v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Friday · 10 July 2026 End-of-day synthesis 4 watches · 71 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A second coordinated multi-CVE batch — seven SiYuan advisories with three independent RCE chains — landed hours after this morning's YesWiki disclosure, while a compromised Injective Labs GitHub repo pushed a wallet-draining npm package into the wild.

YesWiki's thirteen-advisory batch from this morning got company this afternoon: SiYuan disclosed seven of its own, three of them independently RCE-capable through the same Electron nodeIntegration path. Between the two, that's twenty vulnerabilities against two note/wiki platforms in a single day.

The active-exploitation news is a compromised Injective Labs GitHub repo that shipped a wallet-key-stealing npm release — the same dropper-via-trusted-repo shape this series keeps tracking. PrestaShop's faceted-search module picked up a CVSS 10.0 unauthenticated RCE, File Browser landed two critical auth bugs in the same advisory batch, and mcp-atlassian disclosed three file-read/SSRF issues that matter directly if you run it as an MCP server for an AI agent — alongside a separate pair of bugs in Clauster and SafeInstall, both agent-tooling guardrails that fail open. CISA added two Joomla-extension file-upload RCEs to KEV today, Balbooa Forms and iCagenda, both due by the 13th.

The bright spot: RustSec and crates.io pulled a malicious exploration crate off the registry about an hour after it published, before any project depended on it.

→ Operational priority for the night patch SiYuan and YesWiki if you run either, rotate any secrets that touched a machine with @injectivelabs/[email protected] installed, and if you gate coding-agent installs with SafeInstall or run Clauster off loopback, check both configs before your agents run unattended overnight.

18:00 ET · First Watch

Injective Labs GitHub repo compromised, pushes wallet-key-stealing npm package (@injectivelabs/[email protected])

Attackers compromised the Injective Labs SDK GitHub repository and shipped a poisoned release, @injectivelabs/[email protected], with fake telemetry code that exfiltrates cryptocurrency wallet private keys and mnemonic seed phrases from anything importing it. Same TTP shape as the Laravel-Lang and GitHub-Releases-as-dropper campaigns this series has tracked before - a trusted maintainer account or repo gets popped, then the poisoned version rides the normal update path into every downstream project. If you or a dependency pull @injectivelabs/sdk-ts, pin off 1.20.21, audit for the version in lockfiles across your org, and rotate any wallet keys that touched a machine running it.

CISA KEV adds Balbooa Forms unrestricted file upload (CVE-2026-56291) - unauthenticated RCE

Newly-catalogued KEV entry: Balbooa's Joomla Forms extension accepts unauthenticated arbitrary file uploads with no dangerous-type check, letting an attacker drop an executable file and get full RCE with no login. CISA's three-day remediation clock is running (due 2026-07-13). Patch or pull Balbooa Forms off any internet-facing Joomla install now; there's no workaround short of disabling the form-upload feature.

CISA KEV adds iCagenda unrestricted file upload (CVE-2026-48939) - PHP code execution

Second KEV add of the day, same bug class: iCagenda's event-attachment feature accepts arbitrary file uploads with no type validation, so an attacker uploads a .php file and executes it directly. Due 2026-07-13 alongside the Balbooa Forms entry above - both are the same unrestricted-upload shape hitting Joomla-adjacent extensions on the same day, worth a single sweep of any Joomla site inventory for both plugins.

crates.io pulls `exploration` crate for malicious download-and-execute payload

A method inside the `exploration` crate attempted to download and execute a remote payload; RustSec and Socket's threat research team caught it and crates.io removed the single published version about an hour after it went live, before any real usage. No dependents on crates.io, so blast radius looks like zero, but it's the same fake-utility-crate pattern Rust's ecosystem has seen before - if you scaffold projects from unfamiliar crates.io names, check `cargo tree` for anything with a suspiciously generic name and near-zero download history before trusting it.

PrestaShop ps_facetedsearch: unauthenticated PHP object injection in filter cache to full RCE (CVE-2026-54159, CVSS 10.0)

ps_facetedsearch takes the price/weight slider value straight off the URL, serializes it into a filter-block cache, and reads it back with a raw `unserialize()` - a single crafted front-office request smuggles a gadget chain that writes a PHP webshell into the module directory. CVSS 10.0, unauthenticated, affects every version since 3.0.0 including the latest release. PrestaShop is a widely-deployed ecommerce platform; if you run it with the faceted-search module and a slider filter template, patch immediately - this is remote, no-auth, full-server-compromise territory.

File Browser: pre-authentication command injection via Hook Auth shell substitution (CVE-2026-54088)

File Browser's Hook Authentication feature delegates login checks to an external shell command and interpolates the submitted username/password into that command string with `os.Expand` and no sanitization - an unauthenticated attacker injects shell metacharacters at the login screen and gets arbitrary OS command execution before any credential is checked. Only affects deployments with Hook Auth configured, but on those it's a single crafted HTTP request to full compromise. Disable Hook Auth or patch immediately; if you can't patch today, front the login endpoint with input filtering on shell metacharacters as a stopgap.

