Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- highCVE-2025-10996
CVE-2025-10996: Open Babel SMILES Parser Heap Buffer Overflow
Open Babel's SMILES parser reads past the end of a heap buffer when given a crafted molecule string, which can crash or corrupt memory in any application that converts chemistry file formats.
- high
Kahi Supervisor Privilege Drop and Socket Permission Issues
Kahi's process supervisor silently failed to apply configured user credentials to child processes, left supplementary groups intact after dropping privileges, and exposed FastCGI Unix sockets to all l
- highCVE-2026-49473
CVE-2026-49473: @cedar-policy/authorization-for-expressjs Authorization Bypass via Query String
A query string appended to a request URL tricks the Cedar middleware into evaluating a less restrictive authorization policy while Express routes the request to a more privileged endpoint, letting an
- high
Fission MessageQueueTrigger Secret Exfiltration and PodSpec Injection
Any Kubernetes tenant who can create a Fission MessageQueueTrigger can read any Secret in the namespace and run an arbitrary container image under any service account, far beyond their intended RBAC p
- highCVE-2026-49821
CVE-2026-49821: Fission Package Cross-Namespace Confused Deputy RCE and SA Token Exfiltration
A Fission user in one Kubernetes namespace could trick the build controller into running their code inside another tenant's builder pod and leaking that namespace's service-account token, giving the a
- highCVE-2026-49822
CVE-2026-49822: Fission KubernetesWatchTrigger Cross-Namespace Event Leakage
A low-privilege Fission tenant could spy on Pods, Services, and Jobs in any Kubernetes namespace, or even the entire cluster, by creating a watch trigger that pointed its spec.namespace at a namespace
- highCVE-2026-49823
CVE-2026-49823: Fission Cross-Namespace Package Read via Unvalidated PackageRef
A low-privilege Fission function author in one Kubernetes namespace could read the source code and embedded secrets of any Package in any other namespace by setting a single field the admission webhoo
- highCVE-2026-49824
CVE-2026-49824: Fission Cross-Namespace Environment Reference via Unvalidated EnvironmentRef
A Fission tenant with permission to create Functions in their own namespace could point a Function at another tenant's Environment CRD, causing their code to run inside the victim's container image an
- criticalCVE-2026-50545
CVE-2026-50545: Fission Environment PodSpec Injection Leading to Node Escape and Cluster Takeover
A tenant with basic Kubernetes RBAC on Fission's Environment CRD can inject privileged pod settings through a two-step apply-then-patch that bypasses the admission webhook, causing poolmgr to schedule
- criticalCVE-2026-50563
CVE-2026-50563: Fission Container Executor PodSpec Injection Leading to Node Escape
A Fission user with only the ability to create functions can craft a malicious pod spec that tricks the executor into scheduling a privileged, host-namespace pod, escaping to the underlying Kubernetes
- criticalCVE-2026-50564
CVE-2026-50564: Fission Environment PodSpec Passthrough Privilege Escalation to Node Escape
Any user with permission to create or update a Fission Environment can craft a manifest that spins up a privileged, host-network pod, giving them full access to the underlying Kubernetes node and pote
- criticalCVE-2026-50566
CVE-2026-50566: Fission Environment Container SecurityContext Bypass Allows Privileged Pod Creation
A gap in Fission's admission and merge-layer validation lets any tenant with Environment create/update access spin up fully privileged Kubernetes pods, enabling container escape and potential cluster