Supply Chain · Watch Tuesday · 26 May 2026 End-of-day synthesis 4 watches · 24 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Late escalation at 21:00 ET adds a Yamcs algorithm-engine RCE, three pre-auth RCEs in FUXA, and a path traversal in the npm `tmp` transitive dep on top of the day's XWiki and LiteSpeed criticals.

The day was supposed to be locked at First Watch: XWiki criticals, the LiteSpeed cPanel KEV add, the Drupal Core SQLi deadline ticking down. Then between 19:00 and 20:30 ET the GHSA feed opened up — 24 fresh advisories in three hours, including a critical Yamcs RCE, three pre-auth RCEs in FUXA, a path traversal in the npm `tmp` transitive dep, and a Kirby CMS triple.

Three patterns to notice. First, Yamcs (CVE-2026-44632) joins a recent run of disclosures in aerospace open-source — the Janino-based algorithm engine compiles user-controlled text with no sandbox, so any user with the `ChangeMissionDatabase` privilege gets host RCE. Second, the FUXA chain (CVE-2026-43945/43946/43947) is what URL-substring authentication buys you: appending `?x=/socket.io` to any admin path bypasses the entire auth middleware and reaches Node-RED command nodes, even in Secure Mode. Third, the `tmp` npm advisory (CVE-2026-44705, fixed in 0.2.6) is the kind of transitive-dependency bug that hides in two-thirds of Node tooling — anything that passes user input into `prefix`, `postfix`, or `dir` is now writing files outside the tempdir. yeoman-environment 6.0.1 closed a sibling install-on-demand hole (CVE-2026-42089), and Fedify 2.2.3 patched a JSON-LD signature bypass that lets an attacker restructure a signed ActivityPub activity into a different one without invalidating its Linked Data Signature.

→ Operational priority for the night the XWiki and LiteSpeed criticals from First Watch are still the top items before sleep — the Drupal SA-CORE-2026-004 KEV deadline crosses at midnight UTC. Add Yamcs to the upgrade list if you run any aerospace stack on it, and run `npm ls tmp` across your build pipelines to map which transitive deps will pick up 0.2.6. The FUXA chain is severe but its install base is narrow; the Kirby triple matters mainly to Composer-managed PHP sites on 5.3.0–5.4.0.

21:00 ET · Last Watch

Critical · GHSA-524g-x36v-9wm6 · CVE-2026-44632 · org.yamcs:yamcs-core (CVSS 9.1) ·added 21:00 ET

Yamcs — Server-side Java code injection in algorithm engine, authenticated RCE on mission control hosts

Yamcs' `JavaExprAlgorithmExecutionFactory` dynamically compiles and evaluates user-supplied algorithm text via the embedded Janino compiler with no sandbox, no allowlist, and no escape — any authenticated user with the `SystemPrivilege.ChangeMissionDatabase` privilege can PATCH an existing algorithm's text and reach `java.lang.Runtime.exec()` on the host. Yamcs is the open-source mission control framework used by aerospace and rocketry teams; the privileged users who can trigger this are typically operators or MDB engineers, but the RCE primitive is the worst-case shape for any system that controls flight hardware. Upgrade to ≥ 5.12.7. If the upgrade window is longer than a day, audit who currently holds `ChangeMissionDatabase` and rotate any session tokens issued to non-essential accounts.

High · GHSA-p69w-mmfv-xrfj · GHSA-rg3m-cfq7-g6h6 · GHSA-fwcm-rqvw-j3p7 · CVE-2026-43945/43946/43947 · @frangoteam/fuxa < 1.3.1 ·added 21:00 ET

FUXA — pre-auth RCE chain: URL-substring auth bypass, runscript test-mode RCE, getTagValue auth bypass

