v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Monday · 06 July 2026 End-of-day synthesis 4 watches · 9 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Zebra disclosed a CVSS-9.3 soundness bug in Zcash's Orchard shielded-pool circuit at 21:00 ET, a late critical escalation onto a day that had already produced four separate critical dev-and-agent-tooling disclosures.

Morning and Forenoon Watch were quiet — nothing from GHSA, KEV, or the RSS beat cleared the bar. Then, in the six hours before First Watch, four disclosures landed back to back: Langroid's CVSS-10 eval() sandbox escape, 9router's plaintext credential-store exposure, a zip-slip bug in npm's decompress, and Coder's 18-advisory coordinated batch headlined by cross-workspace agent rebinding.

Late escalation at 21:00 ET: Zebra disclosed a CVSS-9.3 soundness bug in the halo2_gadgets circuit underlying Zcash's Orchard shielded pool, letting a malicious prover forge the diversified-address-integrity check that binds a proof to the correct viewing key — a different failure class than anything else today, landing in cryptographic circuit code rather than a web app. The same late window also turned up an authenticated SQL injection in OpenRemote's datapoint export, a four-advisory Craft CMS batch headlined by unsandboxed Twig execution via the Referer header, a local-privilege-escalation bug in Linuxfabrik's monitoring plugins, and a Zellic-audited permission bug in uutils' mkfifo.

→ Operational priority for the night if you depend on halo2_gadgets, orchard, or zcash_primitives, watch for the Zebra patch before trusting any Orchard proof validation; everyone else, the 18:00 priorities still stand — take 9router offline, pin Langroid past 0.65.4, check decompress versions, and queue the Coder upgrade — with OpenRemote, Craft CMS, and Linuxfabrik patches added to tomorrow's list.

21:00 ET · Last Watch

Zebra's halo2_gadgets circuit has a soundness bug letting a malicious prover forge Orchard's viewing-key binding

A missing copy constraint in halo2_gadgets' variable-base scalar multiplication gadget let a malicious prover submit a valid Orchard Action proof with an under-constrained base point, bypassing the check that binds the action to the correct incoming viewing key — and therefore to the correct nullifier and spend-validating key (CVSS 9.3). This is a circuit-soundness bug in Zcash's shielded-pool stack (zebrad, halo2_gadgets, orchard, zcash_primitives), a different failure class from today's earlier web-app and agent-tooling bugs — the exposure is forged proofs the network would otherwise trust. No patched version is listed yet; if you depend on any of these crates, treat Orchard proof validation as unverified until a fix lands.

OpenRemote's datapoint export API is SQL-injectable through user-controlled asset names

The crosstab datapoint export endpoint concatenates asset display names directly into a PostgreSQL query, so an authenticated user who can create or rename an asset can inject SQL that gets streamed back through the export's ZIP/CSV response. In multi-tenant deployments this can leak data across tenant boundaries if the database role can read shared manager tables. Upgrade to openremote-manager 1.26.0+; audit who can rename assets in the meantime.

Craft CMS discloses four advisories, headlined by unsandboxed Twig execution via the Referer header

Control-panel users with entry-edit permissions can get unsandboxed Twig code to execute during entry saves by controlling the Referer header on a signed redirect URL — the code path uses renderObjectTemplate() instead of the sandboxed variant, effectively authenticated RCE. The same batch adds a stored XSS via structure-entry titles in table view, a DOM XSS where a poisoned GitHub issue title fires in an admin's session through the CraftSupport widget, and a Twig-sandbox-allowlisted dataUrl() function that lets a low-privilege permission read arbitrary server files — including .env — via outbound system email. Patch to the fixed versions in each advisory; treat the Referer-driven Twig path as RCE, not a redirect bug.

Linuxfabrik Monitoring Plugins allow local privilege escalation via an embedded command

A monitoring plugin embeds a command in a way a local user can hijack to escalate privileges — the classic embedded-command-injection shape. Only matters where the monitoring agent runs on shared or multi-tenant hosts with untrusted local users; patch before the next agent update cycle on those boxes.

