v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Wednesday · 24 June 2026 End-of-day synthesis 4 watches · 18 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Three CVSS-10 RCEs opened the day; a chainable pair of pre-auth OpenAM criticals closed it, making the identity stack the story two days running.

The morning opened on three independent CVSS-10 remote-code-execution bugs — a path-traversal-to-hook-overwrite in the Gogs Git server (CVE-2026-52813), anonymous NoSQL operator injection in published Budibase apps (CVE-2026-54350), and a default-unauthenticated LFI-to-RCE chain in internet-exposed motionEye camera boxes. Any one of them would headline a normal day.

By the First Watch the throughline had moved to identity. OpenAM ≤16.0.6 took a third advisory cluster in a single day: morning session-token theft via CDCServlet, then an afternoon pair that reads as one chain — an anonymous Liberty SOAP endpoint writes attacker-controlled data into any user's profile under the internal admin token (CVE-2026-45052), feeding a WebAuthn module that deserializes that same storage attribute into pre-auth code execution (CVE-2026-45051). It is the same Open Identity Platform stack that anchored yesterday's watch, so the auth tier under every federated relying party is the day's soft underbelly two days running. A quieter second motif ran through the GHSA batch — incomplete fixes that never moved the sink, in AVideo, OctoPrint, phpMyFAQ, and a jackson-databind PolymorphicTypeValidator bypass. The bright spot is that the entire OpenAM cluster collapses to a single 16.1.1 upgrade.

→ Operational priority for the night upgrade OpenAM to 16.1.1 — one bump closes the session-hijack, profile-write, and WebAuthn-RCE issues together — and confirm no user-writable LDAP attribute backs the WebAuthn storage field before trusting the patch; behind that, upgrade Gogs and pull motionEye and public Budibase apps off the internet.

18:00 ET · First Watch

OpenAM: pre-auth RCE via Java deserialization in WebAuthn authenticator storage (≤16.0.6)

OpenAM's WebAuthn module deserializes its authenticator-storage attribute with no type guard (CWE-502), so once that attribute is attacker-writable the WebAuthn flow instantiates a Java gadget and runs code as the application-server user — RCE on the identity provider (CVE-2026-45051, ≤16.0.6, fixed 16.1.1). The storage attribute is a free-form admin setting the product never warns must be server-managed, and the companion advisory below supplies exactly the anonymous-write primitive needed to make it attacker-controlled — read the two as a chain. This is the same Open Identity Platform stack that anchored yesterday's watch; upgrade to 16.1.1 and confirm no user-writable attribute backs the WebAuthn userAttribute.

OpenAM: anonymous Liberty SOAP endpoint writes any user's profile under the internal admin token (≤16.0.6)

OpenAM's Liberty ID-WSF SOAP receiver lets an unauthenticated attacker write persistent entries into any user's Liberty Discovery store and a shared root-realm branch, with the writes performed server-side under the internal admin token — bypassing the requester's LDAP and identity ACLs (CVE-2026-45052, CWE-285, ≤16.0.6, fixed 16.1.1). Liberty is a legacy protocol but is exposed in the shipped defaults, and an anonymous write into admin-privileged storage is the kind of primitive that feeds the WebAuthn deserialization RCE above. Patch to 16.1.1; if you can't, disable the Liberty Web Services endpoints — nothing modern consumes them.

OliveTin: shared text/template race contaminates shell commands across requests (CVSS 7.5)

OliveTin parses and executes its shell-command templates on a single package-level `text/template` instance shared across every request goroutine with no locking, so concurrent actions race: one user's arguments render into another user's command, or the Go runtime panics on a concurrent map write (CVE-2026-48708, CWE-362, CVSS 7.5, all versions). A web UI that runs shell commands and leaks arguments cross-request is a confused-deputy in any multi-user deployment. Restrict OliveTin to trusted operators and watch for a fixed release that gives each request its own template.

12:00 ET · Forenoon Watch

Cordyceps: CI/CD workflow-hijack pattern exposes 300+ GitHub repos at Microsoft, Google, Apache

Novee Security disclosed a class of CI/CD workflow flaw it calls Cordyceps — a "critical exploitable pattern" that lets an attacker hijack GitHub Actions workflows and take full control of the repository, found across 300+ repos at organizations including Microsoft, Google, and Apache. It is the same family as yesterday's actions/checkout pwn-request hardening: workflows that run attacker-influenced code with the job's full-scope token are the recurring CI/CD supply-chain wound, and a finding at this scale says the pattern is still widespread. Audit your workflows for triggers that execute untrusted PR content with write-scoped tokens (pull_request_target, untrusted checkout-then-build) and pin to the hardened actions/checkout release.

