v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Wednesday · 08 July 2026 End-of-day synthesis 4 watches · 33 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Five unrelated AI-agent and MCP-adjacent tools — Langflow, Open WebUI, ha-mcp, ckan-mcp-server, and Serena — disclosed authorization or authentication gaps on the same day, the clearest sign yet that agentic tooling is shipping with the auth debt web frameworks paid off a decade ago.

Today opened heavy and stayed heavy: three same-day CISA KEV adds (two unrelated Joomla page-builder RCEs, plus Adobe ColdFusion), a 17-package payment-SDK typosquat campaign against Paysafe/Skrill/Neteller, and eleven Better Auth advisories in one release. The afternoon added two more criticals in the same shape — Nuclio's cron-trigger controller shells out with unsanitized event data, and BishopFox's own Joro proxy tool turns out to have no auth behind its wildcard-CORS local API.

The thread that ran under all of it, though, was agentic AI tooling. Langflow's KEV add let any user execute someone else's flow by guessing an ID; Open WebUI shipped five advisories for trusting LLM-adjacent content as renderable HTML; ha-mcp and ckan-mcp-server both left management routes wide open behind an MCP server's tool-call auth; and this evening Serena's AI-coding-agent dashboard turned out to run an unauthenticated Flask API on a fixed port that DNS rebinding can chain into full RCE. Five different projects, one missing habit — auth on the API surface, not just the feature that looks like the product.

The bright spot: KEDA, Kite, and Flask-Security-Too all shipped narrow, well-scoped fixes for authorization gaps found the same way — a missing check on one code path, not a design flaw. Operational priority for the night: if you run any agent framework, MCP server, or local dev-tool dashboard, verify every route requires auth — not just the ones shaped like tool calls.

18:00 ET · First Watch

Nuclio's cron-trigger CronJob spec injects unsanitized event headers/body into a shell command — persistent RCE

Nuclio's controller builds a curl invocation for every cron-triggered function and drops it straight into a Kubernetes CronJob's /bin/sh -c args; an attacker-controlled event header key breaks the quoting, and the event body survives Go's strconv.Quote enough to smuggle $() command substitution (CVSS 10.0). Because the payload is baked into the CronJob spec rather than a request handler, the RCE persists across restarts until the CronJob itself is edited or deleted — this is function-as-a-service infrastructure executing on behalf of whoever can reach the trigger config, not just the invoked function. Patch to the fixed commit and audit any existing cron-triggered NuclioFunctions for CronJob specs that already contain unexpected shell metacharacters.

BishopFox's Joro proxy tool ships wildcard CORS with no auth on its local plugin-upload API — unauthenticated RCE from a browser tab

Joro's default proxy mode listens on 127.0.0.1:9090 with Access-Control-Allow-Origin: * and zero authentication; because plugin uploads use the CORS-safelisted multipart/form-data type, any page the operator's browser visits can upload a native plugin and trigger a restart with no preflight (CVSS 9.6). It's the classic "localhost binding is not a security boundary" mistake, made worse because it's a red-team/pentest proxy tool — compromising the operator's Joro instance compromises whatever engagement they're running. Upgrade past the 2026-06-01 fix commit and don't rely on loopback binding as your only control for any local tool with a browser-reachable API.

Serena's AI-coding-agent dashboard runs an unauthenticated Flask API on a fixed port — DNS rebinding chains into full RCE

Serena's built-in dashboard starts by default on a hardcoded, predictable port (24282) with no auth, no CSRF protection, and no Host-header validation, so a DNS-rebinding attack from any webpage the victim visits can write to the agent's persistent memory store — which the agent then reads and acts on autonomously. Chained with Serena's default-enabled execute_shell_command (shell=True), that memory-poisoning path becomes full RCE just from visiting a malicious page while the agent is running (CVSS 8.3). This is the same "local API, no auth" shape that's now hit multiple agentic-AI tools this year — upgrade to 1.5.2, and if you run any agent framework with a local dashboard, verify it isn't reachable via DNS rebinding by default.

Dutch government portal library NL Portal ships two IDOR bugs at once — task tampering plus cross-user document/decision reads

NL Portal's task-submission resolver never checked whether the task ID in the request belonged to the calling user, so any authenticated portal user could complete, overwrite, and read back another citizen's in-flight form data (CVSS 8.1) — while a sibling bug in the same library let any logged-in user pull another user's document content and decision records by ID, a gap that's existed since the resolver's first commit in 2022. NL Portal backs Dutch municipal e-government services, so this is citizen PII exposure, not an abstract API bug. Upgrade to 3.0.1+, and if you can't patch immediately, block the submitTaakV2 mutation and the affected document/decision queries at the gateway.