Zellic's uutils coreutils audit for Canonical turns up a permission-reset bug in mkfifo, plus lower-severity issues in cut and mknod

When uutils' mkfifo fails because the target already exists, it skips the early return and falls through to fs::set_permissions anyway — silently resetting a pre-existing file's permissions to the default FIFO mode, which can relax permissions on sensitive owner-only files like SSH private keys (CVSS 7.1). The same Zellic assessment commissioned by Canonical also flags a cut -s -z -d '' mode that emits records it should filter, and a mknod SELinux-labeling race that leaves mislabeled device nodes behind after failed cleanup. None are remote-exploitable, but if uutils stands in for GNU coreutils on security-sensitive hosts, watch for the advisory's fixed versions (0.6.0 for mkfifo, 0.7.0 for cut).

18:00 ET · First Watch

9router ships two critical, unauthenticated bugs: full plaintext API-key leak and complete database export/import

9router — a self-hosted LLM API gateway/dashboard — exposes /api/usage/stats with zero authentication, returning every connected provider's API key in plaintext (CVSS 10.0), while a companion bug lets anyone hit /api/settings/database to export the full credential store or overwrite it wholesale (CVSS 9.9). Any team running 9router to front multiple LLM providers has effectively published every upstream API key and can have its entire config replaced by an attacker in one POST. There's no patched version listed yet — take any internet-facing 9router instance offline or firewall it to trusted IPs immediately.

npm's decompress package has a zip-slip / path-traversal flaw letting a crafted archive read or write files outside the extraction directory

The decompress npm package (and its @xhmikosr/decompress fork) resolves hardlink and symlink entries during extraction with a naive string-prefix path check, so a crafted tar/zip can read arbitrary files the process can access or write outside the target directory — and because file modes are applied as mode & ~umask, an entry can also create a setuid/setgid file (CVSS 9.1). This is the classic supply-chain shape: anything that unpacks a downloaded archive during install, build, or CI trusts the archive contents implicitly, and decompress sees exactly that use. Upgrade to @xhmikosr/decompress 11.1.3+ (10.2.1+ on the 10.x line); the original unmaintained decompress <= 4.2.1 has no fix and should be replaced outright.

Langroid discloses four LLM-tool-execution bugs in one batch, including a CVSS-10 eval() sandbox escape to RCE

Langroid's TableChatAgent sandboxes LLM-generated Python by setting eval()'s locals to {} but never scrubs __builtins__ from globals, so any tool call reaching pandas_eval() gets full access to __import__('os').system() — unauthenticated RCE, CVSS 10.0. The same batch shows the SQLChatAgent's pg_read_file blocklist regex is still bypassable via quoted or schema-qualified function names (reopening a file-read RCE a prior CVE claimed to fix), the Neo4jChatAgent variant of the same defect lets prompt-injected Cypher read or destroy graph data, and a fourth bug lets a user bypass use=False,handle=True tool gating by sending raw tool JSON directly. The pattern across all four: agent frameworks that let LLM output reach eval, SQL, or Cypher without a real allowlist are one crafted prompt away from RCE — pin past 0.65.4, and if you've built a similar tool-calling agent, audit for the same eval()/regex-blocklist shape before you ship it.

Coder discloses 18 advisories in one coordinated batch, headlined by cross-workspace agent rebinding and two OIDC account-takeover bugs

Coder — the remote dev-workspace platform many teams run as their CI/dev environment control plane — published 18 advisories within a single hour, the worst letting a user-controlled app ID rebind a workspace app to a different workspace's agent (CVSS 8.7), alongside two independent OIDC bugs (email-based user matching, plus an email_verified type-coercion bypass) that both enable account takeover. Layered on top: SSH config injection via coder config-ssh, session-token leakage to arbitrary hosts through coder open app, tailnet route hijacking via unvalidated AllowedIPs, and a user-admin role that can reset the owner's password. This is dev-environment infrastructure, not a toy app — if you self-host Coder, treat this as a full-platform patch day, not a pick-and-choose one, and rotate OIDC-linked sessions after upgrading.