06:00 ET · Morning Watch

Gogs path-traversal in organization names → RCE via overwritten Git hooks (CVSS 10.0)

Gogs accepts `../` sequences in organization names and writes repositories along the traversal, so an attacker can plant a nested repo whose `hooks/` config lands on top of another repo's — turning into remote code execution on the next Git operation (CVE-2026-52813, CVSS 10.0, unsanitized `os.MkdirAll` in `internal/database/org.go`). A self-hosted Git server is the source of truth for everything downstream of it; RCE there is code-execution adjacent to every pipeline that pulls from it. A companion advisory (CVE-2026-52812) lets a writer bind their repo to another tenant's LFS object and exfiltrate private bytes — patch both; if you run Gogs, treat upgrading as today's first job and audit org names for traversal sequences.

Budibase anonymous NoSQL operator injection via published-app query templates (CVSS 10.0)

Budibase substitutes user parameters into the raw JSON body of a query and then `JSON.parse`s it, while the validator rejects only Handlebars markers and never escapes JSON metacharacters — so a value carrying a closing quote and extra keys lifts attacker-controlled operators like `{$exists:true}` into a Mongo filter (CVE-2026-54350, CVSS 10.0). On a published app the query path is reachable anonymously, widening `find`/`updateMany` filters to dump or rewrite whole collections. Upgrade `@budibase/server` and, until patched, take public apps offline or constrain backing datasources to read-only.

motionEye LFI → pass-the-hash admin → config restore → RCE; unauth if surveillance password unset (CVSS 9.8)

motionEye chains an absolute-path LFI in the picture-download endpoint, acceptance of request signatures computed from the stored SHA-1 password hash (pass-the-hash, no cracking), an unsafe tarball config-restore, and unauthenticated action execution into full RCE (CVSS 9.8). When the normal surveillance-user password is left empty — the default — the entire chain is reachable unauthenticated, and a second advisory (GHSA-phv5-334h-mxcw) reads the config file to lift the admin hash directly. These are internet-exposed camera/NVR boxes; pull them off public networks now and upgrade once a fixed release lands, since the maintainer notes command execution is partly by-design.

jackson-databind PolymorphicTypeValidator bypasses reopen deserialization gadget instantiation

Two new jackson-databind advisories defeat `PolymorphicTypeValidator`, the safeguard most teams rely on after the long tail of Jackson deserialization RCEs: a denied class smuggled as a generic type parameter of an allowed container is validated only on the raw class name (CVE-2026-54512), and `allowIfSubTypeIsArray()` allowlists `EvilType[]` without checking the element type (CVE-2026-54513) — both at CVSS 8.1. jackson-databind is one of the most transitively-depended-upon libraries in the JVM ecosystem, so a PTV bypass re-opens gadget-instantiation risk for any app that enabled polymorphic typing behind a validator it believed was sufficient. Bump to the patched `jackson-databind` (and the new `tools.jackson.core` coordinate) across your dependency tree, and don't treat PTV as a reason to leave default typing on.

mise: arbitrary command execution from task-include files in an untrusted repo, no trust prompt

mise gates `mise.toml`/`.tool-versions` behind its trust check, but task-include dirs (`mise-tasks/`, `.mise/tasks/`) are loaded on a path that never reaches it, and the tera environment rendering each task field has `exec()` registered — so `{{ exec(command='…') }}` in a task field runs the moment tasks are merely listed (CVE-2026-55441, CVSS 8.6). A config-less repo means no trust prompt ever fires, and read-only triggers (`mise tasks`, tab-completion via `mise run`) are enough — the victim only has to `cd` into a cloned repo. This is the developer-machine supply-chain shape: cloning a poisoned repo is code execution. Upgrade mise and be wary of shell completion in freshly-cloned directories until you have.

OpenAM session hijacking via CDCServlet + cross-user session-token disclosure (≤16.0.6)

Open Identity Platform's OpenAM ships two session-credential exposures: the CDSSO servlet can be coerced to POST a logged-in user's raw session token to an attacker URL (CVE-2026-45049, CVSS 8.3), and the session-management RPC endpoint returns active session credentials for arbitrary users with no ownership check, letting a low-privileged account harvest higher-privileged sessions (CVE-2026-45048, CVSS 8.5). OpenAM sits under the auth path for everything federated behind it, so token theft here is lateral movement into every downstream relying party. Affected through 16.0.6, fixed in 16.1.1 — upgrade and review CDSSO exposure.

