csoonline.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-06.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-06-06 | Patching fast and slow: Ruby devs delay to defend against supply chain attack | Supply Chain | Ruby developers are facing a dilemma over patching a recent supply chain attack. The vulnerability, detailed in the linked article, impacts the Ruby ecosystem. Some developers are opting for a quick fix to address the threat immediately, while others are delaying in order to implement more thorough, long-term solutions. This split highlights the trade-off between immediate security and robust system integrity in the face of evolving threats. |
| 2026-06-04 | Hugging Face Transformers RCE flaw enables stealthy compromise via AI model configs | RCE | Vulnerability in Hugging Face Transformers (CVE-2026-4372) that allows attackers to achieve remote code execution by including a specially crafted `_attn_implementation_internal` parameter in model configuration files. This bypasses the `trust_remote_code=false` protection, enabling execution of arbitrary Python code from attacker-controlled repositories without user prompts or runtime warnings, particularly affecting users with GPU-accelerated inference because of the optional `kernels` dependency. |
| 2026-06-02 | HP Poly VoIP vulnerability sets the stage for executive voice deepfakes | RCE | Writeup of CVE-2026-0826, a critical buffer overflow vulnerability in HP Poly VoIP phones that allows unauthenticated attackers to gain root access and eavesdrop or record audio for AI-enabled voice deepfakes. Discovered by Rapid7, the flaw in the SDP parsing code is exploitable via Metasploit even with ASLR enabled. This vulnerability highlights the growing threat of embedded device compromise for both traditional espionage and modern AI-driven fraud. |
| 2026-06-02 | Attack targeting OpenAI Codex users exposes AI software supply chain risks | Supply Chain | Analysis of codexui-android, a malicious npm package targeting OpenAI Codex users, which reveals AI software supply chain risks. The package, downloaded thousands of times weekly, appeared legitimate but exfiltrated developer authentication tokens, including long-lived refresh tokens, through malicious code injected into the distributed artifact rather than the public GitHub source. This highlights a blind spot where build and distribution pipelines, rather than source code, become the attack vector, and the need to verify package provenance and its consistency with the source code. |
| 2026-06-01 | Flowise's MCP implementation can run ghost commands | RCE | Vulnerability in Flowise's MCP stdio implementation, CVE-2026-40933, that allows one-click remote code execution in self-hosted deployments. Attackers can exploit a sandboxing failure in attacker-controlled MCP configurations, leading to server-side code execution with the privileges of the Flowise process and potentially root-level access in containerized environments. While Flowise has implemented several hardening measures, they have been found to be bypassable. The recommended complete mitigation is disabling MCP stdio by setting `CUSTOM_MCP_PROTOCOL=sse`. |
| 2026-05-30 | Notepad vulnerabilities could enable arbitrary code execution on Windows systems | RCE | Details two arbitrary code execution vulnerabilities, CVE-2026-48778 and CVE-2026-48800, affecting Notepad++ versions up to 8.9.6. These flaws, rated High (CVSS 7.8), allow local attackers to execute commands by manipulating the `shortcuts.xml` and `config.xml` files. A third crash bug, CVE-2026-48770, was also patched. Exploitation requires the attacker to have write access to user profile directories or to trick the user into opening a poisoned settings folder. |
| 2026-05-28 | FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework | API Sec | Covers CVE-2026-48710 in Starlette, the framework underlying FastAPI, which allows authentication bypass via malformed Host headers. The flaw, rated High by researchers at X41 D-Sec, can lead to SSRF and RCE in AI tools, model-serving infrastructure, and API gateways. A patch is available in Starlette 1.0.1 and later. |