Three coordinated FUXA disclosures landed together. The first is the chain anchor: the auth middleware excludes paths via `req.originalUrl.includes('/socket.io')`, so appending `?x=/socket.io` to any administrative URL bypasses Secure Mode and Node-RED auth in one shot — when Node-RED is configured with command-execution-capable nodes, this is unauthenticated RCE as root. The second is a confused-deputy bug in `/api/runscript` where setting `test:true` compiles attacker-supplied code instead of the stored script's body, with script IDs and names leaked through the unauthenticated `/api/project` info disclosure. The third is an authorization bypass on `/api/getTagValue` via a guest-token fallback that returns `true` when the referenced script doesn't exist. FUXA's install base is narrow (open-source SCADA/HMI), but the chain is the worst-case shape for any operational-technology environment that exposed it without a network filter. Upgrade to 1.3.1; until then, block external access to `/api/runscript`, `/api/getTagValue`, and `/nodered/*` at the reverse proxy.

High · GHSA-ph9p-34f9-6g65 · CVE-2026-44705 · tmp < 0.2.6 ·added 21:00 ET

npm `tmp` < 0.2.6 — path traversal via `prefix`/`postfix`/`dir` writes files outside the tempdir

The `tmp` npm package builds filenames as `<prefix>-<pid>-<random>-<postfix>` and composes the final path via `path.join(tmpDir, opts.dir, name)` with no validation; `path.join` normalises `../` sequences and silently escapes the configured base. Any application that flows untrusted input — request bodies, file metadata, repo names — into `tmp.file()` / `tmp.dir()` options without sanitisation can be coerced into writing attacker-controlled files at arbitrary process-writable paths. `tmp` is a top-tier transitive: it ships in CLI tools, test frameworks, image processors, and build pipelines. Run `npm ls tmp` across your tree, pin to ≥ 0.2.6, and audit any in-house code that constructs `tmp` option objects from external data. CVSS hasn't been assigned but the blast radius from a transitive perspective is wide.

High · GHSA-9hx7-c53c-v6x8 · GHSA-5fhx-9q32-q257 · GHSA-86rh-h242-j8xp · CVE-2026-44177/44175/44174 · getkirby/cms ·added 21:00 ET

Kirby CMS — coordinated triple: path traversal, stored XSS in list field, arbitrary method call on collections

Kirby published a three-CVE coordinated bundle. The unconditional one is CVE-2026-44177: a Users-collection path traversal that lets unauthenticated requests reach arbitrary PHP files; affects every Kirby 5.3.0–5.4.0 site regardless of configuration. The other two require an authenticated Panel user — CVE-2026-44175 is stored XSS in the list field/block that fires in frontend templates, and CVE-2026-44174 is an arbitrary-method-call primitive through the collection query API that can be chained into information disclosure or unintended writes depending on which methods are accessible. Kirby is widely deployed by agencies and freelance shops; if you run it, upgrade now (5.4.1 / 4.9.1) and treat any Panel user account who hasn't been recently audited as a potential pivot point for the two authenticated bugs.

High · GHSA-vv9j-gjw2-j8wp · CVE-2026-42089 · yeoman-environment (CVSS 8.6) ·added 21:00 ET

yeoman-environment < 6.0.1 — silent install of caller-supplied generator packages during CLI bootstrap

`installLocalGenerators()` in yeoman-environment 2.9.0–6.0.0 calls `repository.install()` against caller-supplied package names with no user confirmation; downstream consumers that accept project configuration from untrusted sources (CLI scaffolds run against attacker-controlled `.yo-rc.json`, generator hubs pulling from third-party catalogs) get arbitrary npm installs and arbitrary code execution during bootstrap. The shape is the same as the Laravel-Lang / Shai-Hulud package-spoofing campaigns earlier in the week — the attacker doesn't compromise a package, they convince your tool to install one of theirs. Upgrade to 6.0.1, which adds an interactive confirmation prompt. If you ship a CLI built on Yeoman, treat every project descriptor that names a package as untrusted input until you've reviewed the path.