DSpace ships four advisories at once — an admin-gated path traversal chains into Velocity-template RCE

DSpace's LDN (COAR Notify) service reads inbound-message templates without restricting the path, so a DSpace administrator can point it at an arbitrary file and have it interpreted as an Apache Velocity template — chaining into reflection-based RCE (CVSS 8.0 for the RCE half). Two more path-traversal bugs ride along in the same batch: an ORE harvester that doesn't validate URI scheme (local file read via file://) and a Curation Task reporter that writes output to attacker-chosen paths. All four require existing DSpace admin credentials, so this is privilege-escalation-to-RCE rather than an unauth bug — upgrade to 8.4/9.3/10.0, or disable LDN if you can't upgrade yet, since that closes the RCE path on its own.

Zalando's Skipper proxy silently skips OPA body inspection on chunked and HTTP/2 requests missing content-length

Skipper's opaAuthorizeRequestWithBody filter produces an empty body for Rego policy evaluation whenever a request omits Content-Length — true for HTTP/1.1 chunked encoding and HTTP/2 by default — so any policy gating on input.parsed_body (field allow/deny lists, payload schema checks) silently authorizes requests it was written to block, while the full attacker payload still reaches the upstream (CVSS 8.7). No fixed release exists yet. If you rely on Skipper + OPA for body-content authorization, treat chunked and HTTP/2 traffic as unfiltered until a patch ships — consider forcing Content-Length at the edge or disabling the affected filter.

lxml_html_clean's sanitizer misses javascript: URLs on namespaced attributes like xlink:href

Cleaner's link-rewriting only scrubs URL schemes on attribute names in a fixed allow-list, which has never included prefixed names like xlink:href or srcset — so <a xlink:href="javascript:..."> survives sanitization under the documented safe_attrs_only=False config and executes on click in any SVG-aware browser (CVSS 8.2, same defect class as the 2021 formaction gap). Anything using lxml_html_clean to sanitize untrusted HTML with lenient attribute handling is exposed to stored XSS through this one attribute. Upgrade to 0.4.5, and if you can't yet, strip xlink:href and srcset yourself as a stopgap.

React framework Waku ships CSRF on server-action dispatch plus an open redirect in the same beta

Waku's RSC dispatcher invokes 'use server' actions without checking Origin or Sec-Fetch-Site, so a cross-origin page can POST with text/plain (no preflight) and trigger any state-mutating server action using the victim's cookies (CVSS 6.5); a second bug in the unstable_redirect() helper reflects arbitrary input into the Location header unescaped, enabling phishing redirects. Both hit the same 1.0.0-beta.0 release, and both are the kind of framework-level gap every app built on the framework inherits silently. No fixed version yet — validate Origin/Sec-Fetch-Site in server actions yourself and avoid passing user input directly to unstable_redirect() until it ships.

Rust ring-buffer crate oneringbuf exposes a use-after-free through its public IntoRef trait

oneringbuf's IntoRef::into_ref returns a DroppableRef whose Clone copies a raw owning pointer without incrementing the internal live-handle counter, so safe external code cloning it beyond the expected count breaks the crate's own lifetime bookkeeping and Drop later frees memory still in use. It's a soundness hole in a safe-Rust API rather than a directly attacker-triggered exploit path, but any consumer that clones the exposed handle inherits the UAF. Upgrade to 0.8.0.

Trapster's DNS honeypot handler crashes on a single malformed compression-pointer packet — no cycle or depth bound

Trapster's DNS label decoder recurses once per RFC 1035 compression pointer with no cycle detection or depth limit, so one crafted unauthenticated UDP packet drives it past Python's recursion limit and the resulting exception escapes unhandled into the event loop, killing that packet's proxy task (CVSS 5.3, availability only). A low-rate flood is enough to sustain CPU burn and log flooding against the honeypot's DNS listener. Upgrade to the fixed release before relying on this component to reliably log DNS-scanning activity.