| 2026-05-21 | Unpatched ChromaDB flaw leaves servers open to remote code execution | RCE | Vulnerability, ChromaToast (CVE-2026-45829), in ChromaDB's API server that allows unauthenticated remote code execution by exploiting a race condition in which malicious AI models hosted on Hugging Face are fetched and loaded before authentication is checked. This critical flaw, affecting versions 1.0.0 to 1.5.8, lets attackers gain shell access with the server's permissions and potentially reach sensitive data. Researchers advise using the Rust implementation or restricting network access until a patch is available. |
| 2026-05-21 | Drupal admins rushing to patch maximum severity SQL injection vulnerability | SQLi | Covers CVE-2026-9082, a critical SQL injection vulnerability in Drupal's core database abstraction API, particularly affecting PostgreSQL users. The flaw allows anonymous users to perform information disclosure, privilege escalation, or remote code execution. The patch also includes important upstream security fixes for the Symfony and Twig dependencies, so all Drupal environments need updating. Administrators are strongly advised to patch immediately and to consider auditing access permissions for Twig template updates. |
| 2026-05-16 | Expired domain leads to supply chain attack on node-ipc npm package | Supply Chain | The `node-ipc` library for Node.js inter-process communication was compromised via an expired domain and email takeover. Malicious versions of the popular npm package (9.1.6, 9.2.3, 12.0.1) were published, bundling credential-stealing malware designed to exfiltrate sensitive data from CI/CD tools, cloud services, Kubernetes, and more via DNS TXT queries. The attack leveraged a dormant maintainer account whose associated domain had expired and was subsequently re-registered by attackers. |
| 2026-05-14 | AI agent finds 18-year-old remote code execution flaw in Nginx | RCE | An LLM-powered vulnerability-finding system discovered four bugs in Nginx, including CVE-2026-42945, a critical heap buffer overflow in the `ngx_http_rewrite_module` that allows remote code execution through specific rewrite directive configurations. The flaw, affecting Nginx versions 0.6.27 to 1.30.0 and Nginx Plus, was patched in later releases. Additional vulnerabilities CVE-2026-42946, CVE-2026-42934, and CVE-2026-40701 were also identified, leading to denial of service, memory leaks, or data modification. |
| 2026-05-14 | PraisonAI vulnerability gets scanned within 4 hours of disclosure | API Sec | Writeup of CVE-2026-44338, an authentication bypass in PraisonAI's legacy Flask API server, detailing how internet scanners began probing vulnerable instances within four hours of disclosure. The flaw, affecting versions 2.5.6 to 4.6.33, stems from authentication being disabled by default in `api_server.py`, allowing unauthenticated access to agent workflows. Researchers identified the "CVE-Detector/1.0" user agent as a sign of early reconnaissance against specific PraisonAI endpoints. |
| 2026-05-13 | Fortinet fixes two critical RCE flaws in FortiAuthenticator and FortiSandbox | RCE | Fortinet has released patches for two critical RCE vulnerabilities, CVE-2026-44277 in FortiAuthenticator (improper access control) and CVE-2026-26083 in FortiSandbox (missing authorization). These flaws allow unauthenticated attackers to execute arbitrary code via specifically crafted requests. Fortinet also provided updates for other flaws, including CVE-2025-53844, CVE-2025-53870, and CVE-2025-53680 in FortiOS and FortiAP products. |
| 2026-05-13 | May Patch Tuesday roundup: Critical holes in Windows Netlogon, DNS and SAP S/4HANA | RCE | Report on Microsoft's May Patch Tuesday, highlighting critical vulnerabilities in Windows Netlogon (CVE-2026-41089) and the Windows Server DNS Client (CVE-2026-41096), both with CVSS 9.8 scores. It also covers a severe remote code execution flaw in Microsoft Dynamics 365 On Premises (CVE-2026-42898), a privilege escalation in the Microsoft SSO plugin for Jira/Confluence (CVE-2026-41103), and an SQL injection in SAP S/4HANA Enterprise Search (CVE-2026-34260). |