High · GHSA-9rfg-v8g9-9367 · CVE-2026-42462 · @fedify/fedify (CVSS 7.0) ·added 21:00 ET

Fedify < 2.2.3 — JSON-LD signature bypass via `@graph` / `@reverse` restructuring of signed activities

Linked Data Signatures sign the canonical RDF graph of a JSON-LD document, but JSON-LD has multiple syntactic forms that flatten to equivalent or near-equivalent graphs — moving a signed `Activity` into a `@graph` and promoting its embedded `object` to the top level (or applying `@reverse` to flip edges) preserves the signature while changing how every ActivityPub implementation interprets the payload. In practice an attacker can take a Mastodon-style `{ "type": "Undo", "object": { "type": "Announce" } }` and have downstream servers process the `Announce` instead of the `Undo`. Patched in @fedify/fedify 2.2.3. If you run a Fediverse server on Fedify, upgrade now and audit any signed activities that arrived between the disclosure window and the patch.

18:00 ET · First Watch

Critical · CISA KEV · CVE-2026-48172 · LiteSpeed cPanel Plugin ·added 18:00 ET

LiteSpeed cPanel Plugin privilege escalation — newly added to KEV, any cPanel user → root

CISA added CVE-2026-48172 to KEV today (2026-05-26) with a 2026-05-29 due date. The LiteSpeed cPanel Plugin exposes a user-end interface that any cPanel account can use to execute arbitrary scripts with root privileges — the entire trust boundary between an unprivileged cPanel customer and the host server collapses. The threat model is worst-case for shared-hosting providers and any organization running multi-tenant cPanel deployments: one compromised customer login or one rogue tenant equals root on the underlying server, which means cross-tenant data access and pivot into the hosting control plane. Apply LiteSpeed's 2026-05-21 security update per the vendor's blog (linked in the KEV entry) immediately. Audit cPanel reseller environments first; those are the highest-blast-radius hosts.

Critical · GHSA-qrvh-r3f2-9h4r · CVE-2026-33137 · XWiki Platform ·added 18:00 ET

XWiki Platform — unauthenticated XAR import via REST creates or updates any document

`POST /wikis/{wikiName}` performs a XAR import with no authentication or authorization check, allowing an unauthenticated attacker to create or update arbitrary documents in the target wiki. XAR is XWiki's full-fidelity export/import format and includes scripts, attachments, and rights configuration — effective takeover of any internet-exposed XWiki instance. Patched in 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1. Upgrade now; if you cannot, add a reverse-proxy rule blocking POST requests to `/wikis/{wikiName}[/]` until the upgrade lands. Treat any XWiki instance reachable from outside the corporate network as compromised until you can prove from access logs that no anonymous POST hit that endpoint.

Critical · GHSA-xq3r-2qv5-vqqm · CVE-2026-23734 · XWiki Platform ·added 18:00 ET

XWiki Platform — path traversal in ssx/jsx endpoints exposes xwiki.cfg and other config files

A URL like `/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false` reads arbitrary files off the XWiki webapp — including `xwiki.cfg`, which holds database connection strings and administrative secrets on most installations. Reproducible on Tomcat instances per the advisory. Combined with today's unauthenticated XAR import (CVE-2026-33137), an attacker can both read your DB creds and write any document on the wiki in the same hour. Patched in 18.0.0-rc-1, 17.10.3, 17.4.9, 16.10.17. Patch now and rotate the XWiki database credential afterward — assume it's been read if your instance was internet-reachable.

High · GHSA-rh28-mqj4-8x59 · CVE-2026-48048 · XWiki Platform ·added 18:00 ET

XWiki Platform — Livetable still leaks password hashes one bit at a time (incomplete patch)

The patch for GHSA-5cf8-vrr8-8hjm was insufficient — slightly modified parameters against `LiveTableResults` still allow bit-by-bit reconstruction of a user's password salt and hash in 768 requests. CVSS 7.5, network/no-auth/no-UI. The third-party attribution issue stings: defenders patched once, declared the bug closed, and the original report still works. Upgrade to XWiki 18.0.0-rc-1, 17.10.13, 17.4.9, or 16.10.17, or apply the upstream patch to `XWiki.LiveTableResultsMacros` manually. Audit web logs for repeated LiveTableResults requests from a single source over a short interval — that's the exfil signature.

