v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Monday · 13 July 2026 End-of-day synthesis 4 watches · 19 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A late 21:00 ET wave adds two more confirmed-exploitable criticals — a hardcoded Docker default secret enabling Kimai account takeover and a brute-forceable FacturaScripts 2FA bypass — on top of a day that already carried a newly-exploited legacy Cisco IOS bug, DIRAC's double eval()-to-RCE disclosure, and day three of the unresolved jscrambler npm infostealer.

Two genuine criticals opened the evening from opposite ends of the software-age spectrum — a legacy 2008 Cisco IOS CSRF bug newly confirmed under active exploitation, and DIRAC's double eval()-to-RCE disclosure — layered on day three of the still-unresolved jscrambler npm infostealer and batch disclosures from NukeViet and Decidim. The 18:00 synthesis closed on that shape.

Late escalation at 21:00 ET: two more criticals landed in the ninety minutes after First Watch, both shipping with working proof-of-concept exploits. Kimai's official Docker image has shipped a hardcoded, publicly-known APP_SECRET as its default since inception — unauthenticated attackers can forge session cookies and login links to take over any account, including super_admin, that isn't 2FA-protected (CVE-2026-52824); a companion high-severity bug lets a pre-2FA session cookie grant full REST API access before TOTP ever completes, and nine more medium authorization/CSRF bugs rounded out an eleven-advisory Kimai batch. Separately, FacturaScripts's 2FA verification endpoint ships with no CSRF protection, no rate limiting, and a verification window eight times wider than the underlying library's default (CVE-2026-47677, CVSS 9.3) — a published brute-force script took over a 2FA-enabled account in under two minutes against a default install.

→ Operational priority for the night if you run Kimai's official Docker image, check whether APP_SECRET is still the literal string change_this_to_something_unique and rotate it immediately regardless of patch status; if you run FacturaScripts with 2FA enabled, treat every 2FA-gated account as effectively unauthenticated until patched, and keep the Cisco IOS 12.4 management-interface removal and jscrambler credential rotation from this morning's priority list open too.

21:00 ET · Last Watch

Kimai discloses eleven advisories in one late-night batch — a hardcoded Docker default secret enables full account takeover

The official Kimai Docker image has shipped `APP_SECRET=change_this_to_something_unique` as its default since inception, and nothing in the entrypoint script checks for or replaces that sentinel value; since Symfony uses `APP_SECRET` as `kernel.secret` to HMAC-sign remember-me cookies, login links, and CSRF tokens, any instance still running the default can have its authentication tokens forged by an unauthenticated attacker (CVE-2026-52824). A companion high-severity bug lets the pre-2FA `KIMAI_SESSION` cookie grant full authenticated REST API access before TOTP verification ever completes, and nine more medium authorization/CSRF bugs across timesheets, teams, and exports round out the batch. If you run Kimai's Docker image, check `/opt/kimai/.env.local` (or your container env) for the literal string `change_this_to_something_unique` and rotate it now — don't wait for the point release.

FacturaScripts's 2FA endpoint skips CSRF checks and rate-limiting, and its verification window is 17x wider than it needs to be — full account takeover by brute force

`twoFactorValidationAction()` accepts an unauthenticated POST of just a username and TOTP code, never checks a CSRF token, and never consults the incident/lockout guard that gates the regular login path — combined with a verification window of 8 (vs. the library default of 1), roughly 17 codes are valid simultaneously, so brute force needs only ~40,800 guesses on average (CVSS 9.3, published PoC took over a test account in under two minutes at ~400 requests/sec from one IP). Enabling 2FA in FacturaScripts today is strictly weaker than not enabling it, since it adds an unauthenticated brute-forceable path that didn't exist before. If you run FacturaScripts with 2FA enabled, treat those accounts as effectively unauthenticated until you patch — admin nicks are usually guessable, and the endpoint requires no password.

json_repair: a circular $ref in a JSON Schema drives unbounded CPU consumption

json_repair's schema-guided repair mode doesn't detect cycles in `$ref` chains, so a schema that references itself sends the resolver into effectively unbounded recursion/looping and pins a CPU core. If you accept user-supplied JSON Schemas anywhere near this library — which is common in LLM-output-validation pipelines — that's an easy single-request DoS; validate or cap schema complexity before handing it to json_repair, and upgrade once a fix ships.

Apple App Store Server Python library's SignedDataVerifier can accept a stale OCSP GOOD response, bypassing certificate revocation

`SignedDataVerifier` doesn't consistently enforce OCSP response freshness, so a captured or replayed GOOD response can validate a certificate Apple has since revoked. Anyone verifying App Store server notifications or receipts with this library should upgrade and, if patching is delayed, check that revoked-cert handling isn't silently accepting old attestations.