| 2026-05-12 | Mistral AI SDK, TanStack Router hit in npm software supply chain attack | Supply Chain | Writeup of a software supply chain attack targeting numerous npm and PyPI packages, including Mistral AI's SDK and the TanStack Router ecosystem. The TeamPCP threat group exploited GitHub Actions weaknesses and maintainer misconfigurations, using the Mini Shai-Hulud malware to steal developer credentials and install a destructive 'dead man's switch' component. The attack highlights the risks of implicit trust within software dependency networks; it affects hundreds of packages and potentially compromises enterprise credentials. |
| 2026-05-11 | Malicious Hugging Face model masquerading as OpenAI release hits 244K downloads | Supply Chain | Covers a malicious Hugging Face model masquerading as a legitimate OpenAI release, and how to defend against such models. The incident highlights the emerging threat of AI repositories as a software supply chain attack vector: one model, Open-OSS/privacy-filter, reached 244,000 downloads before removal. The attack used a malicious loader.py script that delivered infostealer malware targeting browser credentials, cryptocurrency wallets, and system information, bypassing traditional security controls, with suggested links to npm typosquatting and PyPI campaigns. |
| 2026-05-07 | Ollama vulnerability highlights danger of AI frameworks with unrestricted access | API Sec | Ollama, a tool for running AI models on local hardware, is affected by CVE-2026-7482, dubbed Bleeding Llama. The vulnerability, an out-of-bounds heap read in the model quantization pipeline, allows unauthenticated attackers to craft malicious GGUF files. Uploading these files via the API endpoint leaks sensitive process memory, including system prompts, user messages, environment variables, API keys, and proprietary code. Exploitation requires only three API requests to exfiltrate this data. Mitigation involves updating to Ollama version 0.17.1, using authentication proxies, and implementing IP access filters and firewalls. |
| 2026-05-05 | Supply-chain attacks take aim at your AI coding agents | AI, Supply Chain | Guide to identifying and mitigating AI coding agent supply-chain risks, including techniques such as "slopsquatting" and LLM Optimization abuse used in the PromptMink campaign by the North Korean APT group Famous Chollima. It details malicious packages targeting AI agents on registries like npm and PyPI, featuring persuasive descriptions, legitimate-functionality lures, and compiled payloads and obfuscation for evasion. It also addresses how AI agents can be manipulated into installing malicious dependencies, as observed with hallucinated package names and overly convincing documentation designed to influence LLM recommendations. |
| 2026-05-05 | AI finds 20-year-old bugs in PostgreSQL and MariaDB | AI | Analysis of critical vulnerabilities discovered by AI in PostgreSQL and MariaDB, including CVE-2026-2005 (PostgreSQL pgcrypto heap buffer overflow), CVE-2026-2006 (PostgreSQL missing validation), and CVE-2026-32710 (MariaDB JSON_SCHEMA_VALID() buffer overflow). These flaws, some dating back over 20 years, enable remote code execution and have been patched by the maintainers. |
| 2026-04-30 | Max-severity RCE flaw found in Google Gemini CLI | RCE | Update fixing a critical remote code execution (RCE) vulnerability in Google Gemini CLI. Disclosed by Novee Security, the flaw (related to CWE-77 and CWE-78) allowed attackers to inject malicious configurations and execute arbitrary commands on the host system, particularly in CI/CD environments processing untrusted input. Patched versions 0.39.1 and 0.40.0-preview.3, along with the run-gemini-cli GitHub Action fix (v0.1.22), address the vulnerability by removing implicit workspace trust and enforcing stricter tool allowlisting, aligning non-interactive execution with the interactive safeguards. |
| 2026-04-29 | Critical GitHub RCE bug exposed millions of repositories | RCE, Supply Chain | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub's Git push processing, specifically within the X-STAT component. The flaw, found by Wiz researchers using AI-augmented tooling, allowed authenticated users to execute arbitrary commands server-side, leading to potential remote code execution and full compromise of GitHub Enterprise Server instances and exposing millions of repositories. Patches were released for GitHub.com and Enterprise Server. |
