Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- high · CVE-2026-52812
CVE-2026-52812: Gogs LFS Cross-Tenant Object Disclosure via Dedupe Shortcut
A flaw in Gogs Git LFS lets any user with write access to one repository claim ownership of a private repository's stored file by uploading garbage bytes under a known OID, then download the original
- critical · CVE-2026-52813
CVE-2026-52813: Gogs Path Traversal in Organization Name leading to RCE via Git Hooks
Gogs accepts organization names containing ../ sequences without sanitization, letting any registered user write files to arbitrary filesystem paths and ultimately execute arbitrary commands on the se
- high · CVE-2026-45048
CVE-2026-45048: OpenAM Authenticated Privilege Escalation via Session RPC Token Disclosure
A missing ownership check in OpenAM's session management endpoint lets any logged-in user fetch the active session token of any other user, including admins, enabling full privilege escalation.
- high · CVE-2026-45049
CVE-2026-45049: OpenAM CDCServlet Session Token Exfiltration via Unvalidated goto Redirect
OpenAM's cross-domain SSO servlet will POST a logged-in user's raw session token to any URL supplied in the goto parameter, letting an attacker steal the session by tricking the victim into visiting a
- critical · CVE-2026-54350
CVE-2026-54350: @budibase/server Anonymous NoSQL Operator Injection via Query Templates
Any anonymous visitor of a published Budibase app can read or overwrite every document in the backing database by injecting MongoDB operators through an unescaped query parameter, with no login requir
- high · CVE-2026-53925
CVE-2026-53925: Glances Arbitrary File Write via secure_popen Operator Injection in AMP Configuration
Glances lets AMP module commands reach an internal shell-operator parser without any sanitization, so anyone who can write to glances.conf can overwrite arbitrary files or chain commands on the host.
- high · CVE-2026-55441
CVE-2026-55441: mise Tera exec() Injection via Untrusted Task-Include Files
Cloning a repo that contains only a mise-tasks/ folder and running any task-listing command executes arbitrary OS commands silently, because mise renders Tera templates in task files before checking w
- high · CVE-2026-54512
CVE-2026-54512: jackson-databind PolymorphicTypeValidator Bypass via Generic Type Parameters
jackson-databind's type allow-list can be completely bypassed by smuggling a dangerous class inside the generic parameter of a permitted container type, enabling arbitrary class instantiation and pote
- high · CVE-2026-54513
CVE-2026-54513: jackson-databind BasicPolymorphicTypeValidator Array Subtype Allowlist Bypass
A flaw in jackson-databind's polymorphic type validator lets attackers slip a disallowed class past the allowlist by wrapping it in an array, defeating the security control that was supposed to block
- high · CVE-2026-54134
CVE-2026-54134: OctoPrint File Exfiltration via Upload Parameter Injection
A flaw in OctoPrint's upload pipeline lets an authenticated attacker smuggle internal-only file path fields into any upload request, tricking the server into moving arbitrary host files into the publi
- high · CVE-2026-55488
CVE-2026-55488: motionEye Absolute Path Traversal in Media File Handlers
motionEye's media playback and download endpoints accept a user-supplied filename that can be an absolute path, letting anyone with access read arbitrary files off the server.
- critical
motionEye LFI to Unauthenticated RCE Chain (CVSS 9.8)
Four chained bugs in motionEye let a network attacker read any file on the server, steal the admin password hash, upload a malicious script via a tar restore, and execute it without any credentials, r