Algernon Host-header path traversal in --domain mode → arbitrary file read and Lua execution

When Algernon runs with `--domain` (silently enabled by `--letsencrypt`), it `filepath.Join`s the document root with the client-supplied `Host` header and never validates it, so `Host: ..` walks above the web root — arbitrary file read, directory listing, and server-side execution of any `.lua` file in the parent dir (CVE-2026-48126, CVSS 8.2, ≤1.17.7). The TLS convenience flag turning on the vulnerable mode is the trap: operators enabling Let's Encrypt get the traversal for free. Upgrade past 1.17.7.

AVideo: incomplete fix of CVE-2026-33482 — single '&' still reaches the sh -c sink

The patch for AVideo's ffmpeg command-injection (CVE-2026-33482) added `$(){}` and `&&` to the denylist but left the single `&` background operator intact, so the same `execAsync()` `sh -c` sink is still reachable for OS command execution (CVE-2026-55173, CVSS 8.1, verified at HEAD). Denylist sanitizers that patch the reported metacharacter and stop are the recurring failure mode — the entry point and sink never moved. Don't deploy from HEAD expecting the original fix to hold; wait for a release that allowlists or removes the shell invocation.

Glances: secure_popen honours >, |, && in AMP commands → arbitrary file write and command execution

Glances' `secure_popen()` interprets `>`, `|`, and `&&` without validating targets, and AMP module `command`/`service_cmd` values from `glances.conf` flow straight into it — anyone who can write the config gets arbitrary file write and command chaining (CVE-2026-53925, CVSS 7.8). Notably it is not mitigated by `--disable-config-exec`, which only blocked backtick execution, so the prior CVE-2026-33641 hardening leaves this open. Treat `glances.conf` as a privileged file and upgrade; the AMP path is the bypass.

OctoPrint: file exfiltration via upload-endpoint query params — incomplete fix of CVE-2025-48067

A user with the `FILE_UPLOAD` permission can move host files OctoPrint can read into the upload folder and then download them, exposing config secrets or removing runtime files to break restart (CVE-2026-54134, ≤1.11.7 and 2.0.0rc1/rc2). This is the second pass at the same bug — the 1.11.2 fix for CVE-2025-48067 was incomplete. Upgrade once the corrected release ships and keep `FILE_UPLOAD` off semi-trusted accounts.

Filament admin-panel batch: unauth temp file upload, ImageColumn/ImageEntry stored XSS, login timing enumeration

Filament shipped three coordinated advisories: the login form inherits Livewire's file-upload trait, exposing unauthenticated temporary uploads that can exhaust disk or inflate storage (CVE-2026-48500); `ImageColumn`/`ImageEntry` render raw DB values, enabling stored XSS where inputs aren't validated (CVE-2026-48167); and the login page leaks account existence via timing (CVE-2026-48166). Filament is a widely-embedded Laravel admin panel, so the XSS executes in the privileged admin view. Upgrade the affected `filament/*` packages together.

phpMyFAQ: four API write endpoints miss userHasPermission() — incomplete fix of CVE-2026-24421

CVE-2026-24421 added `userHasPermission()` to phpMyFAQ's BackupController but the same check was never applied to four other public-API write endpoints, which gate only on the shared API token and not the user's role — so any token holder can perform admin operations (CVE-2026-49205, CVSS 6.5). Another incomplete-fix item: the original patch addressed one controller, not the class of bug. Upgrade and audit API token scope.

Slim: reflected XSS in HtmlErrorRenderer via HttpException setTitle/setDescription

Slim's `HtmlErrorRenderer` renders `HttpException::setTitle()`/`setDescription()` without escaping, so apps that feed request-derived data into those (e.g. echoing a search term in an error) get reflected XSS — and it fires even with `displayErrorDetails=false` (CVE-2026-48157, CVSS 6.1). Stock Slim with built-in plain-text exceptions isn't exploitable; only custom error titles/descriptions are. Fixed in 4.15.2 — upgrade, or escape untrusted data before passing it to the error renderer.

Snipe-IT: bulk user-edit lets users.edit holder toggle activated/ldap_import and lock out admins

A tail of yesterday's Snipe-IT advisory batch: a non-admin holding only the granular `users.edit` permission can bulk-edit the `activated` and `ldap_import` flags, disabling every admin's login and password-reset path — a denial-of-administration rather than RCE (CVE-2026-48507, CVSS 7.1). Same multi-tenancy/permission-boundary theme that ran through the Snipe-IT cluster. Apply the fixed release; the patch is a single commit.