File Browser: proxy-auth header forgery lets any request impersonate admin, auto-creates accounts for unknown usernames (CVE-2026-54089)

Companion File Browser advisory: when `auth.method=proxy` is configured - a common reverse-proxy deployment pattern - any attacker who reaches the server directly can forge the proxy-auth header to impersonate any user including admin, and specifying an unknown username auto-provisions a new account with no authorization check. Not exploitable on the default `auth.method=json` config, but proxy auth is common enough in production that it's worth checking. Confirm your deployment isn't running proxy auth reachable outside the trusted proxy path; if it is, patch now.

SiYuan: stored XSS in attribute-view asset cell renderer chains to Electron RCE (CVE-2026-50551, CVSS 9.9)

First of seven SiYuan advisories published today. The Attribute View (database) asset-cell renderer left two sinks unescaped - a neighbor-bug of an earlier fix that patched a different renderer but missed this one - and because the Electron desktop client runs with `nodeIntegration:true` and `contextIsolation:false`, stored XSS there reaches `require('child_process')` directly. siyuan-note/siyuan <=3.6.5; workspace data syncs normally, so a payload planted once fires on every device that opens the panel - patch before your next sync.

SiYuan: second stored-XSS-to-RCE sink in genAVValueHTML(), companion to today's other AV renderer bug (CVE-2026-54158, CVSS 9.9)

Same batch, same root cause, different function: `genAVValueHTML()` interpolates cell content raw across its text/url/phone/mAsset branches, with no equivalent of the escaping that protects block IAL attributes elsewhere in the kernel. Same Electron nodeIntegration path to host RCE as the sibling advisory above. siyuan-note/siyuan <=3.6.5; one upgrade covers both renderer sinks, but if you're patching manually, both files need the fix.

SiYuan: CSS-snippet `</style>` breakout is a third stored-XSS-to-RCE path, bypasses the enabledJS toggle (CVE-2026-54067, CVSS 9.9)

Third RCE-chain sink in today's SiYuan batch: a CSS snippet body containing `</style>` breaks out of its tag via `insertAdjacentHTML`, and because snippets sync via the workspace repository, a payload planted once fires on every device that pulls it - notably, this bypasses a user's `enabledJS:false` setting, running JS even when they deliberately turned it off. Same Electron nodeIntegration path to RCE as the other two. siyuan-note/siyuan <=3.6.5; three independent renderer sinks landing the same day says the escaping discipline needs a project-wide audit, not three point fixes.

SiYuan: kernel trusts every chrome-extension:// origin as admin, no auth required on desktop default (CVE-2026-54069)

SiYuan's kernel HTTP server exempts all `chrome-extension://` origins from authentication and grants them `RoleAdministrator` outright; combined with the empty default `AccessAuthCode` on desktop installs, any installed Chrome extension - including one compromised via its own supply-chain attack - gets fully authenticated admin API access to the local SiYuan kernel. siyuan-note/siyuan <=3.6.5, unfixed as of the latest commit on the fix branch. If you run SiYuan desktop, treat every browser extension you have installed as a potential path into your notes until this lands.

TSDProxy: forwards its own management-API auth token to every proxied backend, letting a backend replay it to bypass Tailscale auth entirely

When `identityHeaders` is enabled (the default), TSDProxy injects its internal `x-tsdproxy-auth-token` into every upstream request alongside identity headers - the same secret the management HTTP server uses to trust forwarded Tailscale identity claims. Any backend that receives it can replay the token from localhost to the management port with an arbitrary `x-tsdproxy-id`, fully bypassing Tailscale authentication. Requires the backend to reach 127.0.0.1:8080, which holds for same-host, host-network-mode, and shared-namespace deployments. tsdproxy; if identityHeaders is on, treat every proxied backend as able to reach your management API until this is fixed.

Authorizer: /authorize never validates redirect_uri, leaks OAuth2 access/id/refresh tokens straight to an attacker-controlled URL (CVE-2026-54072)

An earlier fix added redirect_uri validation to most Authorizer handlers, but `/authorize` itself was left out - with `response_type=token` or `id_token`, the server appends the live access_token, id_token, and refresh_token as query params and 302s to whatever `redirect_uri` the request supplied, no allowlist check. The only prerequisite is a `client_id`, obtainable unauthenticated from the public `/graphql?query={meta{client_id}}` endpoint. authorizer; this is a complete token-theft primitive requiring nothing but a link - patch now, and rotate any tokens that may have already leaked through it.

