tenant admin in one OpenRemote realm can read the full profile and role assignments of any user in any other realm, including the privileged master realm, by supplying an arbitrary user UUID to thre
- critical
9router: Unauthenticated CRUD on Provider API and Full API Key Leak
Any unauthenticated user on the network can read, create, modify, or delete all AI provider connections in 9router and retrieve plaintext API keys, because the Next.js middleware never guards the /api
- criticalCVE-2026-55615
CVE-2026-55615: langroid Neo4jChatAgent Prompt-to-Cypher Injection (RCE)
Langroid's Neo4jChatAgent passes LLM-generated Cypher queries directly to the Neo4j driver with no validation, letting anyone who can influence the agent's prompt read or destroy all graph data and, w