v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Tuesday · 07 July 2026 Live · last refresh 12:00 ET · Forenoon Watch 2 watches · 17 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

12:00 ET · Forenoon Watch

EGroupware discloses three advisories in one batch — an auth-bypass RCE, an admin eval() RCE, and a mail-compose LFI

An authorization check in SmallPartMediaRecorder::ajax_upload() trusts a user-controlled participant_role value instead of the server-side course ACL, so a crafted upload request bypasses the teacher-only gate; combined with a separate file-read primitive, that chain reaches full RCE and is exploitable pre-auth if self-registration is enabled. A second bug lets an authenticated admin get OS-level RCE by uploading a malicious .xet eTemplate file — Widget::expand_name() escapes double quotes before eval() but never escapes backticks, and PHP executes backtick-wrapped shell commands inside double-quoted eval strings. A third, unrelated bug in mail compose treats file:// URIs as "not http" and passes them straight to file_get_contents(), reading arbitrary server files into outgoing mail. Patch to the fixed release now — if self-registration is on, treat this as pre-auth RCE and take the instance offline until patched.

XWiki's /skin/ endpoint allows path traversal to arbitrary file read — but only under Jetty 12+

On Jetty 12 and later, XWiki's /skin/ action doesn't strip double-URL-encoded traversal sequences, so a request like /xwiki/bin/skin/..%252f..%252f...%252fetc/passwd walks out of the webapp and reads arbitrary files the Jetty process can access, including XWiki's own Hibernate/config files. The bug is app-server-specific — Tomcat and Jetty <12 aren't affected — which is an easy detail to miss if you patch XWiki but never check what's serving it. Upgrade to 17.10.5 / 18.2.0, or drop to Jetty <12 as a stopgap if you can't upgrade immediately.

New API's default SSRF filter never resolves hostnames, and a companion CSRF bug lets attackers rebind account email

New API ships with ApplyIPFilterForDomain off by default, so its SSRF guard checks a notification URL's domain against allow/block rules but never resolves the hostname to an IP — an authenticated user can point a Webhook/Bark/Gotify notification at an internal service or a cloud metadata endpoint and read the response through timing or error behavior. The same release fixes a CSRF bug where email/WeChat account-binding used GET requests, letting a cross-site link silently rebind a logged-in user's account email (kept to medium because the default SameSite=Strict cookie config blunts it). Upgrade to v0.12.0-alpha.1, which flips the IP filter on by default and moves binding endpoints to POST.

Kiwi TCMS's account-confirmation link is an open redirect — a phishing vector wearing a trusted hostname

The account-confirmation endpoint's next parameter isn't validated, so an unauthenticated attacker can hand out a Kiwi-TCMS-hosted URL that redirects to any external domain — the value to an attacker is the trusted internal hostname, not the code execution. A lower-severity companion bug lets TestCase/TestPlan extra_link fields render javascript: URIs verbatim before 16.1, though the default CSP blocks it unless you've weakened that header. Kiwi TCMS is usually an internal QA tool, so this is a social-engineering risk more than a direct-compromise one — patch to 16.1+ and don't relax the default CSP.

Cilium's LocalRedirectPolicy lets an in-cluster user hijack Service traffic across namespaces

CiliumLocalRedirectPolicy's addressMatcher accepts an arbitrary ClusterIP, so anyone who can create the policy resource can redirect traffic bound for a Service in a different namespace — the namespace-scoping serviceMatcher is supposed to enforce normally doesn't apply here. Deleting a policy created this way can also corrupt Cilium's internal service state and break service translation entirely for the affected Service. If your RBAC lets tenants create CiliumLocalRedirectPolicies, that's effectively cross-namespace network access — patch to 1.19.4 / 1.18.10 / 1.17.16; there's no workaround.

GoFiber's helmet middleware has never actually set the HSTS header — a protocol-vs-scheme typo made the check permanently false

helmet.go checks c.Protocol() == "https" to decide whether to send Strict-Transport-Security, but Protocol() returns the HTTP version string ("HTTP/1.1", "HTTP/2.0"), never a scheme — the intended call was Scheme(). The comparison is always false, so the entire HSTS block has been dead code since it shipped, regardless of HSTSMaxAge configuration. If you rely on gofiber/fiber's helmet middleware for HSTS, verify with a live response header check rather than trusting your config — this one silently did nothing.

Linuxfabrik's monitoring plugins pick up a second advisory in as many days — predictable /tmp paths for SQLite databases

Companion bug to this morning's privilege-escalation advisory in the same plugin set: check scripts create SQLite databases at static, predictable paths under /tmp, so any local user can pre-plant a symlink and have a root-run monitoring script (via sudo) write to an arbitrary target path. Same operator note as this morning applies — this only bites shared or multi-tenant hosts with untrusted local users, but a root-sudo monitoring agent is exactly the kind of thing worth patching on the next agent update rather than waiting.

ONNX's Upsample version converter crashes on a 107-byte crafted model with zero inputs

The Upsample 6→7 version-converter adapter checks that width_scale/height_scale attributes are present but reads node->inputs()[0] without checking the input count is non-zero, so a minimal crafted ONNX model null-derefs the converter process. It's a DoS on whatever pipeline runs convert_version() over untrusted models — a model-conversion service, a CI step — rather than an RCE, and it's the same bug class as a previously reported Cast-adapter crash, just a different operator.