SiYuan: unauthenticated endpoint runs arbitrary SELECTs against the notes SQLite DB via template injection (CVE-2026-54068)

`/api/icon/getDynamicIcon` is explicitly excluded from auth in the kernel router; called with `type=8` and a known block ID, it executes a Go template that exposes `querySQL`/`queryBlocks`, letting an unauthenticated network-adjacent attacker run arbitrary SELECTs and exfiltrate all note content, tags, and asset references. siyuan-note/siyuan <=3.6.5 - sixth item in today's batch.

SiYuan: incomplete fix leaves double-URL-encoded path traversal in /assets/*path, exposes AccessAuthCode hash and sync keys (CVE-2026-54066)

The earlier fix for CVE-2026-41894 patched the `/export/` route's double-URL-encoding traversal but left the identical bug in `/assets/*path`; in publish mode (anonymous read-only, default port 6808) an unauthenticated attacker reads arbitrary files under WorkspaceDir, including `conf/conf.json` with the AccessAuthCode hash, API token, and sync keys. siyuan-note/siyuan <=3.6.5 - if you patched the earlier CVE and considered it closed, this is the same class reopened in a sibling route.

SiYuan: Bazaar marketplace README renderer's sanitizer blocklist misses modern event-handler attributes (CVE-2026-54070)

Seventh and last of today's SiYuan advisories: the Bazaar package README sanitizer uses a fixed event-handler blocklist copied from a legacy w3schools list, so modern handlers like `onpointerover` and `onbeforetoggle` pass through untouched into `innerHTML` with no client-side DOMPurify and no CSP header from the kernel. siyuan-note/siyuan <=3.6.5; a malicious Bazaar package listing is enough - no install required, just viewing the README. Seven advisories against one app in a single disclosure batch; treat SiYuan as unsafe for untrusted workspace sync or Bazaar browsing until the fix branch ships.

mcp-atlassian: confluence_upload_attachment skips path validation, lets an MCP client or prompt-injected agent read and exfiltrate any server file

`confluence_upload_attachment` passes the client-supplied `file_path` straight to `open()` with no `validate_safe_path()` call - the exact check its sibling `download_attachment()` already has. Any MCP client, or an AI agent manipulated via prompt injection, reads arbitrary files the server process can access and exfiltrates them as a Confluence attachment; a working PoC pulled `C:\Windows\System32\drivers\etc\hosts` in the report. mcp-atlassian, fix is a one-line `validate_safe_path()` add - if you run mcp-atlassian as an MCP server for Claude or another agent, this is worth patching today given the prompt-injection angle.

mcp-atlassian: attachment-upload tools resolve the client's file path on the server over remote transport, not the caller's machine

Companion to the advisory above: attachment-upload tools are meant to read a file from the caller's own environment, but over HTTP/SSE transport the client-supplied path resolves and reads on the server instead - a remote client ends up reading the server's files, or another tenant's data in multi-tenant deployments. Local stdio deployments are unaffected since the server already runs as the caller. mcp-atlassian; if you expose mcp-atlassian over a remote transport rather than stdio, treat this and the sibling advisory as the same patch.

mcp-atlassian: earlier SSRF fix resolves the attacker header's hostname once at validation time, then re-resolves at connect time with no IP pinning - classic DNS-rebinding TOCTOU

The prior fix for the `X-Atlassian-{Jira,Confluence}-Url` header SSRF added a middleware-time hostname check, but the outbound request later re-resolves the same hostname at connect time with no pinning - a DNS-rebinding attacker returns a public IP for the validation lookup and `169.254.169.254` or an internal IP for the connection lookup, defeating the guard on the already-patched build. mcp-atlassian; if you applied the earlier SSRF patch and considered it closed, it isn't - same bug, one step later in the request lifecycle.

Clauster: non-loopback deployments serve the dashboard unauthenticated when auth.enabled defaults to false, effectively RCE via claude remote-control bridges

A Clauster instance bound to a non-loopback address (0.0.0.0 or a LAN IP) serves its full dashboard and API with zero authentication whenever `auth.enabled` is left at its default `false` - even if the operator set a password, believing the instance is protected. An unauthenticated network attacker can spawn or stop `claude remote-control` bridges in any project directory, edit CLAUDE.md, and read bridge logs; since bridges run Claude Code against the host's project directories, that's effectively remote code execution in those projects. Loopback-only deployments are unaffected. If you run Clauster bound to anything but 127.0.0.1, set `auth.enabled=true` explicitly and don't trust the default.

