Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- highCVE-2026-49451
CVE-2026-49451: Microsoft.OpenAPI Uncontrolled Recursion via Circular Schema References
A tiny OpenAPI document with two schemas that point at each other can exhaust the call stack and terminate any .NET process that parses it using Microsoft.OpenAPI.
- highCVE-2026-44840
CVE-2026-44840: Dgraph DQL Injection via checkUserPassword GraphQL Query
Dgraph's checkUserPassword GraphQL query passes user-supplied passwords directly into a DQL query string, letting an unauthenticated attacker inject arbitrary query blocks and enumerate or probe the d
- highCVE-2026-47424
CVE-2026-47424: OpenAM Authenticated Groovy Sandbox Escape to RCE
A flaw in OpenAM's server-side Groovy scripting sandbox lets an authenticated script author run operating-system commands on the host, breaking the only code-level wall between a realm administrator a
- high
pnpm Path Traversal via configDependencies Lockfile Entry Allows Symlink Escape
A crafted pnpm-lock.yaml with a dot-dot package name in configDependencies tricks pnpm install into creating symlinks outside the intended node_modules/.pnpm-config directory, giving an attacker a fil
- high
pnpm Hoisted Lockfile Alias Path Traversal ()
A crafted pnpm lockfile alias used with the hoisted node linker could escape node_modules entirely, writing package files to arbitrary paths on the filesystem.
- highCVE-2026-49339
CVE-2026-49339: gonic Playlist ID Path Traversal Bypasses Ownership Check
Any logged-in user of the gonic music server can read or delete another user's private playlists by crafting a playlist ID that smuggles directory traversal sequences past the ownership check.
- highCVE-2026-55698
CVE-2026-55698: pnpm Env Lockfile Package-Manager Integrity Bypass
A malicious repository can commit a crafted pnpm-lock.yaml that tricks pnpm into downloading and executing an attacker-chosen pnpm binary instead of fetching a fresh, verified one from the registry.
- highCVE-2026-55487
CVE-2026-55487: pnpm allowBuilds Build Policy Identity Spoof
A flaw in how pnpm normalized dependency identifiers let an attacker append a fake peer suffix to a git, tarball, or URL dependency and have it pass as an already-approved build, running arbitrary lif
- highCVE-2026-55697
CVE-2026-55697: pnpm Repository-Controlled configDependencies Native Binary Execution
A malicious repository can place a specially crafted entry in pnpm-workspace.yaml that causes pnpm to download and execute an attacker-controlled native binary whenever a developer or CI runner runs p
- highCVE-2026-49340
CVE-2026-49340: gonic Arbitrary File Write via Path Traversal in createPlaylist
Any authenticated gonic user, including non-admins, can write attacker-controlled content to arbitrary paths on the server's filesystem by passing a path-traversal sequence as a playlist ID.
- high
CVE-2026-47074: ex_aws_sns SNS Signature Verification Bypass via Unvalidated SigningCertURL
The ex_aws_sns Elixir library blindly fetches whatever certificate URL an incoming SNS message provides, letting any unauthenticated attacker forge a valid-looking SNS message by pointing that URL at
- highCVE-2026-50016
CVE-2026-50016: pnpm Transitive Dependency Alias Path Traversal via Symlink Replacement
A malicious npm registry package can smuggle path traversal segments into a dependency alias, causing pnpm to replace project directories like .git/hooks with symlinks to attacker-controlled code duri