High · GHSA-6m7c-xfhp-p9fh · CVE-2026-28445 · Typebot ·added 18:00 ET

Typebot — Rating Block custom-icon stored XSS bypasses the isUnsafe sandbox in builder preview

Typebot's Rating Block renders the `customIcon.svg` field through Solid's `innerHTML` directive with no sanitization, executing arbitrary HTML/JS in the builder's DOM context (builder.typebot.io) when a workspace collaborator previews a malicious bot. The `isUnsafe` Web Worker sandbox that protects Script blocks during preview is bypassed entirely because the payload runs in the builder app itself, not the preview iframe. CVSS 8.7 with Scope:Changed because the embed JS component pierces into the builder's auth context. Patched upstream; upgrade and audit any workspaces that accept imported templates from outside collaborators or community sources.

Medium · GHSA-vgwr-23fq-pr7g · CVE-2026-48047 · XWiki Platform ·added 18:00 ET

XWiki Platform — subwiki-admin path traversal allows arbitrary file write via malicious WebJar extension

Path traversal that lets an attacker write arbitrary files — including overwriting `xwiki.properties` to set the superadmin password — but requires the attacker to first have subwiki admin rights and to publish a malicious WebJar in a repository the instance trusts. Lower severity than the day's two unauthenticated XWiki criticals because of the access prerequisite, but still belongs in the same upgrade window. Patched in 16.10.17, 17.4.9, 17.10.3, 18.0.0RC1. No workaround other than tightening who you grant subwiki admin and script rights to.

Medium · GHSA-hqmv-v56g-4m47 · CVE-2026-39964 · Typebot ·added 18:00 ET

Typebot.io — stored XSS via `javascript:` URI in text bubble links

The viewer's text-bubble link renderer sets `<a href>` directly from stored bot content with no scheme filter — `javascript:` URIs pass through SolidJS unchanged. Because the viewer is typically embedded in a third-party site, the attacker's JS runs in the *host page's* origin, which is the wrong end of the security boundary if that host page has session cookies or analytics. Companion bug to today's higher-severity Rating Block sandbox bypass; both fixes ship together. Upgrade Typebot embed JS and audit any bots authored by lower-trust collaborators.

Medium · GHSA-g2g4-47gv-p72v · CVE-2026-26028 · CryptPad ·added 18:00 ET

CryptPad — Diffmarked.js sanitizer bypass via `srcdoc` on iframes/video/audio

CryptPad's sanitizer treats `<iframe>` as 'restricted' rather than 'forbidden' and only validates the `src` attribute, ignoring `srcdoc` entirely — feed in a benign `blob:` src plus a malicious `srcdoc` and you render unrestricted HTML inside the supposed sandbox. The intended bounce-sandbox protection is defeated; an attacker can embed external links, images, or interactive content inside what looks to the victim like trusted document content. Classic 'we validated the obvious attribute and missed the other one' shape. Patch upstream; if you self-host CryptPad for sensitive workgroups, audit any user-uploaded markdown content for `srcdoc` strings in the interim.

Medium · GHSA-hfpv-mc5v-p9mm · CVE-2025-66407 · Weblate ·added 18:00 ET

Weblate — Create Component SSRF returns full HTTP responses via Mercurial backend

The Create Component flow accepts an unvalidated repository URL. With the Mercurial backend selected, Weblate fetches the URL server-side and exposes the full response body to the requesting user — turning Create Component into a fully-readable SSRF primitive that can hit cloud metadata endpoints (IMDSv1, GCP, Azure) and internal HTTP services. `file://` requests don't always return content but leak filesystem layout via error messages. Patched upstream. Authorized users only, but in cloud environments any authorized user reaching IMDS is a credential disclosure path — patch promptly and confirm IMDSv2 is enforced on the Weblate host.