SafeInstall: agent guard shell parsing misses case-variant launchers and redirected commands, so a coding agent can run raw package installs without policy evaluation

SafeInstall's CLI guard, meant to intercept and approve/deny package-manager commands before a coding agent runs them, fails to recognize case-variant launcher names, leading file-descriptor redirections, and some shell-wrapper option combinations - a crafted command slips through with no guard decision at all, and package-manager create/init scaffolding commands bypass the approval flow entirely. safeinstall <=0.10.1; exploitation needs the agent to act on attacker-influenced instructions, which is exactly the prompt-injection scenario these guards exist to stop. If you rely on SafeInstall to gate what a coding agent can install, this is a real gap - patch before trusting it against untrusted repo content.

melange/apko: package integrity check verifies the signed control-section hash but never the data section, allowing file substitution after the fact (CVE-2026-54174)

Apko verified the control section (`.PKGINFO` etc.) hash against the signed APKINDEX but never checked the data section hash - the actual installed files. An attacker who compromises a mirror, poisons a cache, or sits in the middle of a package fetch can substitute arbitrary file contents while the signed control hash still checks out clean. melange/apko; this is a textbook supply-chain integrity gap - if you build images with apko, treat any mirror or cache you don't fully control as untrusted until the data-section check ships.

BabelDOC: vendored PDF parser deserializes untrusted pickle data from a crafted CMap name, arbitrary code execution on a malicious PDF (CVE-2026-54071)

BabelDOC's vendored `cmapdb.py` strips only NUL bytes from a PDF-controlled CMap name before passing it to `os.path.join()` and `pickle.loads()`; because `os.path.join()` discards preceding path components on an absolute segment, a hex-encoded absolute path in the `/Encoding` name redirects deserialization to any attacker-writable `.pickle.gz` file, and processing the PDF executes arbitrary Python with the BabelDOC process's privileges. babeldoc; if you run BabelDOC against PDFs from outside your org, treat this like any other untrusted-file-parser RCE and sandbox the process.

NotrinosERP: authenticated HRM "Documents" upload writes the client filename verbatim into a web-served directory, .php extension executes as code

An authenticated user with the HR `SA_EMPLOYEE` permission can upload a file through the employee Documents tab; the handler moves it into a web-served directory using the client-supplied filename with its original extension intact, so a `.php` upload lands under the web root and runs as code. NotrinosERP; requires an authenticated HR-scoped account, so this is an insider or compromised-account RCE path rather than fully unauthenticated - still worth patching before trusting any lower-privilege HR account.

Excelize: unbounded row-index allocation in the worksheet parser lets a crafted .xlsx OOM or panic the process

`checkSheet` allocates memory sized off a row index read straight from the worksheet XML with no upper bound, so a crafted spreadsheet with a huge declared row index drives unbounded allocation and either OOM-kills or panics the parsing process. excelize; if you parse user-uploaded .xlsx files with this library, treat it the same as any untrusted-file-parser DoS - cap memory or run parsing in an isolated worker.

Mistune: quadratic-time parsing in parse_link_text enables algorithmic-complexity DoS on crafted Markdown

A crafted Markdown input drives `parse_link_text` into quadratic-time behavior, so a modestly-sized attacker-supplied document can consume disproportionate CPU during rendering. mistune; if you render user-supplied Markdown server-side (READMEs, comments, wiki content), rate-limit or size-cap input before parsing.

mint (Elixir): unbounded streams map growth via PUSH_PROMISE frames with no follow-up HEADERS, memory-exhaustion DoS

A second mint advisory beyond today's earlier five: a malicious HTTP/2 server sends PUSH_PROMISE frames that never get a follow-up HEADERS frame, and mint's internal streams map grows unbounded tracking them, driving memory exhaustion on the client. mint (erlang); same family as this morning's CONTINUATION-frame flood bug - if you're patching mint to 1.9.0 for that one, this is covered by the same upgrade.

Tesla (Elixir): atom exhaustion via untrusted URL scheme

Tesla converts the URL scheme into an Erlang atom without bounding the input space, and atoms are never garbage-collected on the BEAM - an attacker who controls the URL passed to Tesla can exhaust the atom table across repeated requests with novel schemes, eventually crashing the VM. tesla (erlang); sixth Tesla/mint advisory in today's disclosure batch, all fixed in the same 1.18.3 release as the five from this morning's pass.

sigstore-go: multi-transparency-log threshold defense-in-depth doesn't actually require multiple independent logs (CVE-2026-49834)

Verifiers configured with `WithTransparencyLog(N>1)` expected that no single compromised log could satisfy the threshold, but the counting logic tallies verified witnesses per-entry rather than per-log-authority - a single compromised transparency or CT log can forge or verify multiple times across chains and satisfy the multi-log policy alone. Doesn't affect Cosign, which sets threshold=1. sigstore-go, patched in v1.1.5; if you built a verifier assuming N-log defense-in-depth, confirm you're past 1.1.5 rather than trusting the threshold config as written.

Windmill: scoped API tokens can read script content outside their allowed path via scripts/list_search

A resource-scoped API token is meant to be limited to a path prefix, but `GET /api/w/{workspace}/scripts/list_search` returns script `path` and `content` for every script in the workspace with no per-row scope filtering - the route-level middleware checks the token's domain/action but not its path segment. windmill <=1.714.1, unknown patch version yet; if you issue path-scoped tokens to limited-trust callers, this endpoint currently ignores that boundary.