| 2026-04-29 | More fake extensions linked to GlassWorm found in Open VSX code marketplace | Supply Chain | Writeup on the GlassWorm malware campaign, detailing the discovery of 73 new fake extensions impersonating trusted tools on the Open VSX code marketplace. These extensions, designed to evade detection with benign initial code and bundled native binaries, act as loaders that download the GlassWorm malware. Researchers highlight the systemic security gap in IDE extension management compared to software packages, which lacks integrity verification and leads to credential theft. Recommendations include treating extensions as high-risk dependencies, disabling auto-updates, using SCA tools that cover extensions, and implementing strict approval processes. |
| 2026-04-28 | Critical Cursor bug could turn routine Git into RCE | RCE, Supply Chain | Covers securing AI-augmented IDEs against RCE vulnerabilities, exemplified by CVE-2026-26268 in Cursor IDE. The flaw, which allowed arbitrary code execution via malicious Git repositories and AI agent interaction with Git hooks and bare repositories, is patched in Cursor version 2.5. The exploit leverages documented Git features, making detection challenging because it blends into normal development workflows. |
| 2026-04-23 | Bitwarden CLI password manager trojanized in supply chain attack | Supply Chain | Writeup of the Bitwarden CLI supply chain attack, in which attackers published a trojanized version 2026.4.0 to npm. The malicious version, containing `bw_setup.js` and `bw1.js`, targeted cloud and development credentials, including GitHub, npm, AWS, and GCP tokens, and weaponized them for further access. The attack leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, similar to the incidents affecting Checkmarx KICS and Trivy, and is attributed to the TeamPCP group. Remediation involves revoking compromised tokens and keys, rotating secrets, and inspecting GitHub Actions workflows. |
| 2026-04-23 | Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core | API Sec | CVE-2026-40372 is a critical flaw introduced in ASP.NET Core's Data Protection library on Linux, macOS, and Windows. A bug in the .NET 10.0.6 package causes incorrect HMAC validation, allowing attackers to forge payloads and decrypt protected tokens and cookies. Remediation requires rebuilding embedded applications, expiring affected tokens, and rotating credentials. |
| 2026-04-21 | Prompt injection turned Google's Antigravity file search into RCE | AI | Prompt injection allows RCE in Google's Antigravity IDE, bypassing Secure Mode. Researchers exploited a flaw in the `find_my_name` tool, which used the `fd` utility. By injecting command-line flags into the `Pattern` parameter, attackers could turn file searches into arbitrary code execution, even through indirect prompt injection from untrusted source files. This bypasses Secure Mode because the native tool invocation occurs before the security boundary checks. |
| 2026-04-13 | Seven IBM WebSphere Liberty flaws can be chained into full takeover | RCE | Writeup on seven IBM WebSphere Liberty flaws that can be chained for full server compromise and remote code execution, including CVE-2026-1561 (pre-authentication RCE via SAML Web SSO), CVE-2025-14915 (privilege escalation via AdminCenter), and others related to hardcoded keys and insecure archive extraction. |
| 2026-04-13 | Critical flaw in Marimo Python notebook exploited within 10 hours of disclosure | Python | Writeup of CVE-2026-39987, a critical pre-authentication RCE vulnerability in Marimo Python notebooks that allows unauthenticated attackers to gain a full shell and execute arbitrary commands. Exploited within 10 hours of disclosure, the flaw affects Marimo versions prior to 0.23.0 and enables credential theft in under three minutes. The vulnerability stems from an unauthenticated terminal WebSocket endpoint, highlighting risks in AI-adjacent developer tools like MLflow and Langflow. |