Context · GHSA-fgmm-w5cx-vrfw · CVE-2026-35202 · Pterodactyl ·added 18:00 ET

Pterodactyl — broken database lock in Client API allows resource limit bypass

The Pterodactyl Client API calls `$server->databases()->lockForUpdate()` without a terminal query method, which Laravel silently treats as a no-op. Concurrent requests all see the database count under the limit and proceed, letting users exceed their assigned allocation. Severity: low. Not a security boundary breach so much as a billing/quota issue, but the bug shape — chained query-builder method that looks like it does something but doesn't — is worth circulating to anyone writing Laravel code. Patched upstream; audit your own Eloquent codebases for naked `lockForUpdate()` calls without a terminal `count()` or `get()`.

12:00 ET · Forenoon Watch

Critical · CISA KEV · CVE-2026-9082 · Drupal SA-CORE-2026-004 ·added 12:00 ET

Drupal Core SQL injection — KEV due date is tomorrow (2026-05-27)

SQL injection in Drupal Core via the database abstraction API; exploited path goes privilege escalation to remote code execution. CISA added this on 2026-05-22 with a federal remediation deadline of 2026-05-27 — that is tomorrow. The KEV window closes in under 24 hours for federal agencies and their contractors, making this the most time-sensitive item on today's watch. Apply SA-CORE-2026-004 now. If you run Drupal behind a WAF, confirm the WAF rule for SQL injection actually fires against the specific parameter path Drupal's DB API exposes; some rule sets miss abstraction-layer injection patterns.

High · CISA KEV · CVE-2026-42897 · Microsoft Exchange Server ·added 12:00 ET

Exchange Server OWA cross-site scripting — KEV due 2026-05-29

Stored or reflected XSS in Outlook Web Access allows arbitrary JavaScript execution in the victim's browser session when specific interaction conditions are met. CISA added this on 2026-05-15 with a due date of 2026-05-29 — three days from now. Exchange on-premise exposure plus XSS equals credential harvest or session token theft, especially for orgs that use OWA as a mail gateway with persistent sessions. Apply the MSRC patch; if you can't ship it this week, use the Exchange Emergency Mitigation Service (EEMS) to apply the interim config and restrict OWA to known-good IP ranges.

High · CISA KEV · CVE-2025-34291 · Langflow ≤ v1.9.2 ·added 12:00 ET

Langflow CORS misconfiguration enables cross-origin RCE via refresh token theft

Langflow ≤ v1.9.2 ships with an overly permissive CORS policy and a refresh token cookie marked SameSite=None; a malicious webpage a developer visits can silently issue cross-origin requests, steal the refresh token, and call authenticated API endpoints — including code execution endpoints. Langflow is an AI pipeline orchestrator that many teams self-host on internal networks with implicit trust and no auth proxy in front. That trust model makes this worse than the CVSS base score suggests: one phishing click from a developer with Langflow admin access hands the attacker a code execution primitive on your AI infrastructure. Upgrade to ≥ v1.9.3. If you can't patch immediately, enforce CORS origin allowlisting in your reverse proxy and restrict Langflow to an authenticated VPN segment.

High · CISA KEV · CVE-2026-34926 · Trend Micro Apex One (on-premise) ·added 12:00 ET

Trend Micro Apex One dir traversal enables attacker-controlled code push to all managed endpoints

Pre-authenticated directory traversal on the Apex One management server allows a local attacker to modify a key configuration table and inject code that the server then distributes to every managed agent in the fleet. The blast-radius shape is the same as the Falcon sensor incident pattern: compromise the management plane once, reach every protected endpoint simultaneously. 'Pre-authenticated local attacker' on a management server that is often accessible across the enterprise LAN is a realistic threat model. Apply the Trend Micro KA-0023430 patch. Audit whether your Apex One management port is reachable from workstations or developer subnets — it should only be accessible from privileged admin jump hosts.