Excon: redirect handling doesn't redact additional sensitive headers beyond Authorization

Excon strips the Authorization header on cross-origin redirects but leaves other sensitive/risky headers (custom API-key or session headers) untouched, so they still ride along to the redirect target. excon; audit any Excon-based client for custom auth headers beyond the standard Authorization if it follows redirects to less-trusted hosts.

SecureHeaders: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input

SecureHeaders builds CSP directive values from caller-supplied strings for `sandbox`, `plugin_types`, and `report_to` without escaping, so an app that feeds untrusted input into those config options can have its own CSP policy injected/weakened by an attacker. secure_headers; only exploitable if you dynamically construct these directives from user input - static config is unaffected.

CredSweeper: recursive archive size-limit bypass lets a crafted nested archive evade the deep scanner's cap

CredSweeper's deep scanner enforces a size limit on archive contents, but nested/recursive archives can be crafted to bypass that cap, letting a malicious archive avoid credential scanning it should otherwise trigger. credsweeper; if you rely on CredSweeper to catch leaked secrets in uploaded archives, don't treat archive-depth scanning as a hard guarantee until patched.

GoBGP: confederation validation panics on an empty AS_PATH attribute

A second GoBGP advisory today alongside the CapLen boundary bug in this morning's pass: confederation validation logic panics when it receives a BGP update with an empty AS_PATH attribute, crashing the process. gobgp/v4 <=4.5.0; a route-reflector or peer sending a malformed empty AS_PATH is a DoS vector on any GoBGP speaker that accepts routes from less-trusted peers.

psd-tools: arbitrary file write via smart-object filename in a crafted PSD

psd-tools writes smart-object contents to disk using a filename embedded in the PSD file with no path sanitization, so a crafted PSD can write outside the intended output directory. psd-tools; if you process user-uploaded PSD files server-side, treat this as a path-traversal writer until fixed.

Rattler: package cache path traversal via conda package build string

Rattler derives a cache path from a conda package's build string without validating it, so a crafted package with a path-traversal build string can write outside the intended cache directory during install. rattler; if you build tooling on Rattler for conda package resolution, treat untrusted package sources as able to write outside the cache path until patched.

OpenRun: redirect-URL validation bypass using `//host`-style paths leads to open redirect

OpenRun's redirect-target validation doesn't account for protocol-relative `//host` paths, which browsers treat as a full redirect to `host` - an attacker crafts a link that passes the app's own validation but sends the user off-site. openrun; classic open-redirect shape, useful in phishing chains that ride on a trusted domain's redirect.

pypdf: possible infinite loop processing threads/articles in the writer

pypdf's writer can enter an infinite loop when processing certain thread/article structures in a crafted PDF, hanging the process. pypdf; if you write or merge PDFs from untrusted input server-side, wrap the operation with a timeout until this is patched.

Sylius: IDOR on Shop Payment Request API endpoints

Sylius's Shop Payment Request API endpoints don't verify the requesting user owns the referenced payment request, letting an authenticated customer view or act on another customer's payment request by ID. sylius/sylius; third Sylius advisory in two disclosure batches this week - patch alongside the cart and payment-method bugs from this morning's pass.

12:00 ET · Forenoon Watch

YesWiki: unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action, no ACL check (CVE-2026-52766, CVSS 9.1)

The most severe item in today's YesWiki batch: `{{erasespamedcomments}}` deletes every page tag in an attacker-supplied `suppr[]` array with zero authorization check, and YesWiki's default allow-by-default ACL (`default_write_acl='*'`) means any anonymous visitor on a fresh install can wipe the front page, admin pages, or anyone else's content outright. CVSS 9.1, no auth or interaction required. yeswiki/yeswiki <4.6.6; patch now, or restrict write ACLs off the '*' default until you do.

YesWiki: authenticated PHP object injection via `unserialize()` in Bazar CSV import (CVE-2026-52777)

`CSVManager::importEntry()` calls `unserialize(base64_decode($entry))` on CSV import data with no `allowed_classes` restriction, and the follow-up `array_map('strval', ...)` exercises `__toString` on every element too, doubling the gadget-chain surface. yeswiki/yeswiki <4.6.6; a working gadget chain in any project dependency turns this into RCE, so treat it as critical even without a public PoC yet.

YesWiki: authenticated admin SSTI in Bazar semantic-template field escalates to confirmed RCE (CVE-2026-52762)

First of thirteen YesWiki advisories published in one coordinated disclosure batch today. Bazar's semantic-template field runs admin-supplied Twig through server-side rendering with no sandbox - confirmed exploitable from a harmless {{7*7}}==49 probe all the way to an interactive shell via a Twig payload invoking a system callable. Requires an authenticated admin to plant the payload, but it then fires on any public request to the semantic endpoint; composer yeswiki/yeswiki <4.6.6, and if you can't upgrade immediately, audit Bazar form configs for unexpected Twig in bn_sem_template.