Laravel admin panel Sharp skips authorization on its Quick Creation Command endpoints

Sharp's Quick Creation Command create/store endpoints never checked whether the authenticated user actually had create permission on the target entity, so any logged-in user could retrieve the form or submit new records for entities they shouldn't be able to create. Upgrade to 9.22.3, or disable quickCreationCommandHandler() on sensitive entity lists until you do.

async-tar mis-applies a buffered PAX size header to the wrong entry — tar stream desync enables content smuggling

async-tar 0.6.0 applies a buffered PAX size extension to an intervening GNU longname/longlink or PAX header instead of the actual next file entry, desyncing the parser's read cursor relative to a POSIX-correct tar implementation like GNU tar. An attacker who controls a tar stream an async-tar consumer extracts can craft an x → L → file sequence where what async-tar extracts differs from what other tools see reading the same archive — classic smuggling setup for anything that scans or signs a tarball before a different tool unpacks it. Upgrade to 0.6.1 and don't trust that two tools agree on a tar stream's contents without checking.

China-linked threat cluster exploits an unpatched Roundcube flaw to backdoor US/Canadian university mail servers

A China-linked group is exploiting a known Roundcube vulnerability against academic institutions to steal credentials and deploy backdoors, per BleepingComputer. It's not a novel supply-chain vector, but it rhymes with today's pattern: unpatched self-hosted software as the entry point, this time for espionage rather than commodity malware. Confirm your Roundcube instances are current — this isn't a new CVE, it's active exploitation of an old one.

12:00 ET · Forenoon Watch

Hidden authentication backdoor found in multiple Tenda router firmware builds — grants admin access to the web panel

A hidden authentication backdoor has turned up in multiple Tenda router firmware builds, granting access to the device's web management panel without going through the documented login flow. Undocumented backdoors in consumer/SOHO router firmware are a durable botnet-recruitment primitive once the affected models are fingerprinted — this is the same shape that's fed prior IoT botnet waves. Check Tenda's advisory for the affected models and firmware versions, patch, and pull any exposed management interfaces off the public internet in the meantime.

KEDA's PostgreSQL scaler builds libpq connection strings with incomplete escaping — tenant fields can inject extra parameters

KEDA's PostgreSQL scaler builds libpq connection strings by concatenating key=value pairs, and its escaping function only triggers when a literal space is present — other whitespace and control characters in a tenant-controlled field (host, port, username, dbname, sslmode) pass through unescaped. In multi-tenant KEDA setups where ScaledObject fields come from user input, that's enough to inject extra libpq connection parameters into the scaler's DB connection. No fixed version is listed yet (the vulnerable range is open-ended below 2.20.0); until one ships, don't source those PostgreSQL scaler fields from untrusted input.

Flask-Security-Too's WebAuthn reauthentication path skips the cross-user check its OAuth path already has

Flask-Security-Too 5.8.0–5.8.1 marks a session reauthentication-fresh after any valid WebAuthn assertion, without checking the credential belongs to the currently logged-in user — the cross-user check added for the OAuth reauth path (GHSA-97r5-pg8x-p63p) was never mirrored onto WebAuthn. Anyone holding a WebAuthn credential registered to any account on the deployment can satisfy another user's freshness gate, defeating step-up auth for sensitive actions. Upgrade off 5.8.0/5.8.1, and since this is the second reauth-freshness bug in this app, audit any other reauth paths (SMS, backup codes) for the same missing check.

aiosmtplib doesn't reject CR/LF in email addresses — SMTP command injection via sender/recipient fields

aiosmtplib's mail(), rcpt(), vrfy(), and expn() write caller-supplied email addresses straight onto the SMTP control connection without rejecting embedded CR/LF, so an attacker-influenced address can smuggle extra SMTP command lines past the client. Anything that forwards user-supplied addresses into aiosmtplib — signup flows, contact forms, notification systems — is exposed to SMTP command injection. Validate and strip CR/LF from addresses at your application boundary; don't wait on the upstream fix.

Kite's cluster overview route is registered before RBAC middleware — any authenticated user can read unauthorized clusters

Kite registers its /api/v1/overview route ahead of RBACMiddleware and only checks that the caller holds some role, so any authenticated low-privileged user can select an unauthorized cluster via the x-cluster-name header and pull its aggregate inventory and capacity data. It's a route-ordering bug rather than a logic bug — the RBAC check exists, it's just applied too late to matter. If you run Kite for multi-cluster visibility, patch and then specifically verify route-registration order rather than assuming the middleware fix covers every endpoint.

netfoil ships three advisories at once — a DNS filter bypass, an unvalidated log-injection point, and an LRU cache leak

netfoil ships three advisories in one release: its domain-name filter can be bypassed by crafting a DNS request with multiple questions where only the first is legitimate, attacker-controlled domain names are written to logs without character validation, and a resource leak in the LRU cache lets a local attacker force enough memory growth to trigger a systemd-imposed restart. The filter bypass is the one that matters operationally — it defeats the tool's core job — the other two are hardening gaps. Upgrade to the fixed release (>= 0.3.0) and re-verify any DNS-filtering policy you depend on netfoil for.

