Supply Chain · Watch · Wednesday · 27 May 2026 · End-of-day synthesis · 4 watches · 40 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — CISA closes the day with KEV adds for Nx Console and TanStack — turning the npm credential-stealing wave into a federal-mandate clock — while Yamcs hands aerospace operators two critical mission-control RCEs.

The 18:00 First Watch led with the LiquidJS template-engine RCE and two malicious npm packages quietly harvesting Claude artifacts and OpenAI tokens. The 21:00 Last Watch arrived to find CISA had put the federal seal on the day's npm campaign — Nx Console and TanStack went onto the Known Exploited Vulnerabilities list with a 2026-06-10 due date, and Daemon Tools Lite came along on a tighter 3-day clock. The day's narrative is now federally mandated.

Late escalation at 21:00 ET: GHSA shipped its largest single batch of the day in the same hour CISA was publishing. Yamcs — the mission-control framework used by ESA and the CCSDS reference stack — caught two RCEs in its script-algorithm engines, one of them (CVE-2026-46562, CVSS 9.8) effectively unauthenticated in the default deploy because the bundled `guest` user is `superuser=true`. Kata Containers runtime-rs disclosed a guest-root-to-host-root escape that uses raw FUSE_SYMLINK against a virtiofsd running `--sandbox none --seccomp none` to drop a payload into `/etc/cron.d`. IBM's `compliance-trestle` turns a malicious OSCAL profile into arbitrary file write via cache path traversal, FUXA SCADA leaks full server-side scripts and device configs to an unauthenticated guest, and Pimcore adds a CustomReports share-bypass. Symfony followed its First Watch triple with four more advisories from the same hardening pass — including a real SQL injection in `PdoAdapter::doClear`.

→ Operational priority for the night: if you run Nx Console on any developer workstation or TanStack packages anywhere in a CI/CD lockfile, treat the trusted-publisher chain as compromised and rotate every npm, GitHub, GitLab, AWS, and Anthropic credential that touched a build in the last week — the KEV deadline is 2026-06-10. If you run Yamcs anywhere, take the MDB Override API off the network and check you have a real `security.yaml` before morning; the default deploy is an unauthenticated RCE. If you run Kata runtime-rs with virtio-fs and treat your guests as less trusted than your host, upgrade past commit `ffa59ce3aa78` tonight.

21:00 ET · Last Watch

CISA KEV: Nx Console malicious extension publication — credential harvester served to anyone who installed the compromised version

CISA late-night KEV add for the Nx Console extension compromise: a malicious version was published to the VS Code marketplace, fetched an obfuscated second-stage payload, and harvested credentials from disk and process memory. This is the federal-mandate version of the npm wave that already headlined today's watch (mouse5212 / codexui) — same shape, different surface. Federal civilians have until 2026-06-10 to mitigate; treat anyone whose workstation pulled Nx Console in the affected window as needing a full token rotation (npm, GitHub, GitLab, AWS, Anthropic) and a credential-history audit, not just an extension reinstall.

CISA KEV: TanStack npm packages republished with credential-stealing malware under the trusted publisher identity

Companion KEV add to Nx Console: TanStack — the publisher behind TanStack Query, Router, Table, Form — had malicious versions published to npm under its trusted identity, with credential-stealing payloads embedded. TanStack is a top-tier React-ecosystem dependency; the blast radius is anything that npm-installed a TanStack package in the affected window, especially CI runners. The two KEV adds tonight (Nx + TanStack) together name the campaign that today's Socket / Aikido reporting has been triangulating around — this is no longer 'a wave of malicious npm publications', it is a CISA-named federal-priority incident. Pin TanStack versions to the last known-good in your lockfile and rotate any token that ran an install since the disclosure window opened.

Yamcs ships two RCEs in mission-control script engines — unauthenticated Nashorn (CVSS 9.8) and authenticated Jython (CVSS 9.1) — `org.yamcs:yamcs-core` < 5.12.7

Yamcs is the open-source mission-control framework used by ESA and the CCSDS reference stack — it talks to spacecraft. Two RCEs landed at the same time: `ScriptAlgorithmExecutorFactory` constructs a Nashorn `ScriptEngine` without a `ClassFilter` and feeds user-supplied algorithm text straight to `eval()`, and the Jython equivalent does the same with no sandbox. In Yamcs's default config (no `security.yaml`) the built-in `guest` user has `superuser=true`, which means CVE-2026-46562 is effectively unauthenticated. The Jython variant (CVE-2026-46621) needs the `ChangeMissionDatabase` privilege but reaches `java.lang.Runtime` directly. Upgrade to 5.12.7 immediately. If you can't upgrade in the next hour, take the MDB Override API (`/api/mdb/{instance}/realtime/algorithms/{name}`) off the network and check `security.yaml` exists with a real user model — default-deploy operators are the highest-risk population.

CISA KEV: Daemon Tools Lite ships embedded malicious code — 3-day federal due date

A different shape from the npm wave but on the same KEV batch: Daemon Tools Lite (Windows ISO/disc mounting utility) published with embedded malicious code. The 3-day federal due date (2026-05-30 vs 2026-06-10 for the npm two) signals CISA thinks the in-the-wild use is more advanced. Less relevant to most engineering shops, but if Daemon Tools Lite is on any user endpoint in your fleet, uninstall now and run an EDR sweep — don't wait for the patch.

Kata Containers runtime-rs: guest-root to host-root escape via raw FUSE_SYMLINK against virtiofsd running `--sandbox none --seccomp none`

If you run Kata Containers with the runtime-rs virtio-fs path (the QEMU and Cloud Hypervisor configurations both verified), host `virtiofsd` runs as root with `--sandbox none --seccomp none`. A root user inside the guest can send raw `FUSE_SYMLINK` requests with absolute host paths and have them honoured outside the shared directory — the PoC creates a symlink in `/etc/cron.d` and cron then runs a guest-controlled payload as host root. Classic guest-to-host escape, no kernel bug required, just a misconfigured daemon. Upgrade past commit `ffa59ce3aa78` (2026-05-19 patch on `main`) or switch to runtime-go if you can't roll out tonight. Audit `configuration-qemu-runtime-rs.toml` for the affected `shared_fs = "virtio-fs"` setting first to know your blast radius.

IBM compliance-trestle Remote Fetcher: malicious OSCAL profile → cache path traversal → arbitrary file write → RCE

IBM's `compliance-trestle` (used in regulated-industry continuous-compliance pipelines) builds its cache file path from the URL path component without sanitising `../`. A remote OSCAL profile that references a URL with traversal causes the HTTP response body to land anywhere on disk — `/etc/cron.d/`, `~/.ssh/authorized_keys`, the usual list. Anyone whose compliance pipeline pulls profiles from a registry that can be poisoned is one malicious profile away from arbitrary file write as the trestle service account. Upgrade to 3.12.2 or above the 4.0.2 patch line; in the meantime, restrict trestle to fetch only from internal mirrors and audit `cache.py` for any local fork that diverged from upstream.

FUXA SCADA: `GET /api/project` returns full server-side scripts and device configuration to an unauthenticated guest even with `secureEnabled: true`

FUXA is an open-source web-based SCADA/HMI. When no JWT is presented to `/api/project`, the server auto-issues a valid guest token, the verifier accepts it, and `getProject()` returns the full project including server-side scripts, device configurations, alarms, and tag definitions. The `_filterProjectPermission` step strips UI elements but not the sensitive configuration. Anyone on the network with `curl` gets the full SCADA project. The fix is a one-liner — actually require a real token on that endpoint — but if you have FUXA 1.3.0 exposed to anything wider than a control-network VLAN, treat it as already exfiltrated and refresh device credentials accordingly.

Pimcore CustomReports share-bypass: listing filters by share rules, detail endpoint only checks the generic `reports` permission — read any report by name

A backend user who can see the Reports module but was not granted access to `poc-secret-report` does not see it in their report list — and can still fetch it directly by name through the detail endpoint, which only checks the generic feature permission. Classic two-paths-one-resource authorization gap. Upgrade past 12.3.5; review Pimcore audit logs for report-by-name reads from users whose share lists don't contain those reports.

Pimcore WordExport ignores per-element view permission and AsyncSSH 2.22.0 expands `%u` in AuthorizedKeysFile with path-traversal usernames

Two same-shape control-plane bugs. Pimcore's `WordExport` flow checks `word_export` feature permission but not per-document view permission, so a low-priv user can export the contents of a page they're not allowed to view — useful as a data-leak primitive if you rely on Pimcore for content workflows. AsyncSSH 2.22.0 expands `AuthorizedKeysFile authorized_keys/%u` with the raw SSH username during pre-auth config reload, so a connecting client supplying a username like `../foo` causes the server to read an authorized-keys file outside the intended directory — if the attacker can land their key anywhere on disk (writable upload, world-readable home dir, etc.) they authenticate as `../foo`. Pin AsyncSSH to a known-good and audit any deployment that uses `%u` in an `AuthorizedKeysFile` pattern.

Symfony continuation: SQL injection in `PdoAdapter::doClear`, HEAD bypasses `methods: ['GET']` on `#[IsGranted]`, CAS handler trusts Host header for service URL, Mime parameter-name CRLF header injection

Four more Symfony advisories pile on top of the First Watch's `server:log`/X509/Mime triple, all from the same hardening pass. The pick of the litter is `PdoAdapter::doClear($prefix)` building `DELETE … WHERE id LIKE '{prefix}%'` by string concatenation — anyone whose application accepts an external prefix into the cache adapter has a real SQL injection on the cache table. The HEAD-bypasses-`methods: ['GET']` issue is the kind of attribute-API surprise that's easy to miss in review (the Symfony router serves HEAD via the GET handler, so `#[IsGranted('ROLE_ADMIN', methods: ['GET'])]` silently skipped the check for HEAD). `Cas2Handler` derives the CAS `service` URL from `Request::getSchemeAndHttpHost()`, allowing cross-service ticket replay if `framework.trusted_hosts` isn't set. Mime parameter names weren't validated, giving the classic CRLF header injection primitive in `Content-Disposition` parameter names. Same upgrade target as the First Watch triple — 5.4.52 / 6.4.40 / 7.4.12 / 8.0.12. If you upgraded earlier today for the `server:log` deserialization issue you're already done; double-check that the cache adapter and HTTP-kernel components went too. Three of the four credit `Claude Mythos Preview (via Project Glasswing)`.

18:00 ET · First Watch

Malicious npm `mouse5212-super-formatter` exfiltrates files from Claude AI's `/mnt/user-data` directory to GitHub

First confirmed npm package purpose-built to target Anthropic's working directory: `mouse5212-super-formatter` reads `/mnt/user-data` — the dedicated path Claude products use for uploads and outputs — and pushes whatever it finds out via a GitHub repository acting as the dropper and exfil channel. The blast radius is anyone running Claude Code, Cowork mode, or any first-party Anthropic developer surface that exposes that directory while running `npm install` against an untrusted manifest. The TTP rhymes precisely with the Laravel-Lang + GitHub-Releases campaigns from earlier this week — GitHub as both dropper and C2 — so treat this as a continuation of that family, not a one-off. Audit dev machines and CI for the package name; if it's present anywhere, treat any files in the Claude working directories on that host as exfiltrated.

`codexui-android` npm package quietly exfiltrating OpenAI auth tokens for a month before detection

Polished Codex remote-UI npm package, active development, thousands of weekly downloads — sustained exfiltration of OpenAI auth tokens for over a month before Aikido flagged it. This is the worst-case shape for package poisoning: looks legitimate, has real users, has been live long enough that anyone who pulled it during May should assume their OpenAI keys are compromised. Anyone who has used `codexui-android` in any environment needs to rotate OpenAI API keys tonight and audit recent API usage logs for unauthorized calls. Pair with the `mouse5212` Claude finding above: AI dev tooling now has its own targeted package-poisoning subgenre.
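An added example (not code from Socket, Aikido, or any project named here) for the "audit dev machines and CI for the package name" step in the two items above: it walks a `package-lock.json` in either layout, reports every install of the two package names given on this page, and lists `@tanstack/*` entries for manual version review because the page gives no affected versions. The sample lockfile, the package names `demo-app`, `pretty-helper` and `left-alone`, and all version strings are constructed.

```javascript
// Added example: audit an npm lockfile for names flagged on this page.
// Exact names come from the page; @tanstack/* entries are only listed for
// manual review because no affected versions are given.
const WATCHLIST = {
  exact: ["mouse5212-super-formatter", "codexui-android"],
  scopes: ["@tanstack/"],
};

// Constructed sample lockfile (lockfileVersion 3). Project and helper package
// names and every version string are made up for this example.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@tanstack/query-core": "*", "pretty-helper": "*" } },
    "node_modules/@tanstack/query-core": { version: "0.0.0-sample" },
    "node_modules/pretty-helper": {
      version: "0.0.0-sample",
      dependencies: { "mouse5212-super-formatter": "*" },
    },
    "node_modules/pretty-helper/node_modules/mouse5212-super-formatter": { version: "0.0.0-sample" },
    "node_modules/left-alone": { version: "0.0.0-sample" },
  },
});

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Flatten both lockfile layouts into { name, version, path, declared[] } records.
function collectEntries(lock) {
  const entries = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const name = meta.name || nameFromPath(path);
      if (!name) continue; // workspace link target without a package name
      entries.push({ name, version: meta.version || null, path,
        declared: Object.keys({ ...meta.dependencies, ...meta.optionalDependencies }) });
    }
  } else {
    // lockfileVersion 1: nested "dependencies" trees, declared deps in "requires".
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = prefix + "node_modules/" + name;
        entries.push({ name, version: meta.version || null, path,
          declared: Object.keys(meta.requires || {}) });
        walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return entries;
}

// Returns one finding per installed copy, including which packages pull it in.
function auditLockfile(lockText, watchlist = WATCHLIST) {
  const lock = JSON.parse(lockText);
  const entries = collectEntries(lock);
  const root = lock.packages ? lock.packages[""] || {} : null;
  const direct = root
    ? new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }))
    : null; // a v1 lockfile does not record what the root project declared
  const findings = [];
  for (const entry of entries) {
    const exact = watchlist.exact.includes(entry.name);
    const scoped = watchlist.scopes.some((scope) => entry.name.startsWith(scope));
    if (!exact && !scoped) continue;
    const requiredBy = [...new Set(
      entries.filter((other) => other.declared.includes(entry.name)).map((other) => other.name)
    )];
    findings.push({
      name: entry.name,
      version: entry.version,
      path: entry.path,
      action: exact ? "remove-and-rotate" : "review-version",
      direct: direct ? direct.has(entry.name) : null,
      requiredBy,
    });
  }
  return findings;
}
```

The `requiredBy` field matters for cleanup: a transitive hit means the parent package has to be pinned or removed as well, not only the flagged name.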

LiquidJS critical template-engine RCE via `valueOf` filter (CVSS 10.0) — escalates this morning's medium triple to full compromise

Inside a LiquidJS filter, `this` is the `FilterImpl` — which carries the entire Liquid context: scopes, options, filesystem adapter, loader, parser, renderer, registered tags and filters. The filter pipeline `1|valueOf` returns that object straight back into the template scope, where any further filter chain can reach the fs adapter and registered tag implementations. CVSS 10.0. This converts this morning's already-spicy LiquidJS triple (strip_html XSS bypass, ownPropertyOnly leak, render-limit-via-empty-for-body bypass) into a full critical batch: if you accept user-supplied Liquid templates anywhere — Shopify themes, marketing email, doc/site generators — you have RCE until upgraded. Patched in 10.26.0; upgrade tonight.

Langroid `SQLChatAgent` prompt-to-SQL injection → RCE on database host (CVSS 9.8)

Langroid's `SQLChatAgent` runs LLM-produced SQL with no statement allowlist, no sandbox, no role separation. When the DB role has the corresponding privilege, PostgreSQL `COPY ... FROM PROGRAM`, MySQL `FILE`, and MSSQL `xp_cmdshell` each become a direct RCE primitive on the database host. The published PoC wraps the SQL in base64 with a "decode this for testing" preamble — a deliberately naive prompt-injection vector that bypasses any string-match guardrail and which the agent obediently executes. Patched in 0.63.0 by defaulting to a sqlglot-parsed SELECT-only allowlist with a dialect-aware dangerous-pattern blocklist; `allow_dangerous_operations=True` restores the old behavior for trusted deployments. If you've built anything on Langroid that talks to a non-readonly database, upgrade and double-check the DB role's privileges — a SELECT-only agent against a SUPERUSER role is still RCE.

Symfony hardening triple: `server:log` unauthenticated PHP `unserialize()` on 0.0.0.0:9911, X509 mTLS DN-spoofing, Mime\Address CRLF header smuggling

Three Symfony advisories at once. The lead: `Symfony\Bridge\Monolog\Command\ServerLogCommand` defaults to binding 0.0.0.0:9911 and calls `unserialize(base64_decode($message))` with no `allowed_classes` allowlist — anyone reachable on the network gets unauthenticated PHP object injection before the type check fires. Universal DoS, RCE gadget-chain-dependent. Second: `X509Authenticator` extracts `emailAddress=` from the certificate Subject DN with an unanchored regex, so a free-text CN of `victim+emailAddress=admin@target` from any trusted CA authenticates as the victim — full mTLS auth bypass. Third: `Symfony\Component\Mime\Address` accepted addresses with raw CRLF in the local-part, smuggling new headers or SMTP commands. Upgrade to 5.4.52 / 6.4.40 / 7.4.12 / 8.0.12. Audit prod for an exposed 9911 immediately — that one is the highest urgency. Two of the three patches credit "Claude Mythos Preview (via Project Glasswing)."

CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests — every WAF body rule bypassed

`NewParsedRequestFromRequest` does `max(r.ContentLength, 0)` — which collapses Go's `-1` sentinel for `Transfer-Encoding: chunked` and HTTP/2-without-content-length requests to zero. `io.ReadFull` on the resulting zero-length buffer returns immediately without touching the body, and every downstream Coraza rule targeting `REQUEST_BODY` / `BODY_ARGS` / `JSON` / `XML` / `ARGS_POST` runs against an empty buffer and silently fails to match. Bypassed requests are forwarded as `allow` with no WAF log entry. Every body-scanning rule you depend on is off for any client that switches to chunked encoding. No configuration option mitigates the issue. Upgrade past 1.7.7 when the patch lands; until then add an nginx-level rule to either de-chunk or reject chunked traffic to the AppSec backend.

Deno TLS retry copies stale upgrade hook on `autoSelectFamily` fallback — application data sent in plaintext

When `autoSelectFamily` is enabled (the Node-compat default) and the first address-family attempt fails, the socket reinitialization path reuses the TLS upgrade hook bound to the original failed handle. The replacement TCP connection is never upgraded to TLS, but the application has no signal of that, and anything written before the `secureConnect` event goes over the wire in cleartext — `Authorization: Bearer ...`, request bodies, the lot. An on-path attacker who can drop the first SYN (drop IPv6 on a dual-stack host, manipulate DNS) deterministically triggers the fallback. Patched in Deno 2.7.8. The class of bug rhymes with the Node.js autoSelectFamily issue from earlier this year; assume any TLS + autoSelectFamily code path on either runtime needs an explicit test for early-write plaintext.

Pimcore expansion: unauthenticated WebDAV `MOVE` deletes assets + six unrestricted `unserialize()` sinks (gadget-chain RCE if any data source is writable)

Today's Pimcore SQL-injection batch grew into a cluster. The WebDAV controller forgets to attach an authentication plugin, so `MOVE /asset/webdav{path}` reaches `Tree::move()` which deletes the source asset before resolving the current user — unauthenticated attacker who can guess two existing asset paths in the same directory can wipe content. Separately, six core paths (Authentication session token, Site DAO, CustomLayout DAO, TmpStore DAO, WebDAV delete log, Dashboard helper) call `unserialize()` without `allowed_classes`. Pimcore's dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides plenty of gadget chains, so any one of today's SQL injections — or a file write into the WebDAV delete log — chains to PHP object-injection RCE. Combined with today's earlier SQL injections, Pimcore is now the most dangerous PHP cluster of the day. Patch order: SQL injections → WebDAV MOVE → unserialize wrappers.

Automad `/_api/user-collection/create-first-user` returns every admin bcrypt hash + TOTP secret to unauthenticated requests

The "first user" setup endpoint stays publicly reachable after initial config and returns full serialized user data — bcrypt hashes for every admin (the salt is in the hash, so offline brute force is trivial against any weak password), the TOTP secret on beta.27, and the absolute filesystem path of the config directory. Any reachable Automad install is exposed, no prior account or network position required. Upgrade to 2.0.0-beta.28. If an Automad instance has ever been publicly reachable, rotate every admin password and TOTP seed tonight — the hashes were potentially harvested before the disclosure dropped.

Kirby CMS — `javascript:` URI XSS in `(link:)` KirbyTag, `(image: link:)` parameter, image block, and `Html::a/link`

Fifth Kirby disclosure in this batch (after today's path traversal + arbitrary REST method + stored XSS, plus yesterday's pages.access bypass). Four first-party renderers don't filter the `javascript:` URI scheme out of `<a href>` output: the `(link:)` KirbyTag, the `link:` parameter of `(image:)`, the built-in image block link, and the `Html::a()` / `Html::link()` helpers when called with user input. Any Panel editor with update access to a `textarea` or `blocks` field can plant `(link: javascript:fetch('/api/...'))` and pivot to full Panel session XSS against any admin who clicks. Panel itself is unaffected — attack surface is the site frontend. If you upgraded Kirby this morning for the path traversal you're already covered; if not, this is the fifth reason to roll forward tonight.

LiquidJS additional DoS sinks: `strip_html` quadratic ReDoS + `date` filter (`%5000000d`) unbounded pad bypassing `renderLimit`

Two more LiquidJS DoS sinks landed alongside today's critical `valueOf` RCE. The `strip_html` regex `<script[\s\S]*?<\/script>|<style[\s\S]*?<\/style>|<.*?>|<!--[\s\S]*?-->` does O(N²) backtracking on `'<script'.repeat(N)` — a single ~350 KB request stalls the event loop ~10 seconds. Separately, the strftime `date` filter parses width specifiers like `%5000000d` and forwards them to `padStart()` with no `memoryLimit` / `renderLimit` consultation, producing megabytes of output and unbounded CPU from a tiny template. Both bypass the controls documented as DoS mitigations. Patched together in 10.26.0 with the critical RCE — one upgrade covers the full batch.

12:00 ET · Forenoon Watch

CISA KEV: LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172)

LiteSpeed's cPanel plugin exposes a privilege escalation that lets any cPanel user account execute arbitrary scripts as root via the user-facing plugin interface. CISA added this to the KEV catalog yesterday with a three-day remediation deadline of 2026-05-29 — that's tomorrow. Apply the vendor patch from May 21 (https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/); if you can't patch tonight, review cPanel audit logs for unexpected shell invocations since May 21.

Yamcs RCE via Janino Expression Engine (GHSA-524g-x36v-9wm6, CVE pending, CVSS 9.1)

Yamcs mission-control software (yamcs-core < 5.12.7) allows authenticated users with the ChangeMissionDatabase privilege to achieve RCE by injecting arbitrary Java code into algorithm definitions that are dynamically compiled via the Janino expression engine — no sandbox enforced. CVSS 9.1. Yamcs is used in spacecraft and satellite ground systems; the privilege requirement narrows the attack surface to insiders and compromised operator accounts, but that's still the highest-risk threat model for mission-critical infrastructure. Upgrade to 5.12.7; audit who holds ChangeMissionDatabase in your deployment.

XWiki dual critical: unauthenticated XAR import + pre-auth config file read (GHSA-qrvh-r3f2-9h4r, GHSA-xq3r-2qv5-vqqm)

XWiki Platform shipped two critical advisories today. First: POST /wikis/{wikiName} performs XAR package import with no authentication or authorization checks — an unauthenticated attacker can create or overwrite wiki documents, and XAR packages that include Groovy/Velocity macros represent unauthenticated code execution. Second: the ssx/jsx static resource endpoints accept a resource parameter with a leading slash that enables path traversal, allowing unauthenticated read of WEB-INF/xwiki.cfg (database credentials, encryption keys). Both vulnerabilities are patched in 16.10.17, 17.4.9, 17.10.3, and 18.0.1. If you can't patch now, add a proxy rule to block POST to /wikis/ and restrict access to the ssx/jsx endpoints.

Glassworm developer supply chain botnet disrupted by CrowdStrike, Google, and Shadowserver

CrowdStrike, Google, and the Shadowserver Foundation jointly disrupted Glassworm — a developer-targeting supply chain botnet active since at least early 2025 that delivered malicious packages and IDE extensions. Its C2 used Solana blockchain transactions and BitTorrent DHT to survive traditional domain-based takedowns. Infrastructure is now down, but packages seeded over 16+ months may still be present in registries, developer environments, and CI caches. Run a dependency audit against known Glassworm package IOCs (CrowdStrike blog pending); pay particular attention to packages installed between Q1 2025 and today.

FUXA industrial SCADA: three pre-auth RCE/disclosure vulnerabilities (GHSA-rg3m-cfq7-g6h6, GHSA-fwcm-rqvw-j3p7, GHSA-p69w-mmfv-xrfj)

FUXA (open-source SCADA/HMI, v1.3.0) received three advisories covering the same attack surface: unauthenticated RCE via test-mode auth bypass on /api/runscript, unauthenticated tag value disclosure via /api/getTagValue, and a pre-auth RCE chain via path confusion in the authentication middleware that achieves root execution even with Secure Mode enabled. Three pre-auth routes to code execution in SCADA software is a cluster worth treating as a single campaign until proven otherwise. FUXA is frequently internet-exposed in maker/small-OT deployments. Place it behind a VPN or firewall immediately; patch to 1.3.1 when released.

Kirby CMS 5.3.0–5.4.0: pre-auth path traversal + PHP inclusion, arbitrary REST method call, stored XSS (GHSA-9hx7-c53c-v6x8, GHSA-86rh-h242-j8xp, GHSA-5fhx-9q32-q257)

Kirby CMS 5.3.0–5.4.0 received three advisories today: pre-authentication path traversal with PHP file inclusion during user lookup (affects all sites on those versions, no config conditions required), arbitrary method invocation via REST API search and collection query parsing, and stored XSS via list field content in the panel. The path traversal is the lead — the advisory says all Kirby sites on 5.3.0–5.4.0 are affected regardless of setup. Upgrade to 5.4.1.

yeoman-environment installs npm packages without user confirmation (GHSA-vv9j-gjw2-j8wp, CVSS 8.6)

yeoman-environment 2.9.0–6.0.0 installs missing local generator packages from caller-supplied names via installLocalGenerators() without user confirmation. In CI pipelines or monorepos where project configuration is partially user-controlled, this becomes a vector for arbitrary npm package installation during scaffolding. Supply-chain relevant: an attacker who can influence the generator name in shared config can route arbitrary code into developer environments. Upgrade to 6.0.1; audit any CI jobs invoking yeoman generators with external config input.

tmp npm package path traversal via unsanitized prefix/postfix (GHSA-ph9p-34f9-6g65)

The `tmp` npm package (widely used for temporary file/directory creation) allows path traversal via unsanitized prefix or postfix parameters, enabling directory escape from the intended temp location. Exploitability depends on whether callers pass user-controlled input into tmp's prefix/postfix — library code typically doesn't, but CLI tools and test harnesses sometimes do. GHSA rates this high; in most deployments the realistic blast radius is medium. Review any code that passes dynamic values to tmp options.

Fedify LD-Signature bypass via JSON-LD named-graph restructuring (GHSA-9rfg-v8g9-9367, CVSS 7.0)

Fedify (ActivityPub framework for TypeScript/JavaScript) allows LD-Signature verification to be bypassed by restructuring a signed JSON-LD document into a named graph — the signature covers the original document shape but validation passes on the restructured form. Relevant to fediverse deployments using Fedify for ActivityPub federation. CVSS 7.0. Upgrade to the patched version; if you use Fedify for inter-instance trust decisions, treat incoming activities as untrusted until you've confirmed your version.

06:00 ET · Morning Watch

Kata Containers — virtiofsd argument injection via default-enabled pod annotations gives full host filesystem read/write

Kata's default configuration enables the `io.katacontainers.config.hypervisor.virtio_fs_extra_args` annotation, which lets any pod creator inject arguments into the virtiofsd process — `-o source=/ --no-announce-submounts --sandbox=none` re-points the shared directory at the host root. Combined with the also-default `kernel_params` annotation to enable the agent debug console, an attacker who can create a pod gets host /etc/shadow read and write. GHSA tagged it medium, but on multi-tenant clusters where namespace tenants can set pod annotations this is a VM escape with no exploit chain required — treat it as high. Set `enable_annotations = []` (or an explicit allowlist that excludes the virtiofs and kernel_params keys) in `configuration.toml` and roll the node pools.

@hapi/content — duplicate-parameter smuggling in Content-Disposition/Content-Type enables upload-filter bypass

The two parsers resolve duplicate parameters opposite ways: `Content.disposition()` keeps the last, `Content.type()` keeps the first. Any upstream component (WAF, reverse proxy, alternate parser) that resolves the other way creates a smuggling primitive — the canonical payload is `Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"` to bypass extension allowlists. Patched in 6.0.2. The shape rhymes with the recent Express/multer disclosures: every layer in the upload chain has to resolve duplicate parameters the same way or you have a bypass. Upgrade, and if you have a homegrown allowlist filter in front of @hapi/content, grep it for `header.split` and confirm it normalises duplicates before the framework sees them.
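An added example (not @hapi/content code) of the normalisation check described above: a quote-aware parameter parser that reports how first-wins and last-wins resolution disagree and rejects any header with a repeated parameter before an extension allowlist is applied. Function names and the allowlist are assumptions; the first test header is the payload quoted in this item.

```javascript
// Added example: detect duplicate-parameter ambiguity in a Content-Disposition value.
// Takes the header value only (the text after "Content-Disposition:").

// Split on ";" but never inside a quoted-string, which a plain header.split(";") gets wrong.
function splitOutsideQuotes(header) {
  const parts = [];
  let cur = "";
  let inQuotes = false;
  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    if (inQuotes && ch === "\\" && i + 1 < header.length) {
      cur += ch + header[++i]; // keep the escaped pair intact
      continue;
    }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ";" && !inQuotes) {
      parts.push(cur);
      cur = "";
      continue;
    }
    cur += ch;
  }
  if (inQuotes) throw new Error("unterminated quoted-string");
  parts.push(cur);
  return parts;
}

function unquote(value) {
  if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
    return value.slice(1, -1).replace(/\\(.)/g, "$1");
  }
  return value;
}

// Returns the disposition type and an ordered list of [name, value] pairs, duplicates kept.
function parseParams(header) {
  const [first, ...rest] = splitOutsideQuotes(header);
  const params = [];
  for (const segment of rest) {
    const s = segment.trim();
    if (s === "") continue;
    const eq = s.indexOf("=");
    if (eq <= 0) throw new Error("malformed parameter: " + s);
    params.push([s.slice(0, eq).trim().toLowerCase(), unquote(s.slice(eq + 1).trim())]);
  }
  return { value: first.trim().toLowerCase(), params };
}

function resolve(params, policy) {
  const out = Object.create(null); // no prototype keys such as "constructor"
  for (const [name, value] of params) {
    if (policy === "first" && name in out) continue;
    out[name] = value;
  }
  return out;
}

// Shows what a first-wins layer and a last-wins layer would each see.
function inspectDisposition(header) {
  const { value, params } = parseParams(header);
  const names = params.map(([name]) => name);
  const duplicates = [...new Set(names.filter((name, i) => names.indexOf(name) !== i))];
  const firstWins = resolve(params, "first");
  const lastWins = resolve(params, "last");
  return {
    value,
    duplicates,
    firstWins,
    lastWins,
    ambiguous: duplicates.some((name) => firstWins[name] !== lastWins[name]),
  };
}

// Upload gate: refuse duplicates outright, then apply the extension allowlist.
function checkUpload(header, allowedExtensions) {
  const report = inspectDisposition(header);
  if (report.duplicates.length > 0) {
    return { ok: false, reason: "duplicate parameter: " + report.duplicates.join(",") };
  }
  const filename = report.lastWins.filename || "";
  const dot = filename.lastIndexOf(".");
  const ext = dot === -1 ? "" : filename.slice(dot).toLowerCase();
  if (!allowedExtensions.includes(ext)) {
    return { ok: false, reason: "extension not allowed: " + ext };
  }
  return { ok: true, filename };
}
```

Rejecting on any duplicate, rather than picking a winner, is what keeps the filter's answer independent of how the framework behind it resolves the header.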

Pimcore — two SQL injections in admin-classic-bundle (translation grid date filter + custom reports column config)

Two distinct SQL injections in the Pimcore admin UI dropped together. The translation-grid one (GHSA-h4ph) takes the user-supplied `property` field from filter JSON straight into a `UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...)))` expression with no allowlist. The custom-reports one (GHSA-3234) lets anyone with the `reports_config` permission supply SQL that is concatenated into the executed query — the keyword denylist blocks UPDATE/DELETE/DROP but happily allows UNION SELECT, and the endpoint helpfully returns DB error messages, making error-based exfiltration trivial. Both require an authenticated admin-area session, so blast radius is internal users / compromised editor accounts, not unauth — but the reports one only needs the relatively common `reports_config` permission. Upgrade pimcore/admin-ui-classic-bundle, and audit which roles actually need `reports_config` while you're in there.

LiquidJS triple — `strip_html` newline-bypass XSS, `{% render %}` ownPropertyOnly leak, `{% for %}` empty-body DoS (now part of today's critical LiquidJS batch)

Three medium findings against LiquidJS in one batch, and the first one matters operationally: `strip_html`'s catch-all regex `<.*?>` does not match across line terminators, so `<img\nsrc=x\nonerror=alert(1)>` passes through unchanged into the rendered HTML. Anyone using `strip_html` as a sanitizer (and many do — it's documented that way) has stored or reflected XSS. The other two are narrower: `Context.spawn()` re-derives `ownPropertyOnly` from the instance option instead of propagating the per-render override, so a per-call lockdown leaks prototype properties inside `{% render %}` partials; and `renderLimit` is bypassable with an empty `{% for %}` body — the per-iteration time check is only consulted when the body has at least one template node, observed wedging an event-loop thread for 2.26 s under a 50 ms limit. Upgrade LiquidJS. If you use `strip_html` anywhere user-controlled, swap to DOMPurify (or escape) until you have the patched version in production. Update from First Watch: these three were rolled into today's critical LiquidJS RCE batch — see the GHSA-gf2q + GHSA-r7g9 + GHSA-hh27 entries above.
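An added example (not LiquidJS source) for the `strip_html` newline bypass described above, using the regex quoted in the First Watch DoS item: it runs that pattern and a plain escaping function over the same samples and reports which outputs still contain tag-like markup. The `g` flag, the function names, and the third sample are assumptions made for this example.

```javascript
// Added example. STRIP_HTML_QUOTED is the pattern quoted on this page; the "g"
// flag and the function names are assumptions, not LiquidJS source.
const STRIP_HTML_QUOTED =
  /<script[\s\S]*?<\/script>|<style[\s\S]*?<\/style>|<.*?>|<!--[\s\S]*?-->/g;

// Tag stripping as the quoted pattern does it: "." stops at line terminators,
// so the catch-all branch never matches a tag that spans lines.
function stripHtmlQuoted(input) {
  return String(input).replace(STRIP_HTML_QUOTED, "");
}

// Escaping keeps the text but makes every "<" inert, regardless of line breaks.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

const SAMPLES = [
  { label: "single-line tag", input: "<b>bold</b>" },
  { label: "payload from the advisory text", input: "<img\nsrc=x\nonerror=alert(1)>" },
  { label: "multi-line anchor (constructed)", input: '<a\nhref="/x">link</a>' },
];

// Regression check for any sanitizer: which samples still carry a "<" that
// starts a tag, closing tag, or comment after sanitizing?
function findSurvivingMarkup(sanitize, samples = SAMPLES) {
  const looksLikeTag = /<[A-Za-z\/!]/;
  return samples
    .map(({ label, input }) => ({ label, output: sanitize(input) }))
    .filter(({ output }) => looksLikeTag.test(output));
}
```

Running `findSurvivingMarkup` against whatever sanitizer is deployed, before and after the upgrade, gives a quick confirmation that the patched version is the one actually in production.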

Yamcs — auth-module hardening triple: LDAP injection, no /auth/token rate limit, IAM user enumeration

Three follow-ups to yesterday's critical Yamcs RCE (GHSA-524g, Janino-engine code injection). The LDAP one (GHSA-cqh3) is the spiciest — `LdapAuthModule` does no RFC 4515 escaping when interpolating the username into the search filter, so `username=*` plus a known valid password authenticates as the first user the LDAP search returns. Horizontal privilege escalation if any operator account has been compromised. The other two are a missing rate limit on `POST /auth/token` (unlimited brute force, no lockout, no CAPTCHA) and missing `SystemPrivilege.ControlAccess` checks on `listUsers`/`getUser`/`listGroups`/`getGroup` — any authenticated user can enumerate the full IAM directory. Together they make Yamcs the cleanest example this week of "once you have a foothold, the auth module hands you the rest of the box." Patch in order: LDAP injection first, then the token endpoint, then the IAM checks. If you're running Yamcs in a satellite-ops context (which is where it usually lives), this whole batch is operational priority.

@hapi/wreck — Proxy-Authorization header leaks across cross-hostname redirects

Companion finding to the @hapi/content disclosure: on a 3xx redirect to a different host, wreck strips `Authorization` and `Cookie` but forwards `Proxy-Authorization` intact. Forward-proxy credentials leak to whatever host the redirect points at. Mitigated by the fact that redirect-following is opt-in (`redirects` defaults to false), so the affected set is callers that explicitly set `Wreck.defaults({ redirects: N })`. Patched in 18.1.1. Treat this and GHSA-36hh-x5p5-jgc8 as a coordinated @hapi hardening batch and bump both together.
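
A redirect header filter showing the two-header strip list described above beside a list that also drops `Proxy-Authorization`, usable as a check on your own redirect handling. This is an added example, not @hapi/wreck source: the function names, hosts and credential values are hypothetical placeholders.

```javascript
// Added illustration; not @hapi/wreck source. Names are hypothetical.

// Behaviour the advisory describes: two credential headers dropped.
const STRIPPED_BEFORE = ['authorization', 'cookie'];
// Hardened set: proxy credentials are dropped as well.
const STRIPPED_AFTER = ['authorization', 'cookie', 'proxy-authorization'];

function headersForRedirect(fromUrl, location, headers, stripList) {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // Location may be relative
  if (to.hostname === from.hostname) {
    return { ...headers }; // same host: nothing to strip
  }
  const drop = new Set(stripList);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive, so compare lower-cased.
    if (!drop.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Audit helper: which credential-bearing headers would reach the new host?
function leakedCredentials(fromUrl, location, headers, stripList) {
  const sent = headersForRedirect(fromUrl, location, headers, stripList);
  return Object.keys(sent)
    .map((name) => name.toLowerCase())
    .filter((name) => STRIPPED_AFTER.includes(name));
}

// Constructed request: hosts and credential values are placeholders.
const REQUEST_HEADERS = {
  Authorization: 'Bearer EXAMPLE',
  Cookie: 'sid=EXAMPLE',
  'Proxy-Authorization': 'Basic EXAMPLE',
  Accept: 'application/json',
};

const FROM = 'https://api.example.test/a';
const CROSS = 'https://other.example.test/b';
console.log('before:', leakedCredentials(FROM, CROSS, REQUEST_HEADERS, STRIPPED_BEFORE));
console.log('after: ', leakedCredentials(FROM, CROSS, REQUEST_HEADERS, STRIPPED_AFTER));
```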

CarrierWave — content_type_denylist regex metacharacters not escaped, denylist silently doesn't match

String entries in `content_type_denylist` are interpolated straight into a regex without `Regexp.quote` or anchors. A denylist entry like `application/x-msdownload` matches the right string, but anything containing a regex metacharacter (`+`, `.`, `(`) silently fails to match the literal content type the developer intended to block. The advisory points out that `content_type_denylist` is officially deprecated, but it's still widely used, and "the denylist appears configured but is functionally empty" is the worst-case shape for a security control. Switch to `content_type_allowlist`, or audit your denylist entries for unescaped metacharacters and wrap them in `Regexp.escape`.
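
One way to run the audit suggested above, as an added example that is not CarrierWave code. It is written in JavaScript, whose regex engine treats `+` and `.` the same way Ruby's does; the denylist entries are constructed samples and the function names are hypothetical. It also flags entries that still match their literal but are read as a broader pattern.

```javascript
// Added illustration; not CarrierWave code. Entries are constructed samples.

const METACHARS = /[.*+?^${}()|[\]\\]/g;

function escapeRegex(entry) {
  return entry.replace(METACHARS, '\\$&');
}

// Classify one denylist string as it behaves when interpolated into an
// unanchored regex without escaping.
function auditEntry(entry) {
  const fix = escapeRegex(entry);
  let pattern;
  try {
    pattern = new RegExp(entry);
  } catch (err) {
    return { entry, status: 'invalid-pattern', fix };
  }
  if (!pattern.test(entry)) {
    return { entry, status: 'misses-literal', fix }; // configured, never matches
  }
  if (fix !== entry) {
    return { entry, status: 'overbroad', fix }; // matches, but as a pattern
  }
  return { entry, status: 'ok', fix };
}

// Exact-match deny check: every entry escaped and anchored at both ends.
function isDenied(contentType, denylist) {
  return denylist.some((e) => new RegExp(`^${escapeRegex(e)}$`).test(contentType));
}

const DENYLIST = [
  'application/x-msdownload',
  'image/svg+xml',
  'application/vnd.ms-excel',
];

function auditAll() {
  return DENYLIST.map(auditEntry);
}

console.log(auditAll());
```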

Kirby CMS — `pages.access` permission not enforced when rendering page drafts (follow-up to yesterday's Kirby triple)

Fourth Kirby disclosure in the current batch (after yesterday's path traversal + XSS + arbitrary-method triple). Sites that disable `pages.access` for a role to keep them out of the page tree still allow authenticated users of that role to render page drafts directly. Affects sites only if you intentionally lock down `pages.access`; write actions are unaffected. Patched alongside the rest of the Kirby batch — if you upgraded yesterday for the path traversal, you already have this fix.

netty-incubator-codec-ohttp — HPKE export/HKDF can silently return all-zero key material on failure

Classic crypto-failure-handling bug: `HKDF_expand` and `EVP_HPKE_CTX_export` return an all-zero byte array on failure rather than NULL or an exception, and the output feeds straight into `OHttpCrypto.createResponseAEAD`. A silent failure produces a deterministic, attacker-predictable AEAD key. The incubator-package qualifier limits the affected set, but if you're running OHTTP in production using this codec, treat the key material derivation as untrusted until the patched version is in. The right shape for any code that builds on top: check return values, prefer fail-closed over zero-fill.

Morning shape: KEV catalog steady, RSS feeds quiet — disclosure pipeline carrying the morning

No new CISA KEV additions in the last 24 hours (the most recent add remains 2026-05-26 LiteSpeed cPanel, already on yesterday's watch). Socket, Phylum, Bleeping Computer, and The Hacker News produced nothing matching the supply-chain keyword set in the watch window. Aikido republished yesterday's developer-machines-as-attack-surface essay — already triaged. The morning's signal is therefore entirely disclosure-side: a coordinated @hapi hardening batch, a Kata Containers VM escape that GHSA undersold, a Yamcs auth-module sweep that turns yesterday's RCE into a full compromise primitive, and a LiquidJS strip_html XSS that breaks a widely-misused sanitiser. Forenoon and First Watch will tell us whether anything active landed during US business hours.