Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- criticalCVE-2026-53519
CVE-2026-53519: Nezha Monitoring Pre-Auth Path Traversal via /dashboard.. Prefix Confusion
A missing path-segment check in Nezha Monitoring's dashboard router lets any unauthenticated attacker read arbitrary server-side files, including the JWT signing key, by crafting a URL like /dashboard
- high
Blnk API Key Authorization Bypass in Owner and Scope Enforcement
A non-master Blnk API key could create keys for other owners or escalate its own permissions by injecting a different owner ID or broader scopes directly into the request body, bypassing all authoriza
- highCVE-2026-49357
CVE-2026-49357: line-desktop-mcp Unauthenticated MCP Tool Access via Streamable HTTP
When line-desktop-mcp runs in HTTP mode it binds on all network interfaces with no authentication, letting any reachable host read LINE chat history and send messages as the logged-in desktop user.
- highCVE-2026-49286
CVE-2026-49286: pontedilana/php-weasyprint PHAR Deserialization via Case-Insensitive Stream Wrapper Bypass
A case-sensitive blocklist in php-weasyprint lets attackers pass a PHAR archive path using mixed-case like PHAR:// to bypass the output filename guard and trigger PHP object deserialization, leading t
- high
SolidInvoice: IDOR in Symfony LiveComponents Allows Cross-User API Token and Notification Settings Access
Any authenticated user inside a SolidInvoice company can read, revoke, or hijack another user's API tokens and notification credentials by supplying a victim's entity ID to unprotected Symfony LiveCom
- highCVE-2026-49293
CVE-2026-49293: js-toml CPU Exhaustion via Quadratic BigInt Parsing
Feeding js-toml a TOML file containing a very long hex, octal, or binary integer literal causes the parser to burn CPU quadratically, letting one HTTP request block a Node.js server for tens of second
- highCVE-2026-47066
CVE-2026-47066: hackney Alt-Svc Parser Infinite Loop (DoS)
A single-byte malformed Alt-Svc response header causes hackney's parser to spin in an infinite loop, pinning an Erlang scheduler at 100% CPU and permanently hanging the connection process.
- highCVE-2026-47071
CVE-2026-47071: hackney SOCKS5 TLS Upgrade Infinite Timeout
When hackney routes an HTTPS request through a SOCKS5 proxy, the TLS handshake after the tunnel is established has no timeout, so a malicious or compromised proxy can stall the handshake forever and p
- highCVE-2026-47073
CVE-2026-47073: erlang/hackney WebSocket Unbounded Memory Consumption
A malicious WebSocket server can drain all memory from any Erlang/Elixir process using hackney's WebSocket client, crashing the BEAM node with no authentication required.
- highCVE-2026-47067
CVE-2026-47067: hackney Atom-Table Exhaustion via URL Scheme Parsing
hackney's URL parser converts every URL scheme it sees into a permanent BEAM atom, so an attacker who can supply URLs with unique scheme prefixes can exhaust the VM's 1,048,576-atom limit and crash th
- highCVE-2026-48801
CVE-2026-48801: linkify-it O(N²) DoS in match() scan loop
Sending a large block of repeated email-like text to any app that uses linkify-it (including markdown-it with linkify enabled) causes the server to burn CPU for seconds per request, making denial-of-s
- highCVE-2026-48809
CVE-2026-48809: python-engineio Unauthenticated Memory Exhaustion (DoS)
An unauthenticated attacker can crash or slow down a python-engineio server by sending oversized messages that bypass the configured payload size limit, causing unbounded memory allocation.