| 2026-04-10 | Claude uncovers a 13-year-old ActiveMQ RCE bug within minutes | RCE | Writeup detailing CVE-2026-34197, a 13-year-old RCE vulnerability in Apache ActiveMQ Classic uncovered by Anthropic's Claude. The flaw, exploitable via the Jolokia API and a malicious Spring XML file, allows arbitrary system command execution. Researchers used AI to build an exploit chain in minutes, highlighting the potential of AI in vulnerability discovery. The critical flaw affects ActiveMQ Classic versions prior to 5.19.4 and several 6.x releases, with an unauthenticated variant possible in some 6.x versions due to CVE-2024-32114. |
| 2026-04-10 | Attackers Exploit Critical Langflow RCE as CISA Sounds Alarm | RCE | Covers detecting and mitigating remote code execution in Langflow, particularly CVE-2026-33017. The vulnerability allows unauthenticated attackers to execute arbitrary Python code by submitting malicious workflow data via the `build_public_tmp` endpoint. Attackers weaponized the flaw within hours of disclosure, leading to credential exfiltration and potential software supply chain compromise. Runtime detection is crucial, focusing on exploit behavior such as shell command execution and data exfiltration over HTTP rather than on specific CVE signatures. |
| 2026-04-10 | Telnet Vulnerability Opens Door to Remote Code Execution as Root | RCE | Writeup on CVE-2026-32746, a critical vulnerability in GNU inetutils telnetd allowing pre-authentication remote code execution as root. Triggered by a buffer overflow in the LINEMODE Set Local Characters (SLC) handler, exploitation can lead to full system compromise on affected legacy infrastructure, networking equipment, and embedded systems. The flaw enables arbitrary memory writes via a pointer corrupted once a fixed-size buffer is exceeded. Migrating to SSH, disabling telnetd, or blocking port 23 are the recommended workarounds. |
| 2026-04-02 | Fortinet hit by another exploited cybersecurity flaw | RCE | Analysis of CVE-2026-21643, a critical SQL injection vulnerability in FortiClient EMS, detailing its exploitation for remote code execution and data exfiltration. The flaw, present in version 7.4.4 with multi-tenant mode enabled, allows unauthenticated attackers to craft HTTP requests that access admin credentials, endpoint data, and certificates. The vulnerability remains a top application security risk, underscoring the need for organizations to patch immediately and to consider zero-trust architectures to mitigate such threats. |
| 2025-08-14 | SSRF attacks explained and how to defend against them | SSRF | Reference detailing Server-Side Request Forgery (SSRF) attacks and how attackers trick servers into making unauthorized requests. It distinguishes SSRF from CSRF, highlighting SSRF's impact on the web server itself, and cites the Capital One breach and the Microsoft Exchange CVEs (such as CVE-2021-26855) as examples. It differentiates basic SSRF, where data is returned, from blind SSRF, which focuses on performing actions. Mitigation strategies include restricting protocols, using allowlists over denylists, and never blindly trusting user input, especially in URL parameters. |
| 2025-04-25 | Critical Commvault SSRF could allow attackers to execute code remotely | SSRF | Writeup of CVE-2025-34028, a critical SSRF vulnerability in Commvault Command Center allowing pre-authentication remote code execution. Researchers found the flaw in the deployWebpackage.do endpoint, which an attacker can exploit by supplying a malicious ZIP file containing a .JSP to achieve RCE. The vulnerability affects specific Commvault versions and has been patched in update 11.38.20; isolating the Command Center from external networks is suggested as a workaround. |
| 2025-04-10 | Hackers attempted to steal AWS credentials using SSRF flaws within hosted sites | SSRF | Analysis of a March 2025 campaign targeting AWS credentials by exploiting Server-Side Request Forgery (SSRF) flaws in websites hosted on EC2 instances. Attackers leveraged CWE-200 (Exposure of Sensitive Information) and CWE-918 (SSRF) against the vulnerable Instance Metadata Service version 1 (IMDSv1). Recommendations include migrating to IMDSv2, implementing WAF rules to block access to the metadata endpoint, and filtering requests from specific IP addresses within ASN 34534. |