YesWiki: unauthenticated ActivityPub signature-verification bypass via truthy `openssl_verify()` return (CVE-2026-52767, CVSS 8.2)

Another item in today's YesWiki batch: `HttpSignatureService` negates `openssl_verify()`'s return with a bare `!`, and PHP's `-1` (internal verify error) is truthy, so `!(-1)` is `false` and the signature check silently passes exactly when OpenSSL failed to verify. Any condition that forces `openssl_verify` to error becomes a full signature-bypass on public ActivityPub inbox routes. yeswiki/yeswiki >=4.6.2,<4.6.6; the fix needs an explicit strict comparison against `0`, not a workaround.

YesWiki: unauthenticated SSRF via ActivityPub `Signature.keyId` fetched before verification (CVE-2026-52769, CVSS 8.3)

Companion ActivityPub bug in the same YesWiki batch: the public `POST /api/forms/{formId}/actor/inbox` route parses the `Signature` header's `keyId` as a URL and issues a server-side GET to it before any cryptographic check, giving an unauthenticated attacker blind SSRF into internal services and cloud metadata (169.254.169.254) - the only precondition is ActivityPub enabled on one Bazar form. yeswiki/yeswiki >=4.6.2,<4.6.6; disable ActivityPub on public instances until patched, or firewall outbound requests from the app server.

YesWiki: unauthenticated SQL injection via public Bazar entry-listing numeric `query`/`queries` filters (CVE-2026-52770, CVSS 7.5)

Public Bazar entry-listing API escapes numeric-field filter values but never quotes or validates them before they reach SQL, giving an unauthenticated attacker boolean-blind injection and the ability to infer database contents from response differences. yeswiki/yeswiki <4.6.6, same disclosure batch as today's other YesWiki advisories.

YesWiki: second-order SQL injection in page-delete API via unescaped page tag read-back (CVE-2026-52771, CVSS 8.3)

A classic second-order injection: page tags are escaped correctly on INSERT but read back unescaped into a `DELETE FROM ..._links WHERE to_tag='$tag'` query, so a low-privilege user can store a SQL-fragment tag, make the page non-orphaned via `{{include}}`, then hit the delete endpoint for time-based blind exfiltration from any table. yeswiki/yeswiki >=4.2.0,<4.6.6; if you write similar store-then-reuse logic elsewhere, this is the shape to grep for.

YesWiki: authenticated SQL injection via `ReactionManager::deleteUserReaction()` URL path parameters (CVE-2026-52775, CVSS 8.8)

`ReactionManager::deleteUserReaction()` concatenates the `idreaction` and `id` URL path parameters straight into a SQL LIKE clause; any authenticated user gets injection. It's a sibling of the earlier unauthenticated `FormManager::create()` SQLi (CVE-2026-46670) - same raw-concatenation root cause, different component. yeswiki/yeswiki <4.6.6; grep the codebase for the same pattern rather than assuming this is the last one.

mint (Elixir): unbounded CONTINUATION frame accumulation enables memory-exhaustion DoS (CVE-2026-49754)

Mint's HTTP/2 client accumulates CONTINUATION frames into an uncapped per-connection buffer once a HEADERS frame omits END_HEADERS, so a malicious server can drive memory to arbitrary size over a single connection and kill the BEAM process - the same CONTINUATION-flood class that hit multiple HTTP/2 stacks previously. mint (erlang) >=0.2.0,<1.9.0; upgrade before trusting any third-party HTTP/2 endpoint.

Tesla (Elixir): decompression bomb via uncapped response-body decompression

Tesla's DecompressResponse/Compression middleware decompresses response bodies with zlib and no output-size cap, and stacking `content-encoding` tokens (gzip, gzip, gzip, gzip) multiplies the amplification exponentially - a tiny attacker-controlled response expands into gigabytes of BEAM heap. tesla (erlang) >=0.6.0,<1.18.3; reachable without the caller doing anything wrong anywhere Tesla follows redirects to untrusted hosts.

Tesla (Elixir): `Authorization` header leaks on cross-origin redirect via case-sensitive filter

`FollowRedirects` strips Authorization before following a cross-origin redirect, but the filter compares against the lowercase string `authorization` while Tesla preserves header casing verbatim - set the header with its RFC 7235 canonical `Authorization` casing and the strip never fires, leaking bearer tokens to the redirect target. tesla (erlang) >=0.6.0,<1.18.3; audit any service that sets this header non-lowercase.

libp2p gossipsub: CPU DoS via oversized IHAVE/IWANT control message arrays (CVE-2026-49866, CVSS 7.5)

gossipsub iterates every message ID in an IHAVE/IWANT control frame synchronously with no cap - a 4MB frame fits roughly 180,000 IDs and blocks the Node event loop about 200ms per call. IWANT has no per-peer rate limiter at all, so a single peer continuously streaming max-size frames holds the event loop above 80% utilization indefinitely; IHAVE needs about 10 Sybil peers to achieve the same stall. @libp2p/gossipsub <16.0.0.

