Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- critical
motionEye Unauthenticated Admin Credential Theft via Path Traversal
A path traversal bug in motionEye's media playback handler lets a zero-credential attacker read the server's config file, steal the admin password hash, and immediately replay it for full admin access
- highCVE-2026-48126
CVE-2026-48126: Algernon Host Header Path Traversal to Arbitrary File Read and Lua RCE
A missing validation on the HTTP Host header in Algernon's domain mode lets any unauthenticated attacker read files outside the web root and, in common configurations, execute shell commands on the se
- highCVE-2026-48507
CVE-2026-48507: Snipe-IT Bulk User Edit Incorrect Authorization
A low-privileged Snipe-IT user with only the 'users.edit' permission can bulk-disable the 'activated' and 'ldap_import' flags on every admin account, locking all administrators out of the instance wit
- highCVE-2026-54329
CVE-2026-54329: Snipe-IT Cross-Tenant Accessory Injection via Mass Assignment
A low-privileged user in one company can silently create accessory records under a different company by passing a foreign company_id to the Accessories API, breaking multi-tenant inventory isolation.
- criticalCVE-2026-45051
CVE-2026-45051: OpenAM WebAuthn Authenticator Java Deserialization RCE
OpenAM's WebAuthn authentication module deserializes a Java object read directly from a user-controlled LDAP attribute with no class filtering, allowing an attacker who can write to that attribute to
- criticalCVE-2026-45052
CVE-2026-45052: OpenAM Liberty Discovery SOAP Improper Authorization
An unauthenticated attacker can send a raw SOAP request to OpenAM's Liberty Web Services endpoint and permanently write records into any user's LDAP identity profile, because the server performs those
- highCVE-2026-48708
CVE-2026-48708: OliveTin Concurrent Template Parsing Race Condition
OliveTin reuses a single shared Go template object across all goroutines with no locking, so two concurrent action executions can swap each other's shell command templates, running the wrong command w
- highCVE-2026-45794
CVE-2026-45794: OpenAM Push Notification Unsafe Java Deserialization via SNS Callback
A flaw in OpenAM's anonymous SNS push callback endpoint lets an attacker plant a crafted JSON blob in the server's token store, causing OpenAM to load attacker-named Java classes and deserialize attac
- highCVE-2026-46498
CVE-2026-46498: OpenAM Arbitrary OAuth2 Token Minting via CTS Namespace Confusion
A logic flaw in OpenAM's token store lets a low-privileged attacker plant a crafted JSON blob and have it accepted as a valid OAuth2 bearer token, granting access to any resource with attacker-chosen
- highCVE-2026-46560
CVE-2026-46560: OpenAM RADIUS Client Authentication Bypass via Response Spoofing
OpenAM's RADIUS client never validates the server response, so any attacker who can race or spray a forged Access-Accept UDP packet to the client port gains a full session as any RADIUS user without k
- criticalCVE-2026-48714
CVE-2026-48714: i18next-http-middleware Prototype Pollution via Dotted Missing-Key
A bypass in i18next-http-middleware's missing-key guard lets attackers send a crafted translation key like '__proto__.polluted' over HTTP, which downstream backends split and walk directly into Object
- criticalCVE-2026-48713
CVE-2026-48713: i18next-fs-backend Prototype Pollution via Crafted Missing-Key String
A crafted translation key containing __proto__ sent to the i18next missing-key persistence endpoint can overwrite properties on JavaScript's global Object prototype, potentially crashing the app or by