High · CISA KEV · CVE-2026-41091 (EoP) · CVE-2026-45498 (DoS) · Microsoft Defender ·added 12:00 ET

Microsoft Defender double-add on KEV — EoP link-following and DoS, due 2026-06-03

CISA added two Defender CVEs on 2026-05-20: CVE-2026-41091, a link-following vulnerability enabling local privilege escalation, and CVE-2026-45498, an unspecified denial-of-service. Both carry a 2026-06-03 remediation deadline. The May Patch Tuesday rollup covers both; the operational risk is incomplete patch propagation — hosts that appear clean in dashboard polling may have had the rollup fail silently. Spot-check patch status on a sample of endpoints using a method independent of your patch management agent (e.g., WMI query or direct registry check) to confirm the update actually applied.

Context · CISA KEV · CVE-2008-4250, CVE-2009-1537, CVE-2009-3459, CVE-2010-0249, CVE-2010-0806 ·added 12:00 ET

CISA adds five CVEs from 2008–2010 to KEV — ancient exploitation toolkits still active in 2026

On 2026-05-20, CISA added five vulnerabilities from the 2008–2010 era to KEV: MS08-067 (CVE-2008-4250, the Windows Server Service buffer overflow that spread Conficker), CVE-2009-1537 (DirectX QuickTime parser RCE), CVE-2009-3459 (Adobe Reader 9 heap overflow), and two Internet Explorer use-after-free bugs including CVE-2010-0249 (the 'Aurora' zero-day used against Google). CISA only adds CVEs to KEV when active exploitation is confirmed; seeing 15–18-year-old CVEs enter the list in 2026 is a signal that embedded systems, ICS networks, or severely neglected legacy estates with pre-Vista Windows and legacy Adobe Reader are being actively targeted. If your environment has any segment still running Windows XP, Server 2003, or Windows Vista-era software stacks — including OT devices, medical equipment, or ATM-class hardware — treat this batch as confirmation that those segments are under active exploitation pressure.

Context · Aikido Security Blog · 2026-05-26 ·added 12:00 ET

Aikido: developer machines are the new #1 supply chain attack surface — EDR and MDM miss the real risk

Aikido interviewed security teams at Omnea, Cognism, Glasswall, Raisin, and a UK public-sector org about why developer machines have become the primary supply chain attack vector. The common thread: EDR catches known malware signatures and MDM enforces disk encryption and screen lock, but neither sees what npm install is doing in a home directory, what .env files contain secrets committed accidentally, or what a malicious devDependency is exfiltrating during a build step. This is the same attack surface the 2026-05-24 campaigns (TrapDoor, Shai-Hulud, Laravel-Lang) all targeted — developer machines as the entry point into CI/CD and registry credentials. Analytical piece, no immediate CVE. Worth forwarding to your AppSec or platform-engineering team as supporting rationale for dev machine hardening and package audit tooling.

06:00 ET · Morning Watch

Context · Pipeline · fetchers (GHSA 0 · KEV catalog unchanged since 05-22 · RSS 2 already-triaged) ·added 06:00 ET

Morning Watch: no fresh GHSA, KEV, or registry-poisoning disclosures in the watch window

The Morning fetchers found zero new GHSA advisories in the 26-hour window, zero new KEV adds since the 2026-05-22 catalog release (catalog version 2026.05.22, unchanged from yesterday's passes), and two RSS items — The Hacker News' Lazarus RemotePE writeup and weekly recap — that the 2026-05-25 First Watch already triaged in full. The day did not stay quiet: the Forenoon pass added six KEV items (Drupal, Exchange, Langflow, Apex One, Defender double-add, vintage batch), and the First Watch picked up a coordinated four-CVE XWiki disclosure plus a fresh LiteSpeed cPanel KEV add. Retained as the pipeline-state record for the morning.