YesWiki: SQL injection via `recentchanges` action `period` argument bypasses GET-parameter allowlist (CVE-2026-52763)

Second item in today's YesWiki batch: the `{{recentchanges period="..."}}` action-argument form skips the whitelist that its GET-parameter twin enforces, so `period` flows unvalidated into a `WHERE time >= '...'` clause and supports UNION-based injection that leaks rows straight into the rendered page. yeswiki/yeswiki <4.6.6; patch alongside the rest of today's batch.

YesWiki: stored XSS in Bazar form-field templates via unescaped `field.label`/`field.hint` (CVE-2026-52772, CVSS 4.7)

Sibling of an earlier partial fix (commit e6b66aa): Bazar form-field templates still apply `|raw('html')` to `field.label` and `field.hint` in attribute/label contexts, so an admin-authored field definition executes stored XSS in every visitor's browser, including unauthenticated ones. yeswiki/yeswiki <4.6.6.

YesWiki: reflected XSS via archived-revision `time` parameter, exploitable without auth on default installs (CVE-2026-52773, CVSS 6.1)

The archived-revision view reflects the `time` GET parameter into a hidden input unescaped, and MySQL's tolerant DATETIME coercion lets an attacker append HTML/JS after a valid timestamp; on a default install with anonymous edit rights on public pages, this needs no authentication at all. yeswiki/yeswiki >=4.1.0,<4.6.6.

YesWiki: reflected XSS via Bazar widget `id` parameter, `strip_tags()` doesn't escape quotes (CVE-2026-52774, CVSS 6.1)

The Bazar widget handler sanitizes the `id` GET parameter with `strip_tags()` alone, which doesn't touch double quotes, so an attacker breaks out of the HTML attribute and injects an event handler - no login, no page ownership, not even a real page tag required. yeswiki/yeswiki <4.6.6.

Sylius: cart FormComponent can modify or delete an already-completed order (CVE-2026-53637, CVSS 6.5)

Sylius's cart LiveComponent doesn't recheck order state before acting, so if checkout completes in another tab while the cart page stays open, `clearCart()` deletes the now-placed order outright and `removeItem()`/`saveCart()` mutate it - reachable accidentally or deliberately by the customer themselves. sylius/sylius 2.0.x<2.0.18, 2.1.x<2.1.15, 2.2.x<2.2.6.

Sylius: channel-based payment-method restriction bypass on shop account orders API (CVE-2026-53638, CVSS 4.3)

The shop-account payment-change endpoint, unlike its checkout twin, never validates that the chosen payment method is enabled for the order's channel, so an authenticated customer can assign a payment method the store operator explicitly excluded from that channel. sylius/sylius same version ranges as the cart bug above - same disclosure batch, patch together.

GoBGP: BGP OPEN capability parser reads past declared `CapLen` boundary (CVE-2026-49837, CVSS 5.9)

GoBGP's capability decoders parse from the full remaining buffer instead of the CapLen-bounded slice, so a malformed OPEN message can bleed bytes from one capability into another - worst case, a `CapLen==0` 4-octet-AS capability picks up the next capability's bytes as the peer AS value used later for validation. github.com/osrg/gobgp/v4 <=4.5.0.

API Platform Core: cross-user attribute leak in JSON:API/HAL normalizer cache (CVE-2026-49858, CVSS 5.9)

api-platform's JSON:API and HAL normalizers cache serialized component structure keyed only on `cache_key`, not on the requesting user's permissions, so a lower-privileged user can be served cached property structure that the per-request `#[ApiProperty(security:...)]` check would otherwise have hidden. Same bug class as CVE-2025-31485, which only fixed the GraphQL normalizer. api-platform/core, api-platform/json-api, api-platform/hal across 2.6.x-4.3.x; check whether your GraphQL fix already covers this or if the new patch is separately required.

morgan: log forging via unneutralized control characters in `:remote-user` token (CVE-2026-5078, CVSS 5.3)

morgan's `:remote-user` token writes the Basic-auth username straight to the log stream without stripping control characters, so a crafted Authorization header injects forged log lines and breaks one-request-per-line log parsing - affects the combined/common/default/short formats. morgan (npm) >=1.2.0,<=1.10.1, fixed in 1.11.0.