A fifth Open WebUI advisory in the same batch: low-privileged users can upload an HTML file and get stored XSS on open

A fifth Open WebUI advisory from the same July 7 batch: low-privileged users can upload an HTML file through /api/v1/files/ and get back a file ID that, when opened, renders the file's embedded JavaScript in the browser — stored XSS independent of this morning's markdown/iframe bugs. Default visibility limits the blast radius to the uploader and admins, but it's the same pattern as the rest of the batch: user-supplied content rendered as trusted HTML. The same upgrade closes this one too — if you already patched for the morning's advisories, confirm you're on the release version rather than just the commit that fixed the markdown bug.

rama's ServeDir HTML directory listing doesn't escape file names — stored XSS if attacker controls served file names

rama's ServeDir HTML directory listing renders file names and URI path segments without HTML-escaping when DirectoryServeMode::HtmlFileList is enabled, so an attacker who can create a file or directory name in a served directory can inject script into the listing page. Low severity — it requires attacker control over served file names — but directory-listing features are an XSS surface teams routinely forget to threat-model. Avoid HtmlFileList mode on any directory where names originate from untrusted uploads.

PHP Webauthn library's fake-credential generator defaults to a predictable seed, undoing its own username-enumeration defense

The Webauthn library's SimpleFakeCredentialGenerator — its built-in defense against username enumeration — derives decoy credentials from a secret that defaults to empty, making the decoys predictable and enumeration possible again whenever an app doesn't explicitly configure a secret. It's an unsafe-default footgun rather than a direct exploit: check whether your WebAuthn integration passes a real secret into the fake-credential generator, since the library gives no warning if it doesn't.

09:00 ET · Morning Watch

CISA adds two unrelated Joomla page-builder plugins to KEV on the same day — both unauthenticated file-upload RCE

JoomShaper's SP Page Builder (CVE-2026-48908) and the unrelated Joomlack Page Builder (CVE-2026-56290) both joined the KEV catalog today for the identical failure: an unauthenticated user can upload a file with a dangerous extension and get PHP execution. Two different vendors converging on the same page-builder-upload shape in one KEV batch means it's worth auditing every Joomla extension you run for upload-type validation, not just these two. Both carry a July 10 remediation deadline — patch or take the extensions offline if you can't confirm the fix is in.

CISA adds Langflow's user-controlled flow-ID authorization bypass to KEV

CVE-2026-55255 lets any authenticated Langflow user execute someone else's flow simply by supplying that victim's flow ID in the request — no ownership check on the object reference. Langflow is a visual builder for LLM pipelines, so "execute another user's flow" means running their configured tools, credentials, and data connections on your behalf. Confirmed exploited in the wild per today's KEV add; patch to the fixed release and treat any multi-tenant Langflow deployment as needing an audit of who ran what over the last month.

CISA adds Adobe ColdFusion path traversal to KEV — arbitrary code execution

CVE-2026-48282 is a path-traversal bug in Adobe ColdFusion that reaches arbitrary code execution in the context of the running process. ColdFusion RCE chains have a long history of being weaponized fast once public, and CISA's KEV add confirms this one's already exploited. Patch per APSB26-68 now; ColdFusion instances facing the internet without it should be considered compromised until proven otherwise.

Coordinated npm/PyPI campaign typosquats Paysafe, Skrill, and Neteller SDKs to steal developer secrets

Socket found 17 malicious packages across npm and PyPI impersonating official SDKs for Paysafe, Skrill, and Neteller — payment processors, so the bait is aimed squarely at fintech and e-commerce integrators. The packages exfiltrate developer secrets on install, the standard typosquat-dropper shape, but the payment-SDK targeting is more deliberate than the usual random-popular-package spray. Grep your lockfiles for these exact package names against Socket's IOC list; don't just check for "looks similar," check for present.