18:00 ET · First Watch

Jscrambler npm infostealer enters day three — BleepingComputer confirms roughly 1,500 downloads across the five malicious releases, still no confirmed resolution

This is not a new compromise — it's wider press pickup of the jscrambler campaign Socket first disclosed 2026-07-11 (five malicious releases, 8.14.0 through 8.20.0, a Rust infostealer that specifically targeted Claude Desktop/Cursor/Windsurf/Zed MCP configs alongside cloud and wallet credentials). BleepingComputer's follow-up adds the first concrete impact number, roughly 1,500 downloads across the bad releases, but as of this pass there's still no confirmed victim count or all-clear from Jscrambler itself — three days in, that reads as unresolved rather than contained. If any machine in your fleet touched jscrambler 8.14.0/8.16.0/8.17.0/8.18.0/8.20.0 and hasn't had its MCP, cloud, and wallet credentials rotated yet, that's still tonight's most urgent item, not yesterday's.

CISA adds an 18-year-old Cisco IOS CSRF bug to KEV — first confirmed exploitation of CVE-2008-4128

CVE-2008-4128, a pair of CSRF flaws in Cisco IOS 12.4's HTTP management interface disclosed in 2008, joined KEV today, meaning CISA has confirmed active exploitation of code nearly two decades old. IOS 12.4 is long past end-of-sale and end-of-support, so there's no patch to apply — the only fixes are replacing the device or pulling its HTTP management interface off the network entirely. Newly-catalogued KEV adds go to the top of the list regardless of CVSS; treat any reachable legacy Cisco IOS gear as in-scope tonight, not "too old to matter."

DIRAC ships four advisories at once — two independent eval()-on-untrusted-input RCE chains, plus a SQLi and an MITM-able pilot bootstrap

DIRAC, the grid-computing framework used across CERN's WLCG and similar high-energy-physics infrastructure, disclosed two separate CVSS-9.9 chains where unsanitized input reaches eval(): FileCatalog's DatasetManager builds a query with an unescaped f-string and evals the result (CVE-2026-61667), and RequestManager does the same trick with a groupingAttribute parameter that walks back up to os-module functions (CVE-2026-45579) — same root cause, two subsystems, both give any authenticated user full server compromise including stored proxies and DB credentials. Two accompanying highs round out the release: unescaped SQL parameters in PilotManager let any authenticated user manage other users' pilot jobs, and the second-stage pilot script downloads over HTTPS with certificate verification explicitly disabled, open to a MITM code swap. If you run DIRAC anywhere in a grid or batch-computing pipeline, this is a same-day upgrade to 8.0.79 / 9.0.22 / 9.1.10, not a backlog item — the eval() sinks are directly reachable by any authenticated user.

NukeViet CMS discloses five high-severity bugs in one batch — pre-auth SSRF, arbitrary file deletion, and a working credential-phishing XSS chain

NukeViet shipped five advisories together: a pre-auth SSRF via spoofed X-Forwarded-Host headers, a path-traversal bug that lets an admin session delete arbitrary files including config.php, two anti-XSS filter bypasses (a stray form-feed character and a decimal HTML entity both slip past the existing filters), and an unauthenticated reflected XSS in the comment module where researchers demonstrated a phishing overlay that actually exfiltrated plaintext credentials. The reflected XSS is the one to prioritize — it needs no authentication and the session token used to gate the comment loader turned out to be a static, site-wide value instead of per-session, so it's readable straight out of any page's HTML. Update to the patched release; if you can't patch immediately, strip client-supplied X-Forwarded-* headers at the reverse proxy as a stopgap for the SSRF.

Apollo ConfigService's AccessKey authentication can be bypassed via two separate appId-parsing bugs

Apollo's ConfigService parses the appId in a request path incorrectly for two endpoint families — raw config file reads and non-canonical appId variants under accent- or space-insensitive database collations — and in both cases it can end up checking for an AccessKey secret against the wrong appId, concluding none exists, and skipping signature verification entirely. The practical effect is an unauthenticated attacker reading configuration data from an app that has AccessKey/management-key auth explicitly enabled, which defeats the point of that control. A third, older advisory for the companion Apollo Portal component (CVE-2025-32781) republished today covers a related unauthorized config-center access path; if you run Apollo, upgrade ConfigService to 2.5.2 and check Portal's advisory too.