The Hacker News asks what changes when AI is writing the code that enters your supply chain

A framing piece rather than a new incident: the argument is that dependency provenance (SolarWinds, Log4Shell, XZ) was the first five years of supply-chain security, and AI-generated code inside the build pipeline is the next layer of the same problem — nobody chose those lines either. Worth a read for the framing, not for new technical detail; the Langroid and Coder disclosures already on this page are the concrete version of the same argument.

06:00 ET · Morning Watch

Langroid's Neo4j and SQL chat agents let LLM output execute unvalidated queries — three advisories, two critical

Langroid's Neo4jChatAgent passes LLM-generated Cypher straight to the database without validation — the same prompt-to-query injection shape already fixed once in SQLChatAgent (CVE-2026-25879), and that SQL fix itself turns out bypassable via quoted or schema-qualified pg_read_file calls. A third bug lets handle_message() execute attacker-supplied tool JSON without verifying the sender, so any untrusted input the agent reads — a scraped page, a retrieved document — can trigger tool calls directly. If you're running Langroid agents against either database backend, don't rely on the blocklist; sandbox the DB user's permissions and treat every tool call as needing its own sender check.

Coder ships 17 advisories in one release — OIDC account takeover, session-token leaks, and route hijacking across the platform

Coder's 2.34.4 release (backported to 2.33.10 / 2.32.9 / 2.29.19) closes eight high-severity holes at once: OIDC email-verification bypass enabling account takeover, workspace-agent session tokens leaked to arbitrary external hosts via `coder open app`, tailnet route hijacking through unvalidated agent-supplied AllowedIPs, SSH config injection via `coder config-ssh`, and a user-admin role that could reset the owner's password. Nine more medium fixes ride along, including subdomain routing that trusted an unauthenticated X-Forwarded-Host header and several unbounded-upload DoS vectors. Anyone self-hosting Coder for dev environments should patch to the latest point release now — the OIDC and session-token bugs are directly exploitable for account and workspace takeover.

9router's login rate limiter trusts client-supplied X-Forwarded-For — brute-force bypass on top of yesterday's critical pair

A third 9router bug: the dashboard's login rate limiter keys off the attacker-controlled X-Forwarded-For header, so rotating the header on every attempt resets the lockout counter and defeats brute-force protection entirely. Combined with yesterday's unauthenticated API-key leak and full database export/import, and given 9router ships a default dashboard password, this closes the loop — an internet-facing instance can be brute-forced into an admin session with nothing standing in the way. Same guidance as yesterday: take internet-facing 9router instances offline or firewall to trusted IPs until a patch lands.

OpenRemote's KNX XXE fix was incomplete, and a companion bug leaks user data across tenant realms

The patch for CVE-2026-40882 didn't fully close the XXE in KNXProtocol.startAssetImport() — an unprotected XMLInputFactory still allows arbitrary file read via a crafted KNX asset import. Separately, UserResourceImpl discloses user information across tenant realms, so a user in one OpenRemote realm can enumerate account details from another. Multi-tenant OpenRemote deployments should treat realm isolation as broken until both land, and re-verify any "fixed" XXE actually restricts external entity resolution rather than just re-scoping it.

Craft CMS batch: DOM XSS via GitHub issue titles, plus stored XSS and file-disclosure fixes

The CraftSupport widget renders linked GitHub issue titles into the control panel without sanitization, giving DOM XSS to anyone who can title an issue on a connected repo. Three medium fixes ride along: stored XSS via Structure entry titles in table view, a server-side file-read through a sensitive-file-disclosure bug, and an authenticated endpoint that leaks signed asset-transform preview links to CP users lacking view permission. Upgrade to the patched 5.x/4.x point releases; until then, treat GitHub issue titles on any repo linked into CraftSupport as untrusted input.

CERT/CC: Tenda router firmware ships an undocumented admin backdoor that bypasses password checks

Several Tenda firmware versions embed an authentication backdoor (CVE-2026-11405) that lets an attacker skip password verification and reach the device's web management interface directly. This is a vendor-shipped hidden access path, not a post-compromise implant — anyone running affected Tenda hardware should assume the management interface is reachable by anyone who knows the mechanism, not just the admin. Check CERT/CC's advisory for affected models and firmware versions, and pull management interfaces off the public internet regardless of patch availability.

Dragonfly's scheduler gRPC endpoint is SSRF via unauthenticated, attacker-controlled PeerHost

The DownloadTinyFile RPC in Dragonfly's scheduler (v1 and v2) trusts an attacker-supplied PeerHost field with no authentication, letting a caller direct the scheduler to fetch from arbitrary internal addresses. In a Kubernetes image-distribution deployment that's a scheduler-as-SSRF-proxy into the cluster network. Patch to the fixed version, and restrict which peers can reach the scheduler's gRPC port in the meantime.

uutils (Rust coreutils) audit surfaces five more edge-case bugs, including rm -rf ./ deleting directory contents

Continuing the Zellic assessment commissioned by Canonical: uu_rm's dot-protection can be bypassed with `./` or `.///` path variants, silently deleting the current directory's contents instead of refusing; uu_mv expands symlinks during cross-device moves, risking resource exhaustion; uu_cp -R reads device nodes as streams instead of recreating them, destroying device semantics; and uu_printenv silently skips environment variables containing invalid UTF-8, letting malformed env vars evade inspection tooling. None are remotely exploitable, but if you're tracking Ubuntu's GNU-to-Rust coreutils migration, this is exactly the class of subtle behavioral drift that breaks scripts and security tooling in production.