Better Auth ships 11 advisories in one release — two critical OAuth/OIDC bugs, plus seven high-severity plugin flaws

Better Auth's oidc-provider and mcp plugins accepted refresh-token requests without verifying the requesting client, so a token issued to one OAuth client could be replayed by another to mint fresh access tokens (CVSS 9.1). A separate critical in the SSO plugin lets provider registration point at unvalidated OIDC endpoints, giving an attacker SSRF against the auth server's internal network (CVSS 9.6). Seven more high-severity bugs ride along in the same release: alg=none and plain PKCE accepted by default in oidcProvider, stored XSS via javascript: redirect_uri, OAuth auto-link account takeover on unverified pre-registered email, unauthorized org-invitation acceptance, refresh-token-rotation family forking and authorization-code races under concurrent redemption, and an SCIM provider-takeover via missing owner binding. If you're running Better Auth's OAuth/OIDC or SCIM plugins, this is a same-day upgrade, not a backlog item — the refresh-token and SSRF bugs are both directly exploitable for account and infrastructure compromise.

Goploy's project handlers trust a body-supplied row ID across namespaces — IDOR chains straight into RCE

Goploy's project and project_file handlers take the target row ID from the request body without checking it belongs to the caller's namespace, so any authenticated user can act on another team's deployment project — including the code-execution paths deployment tools expose by design (CVSS 9.6). A companion path-traversal bug in /deploy/fileDiff allows arbitrary file read, which is enough on its own to fully compromise the server hosting the deploy pipeline. Goploy sits at the point where compromise means an attacker can push to production; patch immediately and check deploy logs for cross-project actions you didn't initiate.

Open WebUI's markdown renderer trusts LLM output enough to reach account takeover and RCE via functions

MarkdownTokens.svelte renders an unescaped token from chat content, so text that reaches the markdown pipeline — including model output an attacker influenced via prompt injection or a shared conversation — executes as stored XSS in the viewer's session, and Open WebUI's admin "functions" feature turns that into RCE and full account takeover. Two sibling bugs put the same stored-XSS shape in iframe citations and iframe embeds in response messages, and a fourth is a blind SSRF in the image-edit endpoint. The common thread is LLM-generated or LLM-adjacent content getting rendered as trusted HTML — if you self-host Open WebUI, patch now and treat any instance with the functions feature enabled as high-value until you do.

uutils coreutils: --suffix alone silently fails to enable backup mode, diverging from GNU and losing data

Another find from the Zellic assessment commissioned by Canonical: cp/install/mv/ln accept --suffix but, unlike GNU coreutils, don't implicitly turn on backup mode when it's passed alone — the flag is silently ignored and the original file is overwritten instead of backed up. No exploit path, but it's a silent-failure class of bug in exactly the tools scripts and security tooling assume behave like GNU. If you're validating Ubuntu's Rust coreutils migration, add --suffix-without-backup to your regression matrix.

ratex-parser panics on malformed LaTeX input two different ways — both process-abort DoS, not memory corruption

A \verb command with a multibyte delimiter causes ratex-parser to slice a string on a non-UTF-8 byte boundary, which Rust turns into a panic and process abort rather than memory corruption. A second bug allows unbounded parser recursion on crafted input, same end result. Both are DoS-only, but if you're parsing untrusted LaTeX or math markup server-side — doc-conversion pipelines, math-rendering services — either one takes down the worker process; patch before you expose the parser to user-supplied input.

ha-mcp's add-on settings and policy routes are reachable at the bare root path with no authentication

ha-mcp — an MCP server for Home Assistant add-ons — exposes its settings and policy endpoints at the unauthenticated root path, so anyone who can reach the port can read or change add-on configuration and policy without credentials. This is the same class of bug the MCP-server ecosystem keeps producing: auth gets added to the tool-call layer but forgotten on the management/config routes underneath it. If you're running any MCP server as a network service rather than over local stdio, verify every route requires auth, not just the ones that look like tool calls.

Three unrelated tools disclose SSRF the same day, all from the same root cause: incomplete URL/hostname validation

@aborruso/ckan-mcp-server's base_url parameter allows reaching internal networks and is itself a bypass of a fix for an earlier CVE; oasdiff doesn't honor --allow-external-refs=false on its git-revision load path, permitting SSRF or local-file read through a crafted OpenAPI spec; and Weblate's outbound URL guard misses some transitional IPv6, multicast, and semi-private IPv4 ranges. None are novel techniques — each is a validation list that didn't cover every private-range edge case — but three landing the same day is a reminder that "block private IPs" is never actually a complete allowlist. If you maintain an SSRF guard anywhere, test it against IPv6-mapped IPv4, multicast, and link-local ranges specifically; those are the ranges that keep getting missed.