Kimai: SSRF in invoice PDF rendering via Markdown image URLs (CVE-2026-49865)

Kimai's invoice PDF renderer fetches remote image URLs embedded in customer-controlled Markdown (`invoiceText`) during PDF generation, giving SSRF against internal targets from anywhere that renders an invoice preview. kimai/kimai <=2.57.0.

tarteaucitron: `data-cookie` attribute lets attacker HTML silently delete arbitrary cookies (CVE-2026-49977, CVSS 4.3)

`tarteaucitron.cookie.purge()` fires on any element with the `purgeBtn` class with no check that it's a legitimate tarteaucitron button, so attacker HTML with a matching `data-cookie` attribute tricks a user into deleting an arbitrary non-HttpOnly cookie on click. tarteaucitronjs (npm) <1.33.0; low-impact since the attacker needs to know the target cookie name, but check any consent-banner integration for injectable HTML near cookie-purge buttons.

mint (Elixir): CRLF injection in HTTP request line via unvalidated `method` (CVE-2026-48861)

Mint's HTTP/1 encoder validates the request target for CRLF but never validates the method string, so an app that forwards attacker-controlled input as the HTTP method gets request-line splitting and can pipeline an attacker-chosen second request onto the same connection. mint (erlang) <1.9.0; low severity because it needs an app that passes untrusted input as the method, but worth a quick grep if you proxy arbitrary verbs.

Tesla (Elixir): CRLF injection via `add_content_type_param` (CVE-2026-48596)

`Tesla.Multipart.add_content_type_param/2` appends caller strings to the Content-Type header with no CRLF check, so untrusted charset/boundary parameters can split the header and inject arbitrary request headers. tesla (erlang) >=0.8.0,<1.18.3.

Tesla (Elixir): multipart `Content-Disposition` header injection via unescaped filename/field values

`part_headers_for_disposition/1` interpolates filename/field-name values into the Content-Disposition header with no escaping, so unescaped quotes inject extra disposition parameters and CRLF injects additional part headers. tesla (erlang) >=0.8.0,<1.18.3; all five Tesla/Mint advisories today land in the same 1.18.3 release - one upgrade covers all of them.

Exposed C2 server reveals WP-SHELLSTORM, a mass WordPress-backdooring operation targeting 1.4M+ sites

A cybercrime crew's own command-and-control server sat exposed on the open internet for three weeks, and researchers pulled the target list back out: over 1.4 million WordPress sites profiled under the tracked name WP-SHELLSTORM, though far fewer were actually compromised. Not a supply-chain attack itself, but the exposed tooling shows how mass site-hacking operations run in practice - useful signal if you're triaging WordPress plugin/theme alerts and want to understand how attackers prioritize targets.

Microsoft dissects GigaWiper, a Windows backdoor bundling disk-wiping, fake ransomware, and spyware

Microsoft took apart GigaWiper, a Windows backdoor that bundles three older destructive payloads - full-disk wipe, boot-record overwrite, and fake ransomware that encrypts with a key it never saves - behind operator-selectable commands. No supply-chain delivery vector has been disclosed yet, but the fake-ransomware-as-cover pattern is worth knowing for incident triage: encrypted files with no functioning ransom-note follow-through point at wiper intent, not extortion.

06:00 ET · Morning Watch

Admidio: CSRF on plugin install/uninstall/update via unprotected GET requests (CVE-2026-53760, CVSS 5.2)

Admidio's plugin install/uninstall/update endpoint reads mode and name straight off a GET request with no CSRF token check anywhere in the file, and SameSite=Lax cookies still ride along on a top-level navigation. A single link gets an authenticated admin to trigger the uninstall path, which runs the plugin's bundled DROP TABLE script — one click, irreversible data loss. Composer package admidio/admidio <=5.0.11; move plugin operations to POST and add the same validateCsrfToken() call every other admin action in the codebase already uses.

nebula-mesh: host revocation isn't durable — blocked or offboarded hosts can regain a valid certificate (CVE-2026-53602)

nebula-mesh's management API checks the host blocklist only at poll time, not at certificate issuance, so a blocked host can mint a fresh enrollment token, re-enroll, and walk away with a new certificate fingerprint that was never on the list. Renewal has the same gap in reverse — it never re-checks whether the provisioning operator is still active, so hosts an offboarded operator set up keep auto-renewing indefinitely. Go module github.com/forgekeep/nebula-mesh <0.3.7, no patched version yet; until one ships, pull blocked hosts off the mesh manually instead of trusting the blocklist to hold.

Avo: direct attachment-upload endpoint skips authorization, bypasses field-level upload policy (CVE-2026-53769, CVSS 6.5)

Avo's direct attachment-upload endpoint creates and attaches the ActiveStorage blob before it ever checks the upload_<field>? or update? policy — the delete path authorizes correctly, the create path just never calls authorize_action. An authenticated low-privilege user can overwrite or add attachments on records the app's own policy explicitly denies them from touching. RubyGem avo >=2.28.0,<3.32.0; no fixed version yet, restrict Avo routes to fully trusted admins until upload authorization lands.