Decidim discloses nine advisories at once from a single third-party security audit — two high, seven medium

All nine came out of one Radically Open Security audit commissioned by the Decidim Association and landed together: the two highs are a JWT-backed authentication token that can be replayed across organizations, and verification documents reachable through reusable download links. The seven mediums cover push-subscription SSRF, admin-editable HTML blocks rendered without sanitization, improper authorization on CSV census records and forms question editing, SQL injection through admin search sorting, and cross-organization ID exposure to verification admins — mostly requiring existing admin or participant-manager privilege, which caps the blast radius but not the cleanup work. Nine tickets from one release is the healthy version of disclosure; if you run Decidim, work through the two highs first and batch the mediums into this week's patch cycle.

GeoNode stored XSS chains into full account takeover

A stored XSS in GeoNode, an open-source geospatial content platform, escalates to full account takeover — the usual session-hijack path once script execution lands in another user's browser context. Patch to the fixed release; if GeoNode is public-facing, review recent uploads or profile edits for injected script content while you're at it.

New macOS infostealer CrashStealer poses as Apple's crash-reporting tool, uses a notarized dropper to clear Gatekeeper

CrashStealer is a native C++ macOS infostealer (Jamf Threat Labs) that impersonates Apple's own crash-reporting tool and ships through a dropper that's been notarized, so Gatekeeper waves it through. It's not a supply-chain compromise in the package sense, but it rhymes: it abuses the same trust signal — Apple notarization — that developers rely on to vouch for third-party binaries. Worth a mention for anyone doing macOS endpoint response; it validates the victim's password locally before exfiltrating keychain and crypto-wallet data.

12:00 ET · Forenoon Watch

CISA KEV backfill: Joomlack Page Builder unauthenticated file-upload RCE (CVE-2026-56290)

KEV added this on 2026-07-07 (due 2026-07-10, already past due) and it only surfaces in this pipeline now via the 30-day backfill window. Same unrestricted-upload shape as Balbooa Forms and iCagenda published earlier this month: no dangerous-type check on the upload path, straight to PHP execution with no authentication. Fourth Joomla extension in this KEV run sharing the exact bug class — worth a single sweep of any Joomla install for all four plugin names.

CISA KEV backfill: Lantronix EDS5000 root-privileged command injection (CVE-2025-67038)

Lantronix EDS5000 device-server code injection was added to KEV on 2026-06-23 (due 2026-06-26, three weeks overdue) and only reaches this watch now via backfill. The username parameter passes unsanitized into a root-privileged OS command, so a crafted login attempt becomes full device takeover. If you run EDS5000 serial-to-network gateways on an OT/industrial segment, confirm firmware is patched — the KEV due date passed nearly three weeks ago.

CISA KEV backfill: Ubiquiti UniFi OS command injection via improper input validation (CVE-2026-34910)

First of three Ubiquiti UniFi OS CVEs that hit KEV together on 2026-06-23 (due 2026-06-26) and are only reaching this watch now via backfill. A malicious actor with network access to the controller can inject OS commands through unvalidated input. Requires network access to the UniFi controller rather than open internet exposure, but that's a low bar on any site where UniFi shares infra with less-trusted segments.

CISA KEV backfill: Ubiquiti UniFi OS path traversal (CVE-2026-34909)

Second of the three UniFi OS entries in the same 2026-06-23 KEV batch: path traversal lets a network-adjacent attacker read files off the underlying system, including ones that can be manipulated to reach an account. Patch UniFi OS to the version in Ubiquiti's advisory 064-064 alongside the other two entries in this batch — due date passed three weeks ago.

CISA KEV backfill: Ubiquiti UniFi OS improper access control (CVE-2026-34908)

Third of the UniFi OS trio: improper access control lets a network-adjacent attacker make unauthorized changes to the system outright. Same 2026-06-23 KEV add, same advisory, same fix — treat all three UniFi CVEs as one patching action, not three.

CISA KEV backfill: Splunk Enterprise missing authentication on PostgreSQL sidecar (CVE-2026-20253)

Splunk Enterprise's missing-authentication bug on its PostgreSQL sidecar endpoint let an unauthenticated user create or truncate arbitrary files; it's been in KEV since 2026-06-18 (due 2026-06-21) and is a backfill catch, not new news. If Splunk Enterprise runs anywhere in your stack, verify the SVD-2026-0603 patch landed — file-truncation-as-a-service against a logging platform is a quiet way to damage audit trails before an incident is even noticed.

CISA KEV backfill: Widget Factory Joomla Content Editor improper access control (CVE-2026-48907)

Rounding out today's backfill: Widget Factory's Joomla Content Editor bug, KEV since 2026-06-16 (due 2026-06-19), lets an unauthenticated user create a new editor profile and upload PHP straight to execution — fifth Joomla extension in this KEV run sharing an upload-to-RCE shape with Balbooa, iCagenda, SP Page Builder, and today's Joomlack entry. If Joomla is anywhere in your inventory, this is worth a dedicated extension audit rather than patching one CVE at a time.