v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Tuesday · 14 July 2026 End-of-day synthesis 4 watches · 51 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A pile-up day: four new FacturaScripts advisories, three same-root-cause Anyquery RCE-class bugs, and three separate MCP-server disclosures landed alongside two live GitHub/npm impersonation campaigns and four newly-confirmed CISA KEV exploits.

Today's shape is breadth, not one dominant story. Vendor security-audit disclosures dropped in four unrelated batches — FacturaScripts (four new advisories, two critical, headlined by an unauthenticated path-traversal RCE and a REST API SQL injection, on top of yesterday's 2FA-bypass finding for the same vendor), Anyquery (three same-root-cause bugs spanning RCE, SSRF, and local file read in server mode), nebula-mesh, and Woodpecker CI — stacked on top of this morning's DIRAC batch.

Two active campaigns are running in parallel: a trusted-scope compromise of the official @asyncapi npm namespace dropping a cross-platform Miasma botnet loader, and a volume impersonation campaign standing up nearly 300 fake GitHub repos to push infostealers. The MCP ecosystem had a rough day too — NetLicensing-MCP, yutu, and n8n-MCP each disclosed a distinct MCP-specific bug (exposed API keys, arbitrary file write, cross-tenant backup access), a reminder that self-hosted MCP servers inherit every ordinary web-service bug class plus a few new ones. CISA also confirmed four fresh KEV exploits today — AD FS, SharePoint, and two SonicWall SMA1000 bugs — none supply-chain, all actively exploited right now.

The bright spot: outside the two campaigns and the four KEV entries, everything else today is disclosed-not-exploited — responsible-research findings with patches or clear mitigations already available for the highest-severity items. Operational priority for the night: pin or roll back any AsyncAPI npm dependency pulled in the last week, and patch the two internet-facing SonicWall SMA1000 KEV entries plus SharePoint and AD FS before their respective BOD 26-04 deadlines this week.

18:00 ET · First Watch

CISA KEV add: Microsoft AD FS insufficient access-control granularity, confirmed exploited

CISA added this AD FS privilege-escalation gap to the KEV catalog today, confirming active exploitation — an authenticated attacker can elevate privileges locally on federation servers. AD FS sits in the auth path for hybrid AD/Azure environments, so a local privesc here is a stepping stone to broader identity compromise. Apply Microsoft's mitigation before the BOD 26-04 due date (2026-07-28) and check AD FS logs for anomalous privilege changes since disclosure.

CISA KEV add: SharePoint Server missing authentication for critical function, confirmed exploited

KEV add confirms active exploitation of a missing-authentication flaw that lets an unauthorized network attacker elevate privileges — no credentials required to reach the vulnerable function. SharePoint's history as a ransomware entry point (2025's ToolShell campaign) makes any unauthenticated privesc bug here high-priority regardless of CVSS. Due date is 2026-07-17 — treat internet-facing SharePoint as the priority tier tonight.

CISA KEV add: SonicWall SMA1000 SSRF, confirmed exploited

SonicWall's SMA1000 secure-access gateway has a remote, unauthenticated SSRF now confirmed under active exploitation. SMA appliances are a recurring target for edge-device campaigns — SSRF on the gateway is typically the first step toward the internal management surface. Patch per SonicWall's advisory before the 2026-07-17 BOD due date.

CISA KEV add: SonicWall SMA1000 code injection, confirmed exploited

Companion KEV add on the same SMA1000 line — an authenticated administrator-level attacker can inject and execute arbitrary OS commands. Paired with the SSRF above, an attacker reaching the SSRF's internal surface may have a path to this bug's admin-level trigger; patch both together, not as independent fixes.

Nearly 300 fake GitHub repos impersonate legitimate software and security projects to push infostealers

A threat actor has stood up close to 300 GitHub repositories impersonating legitimate software and security tooling, each serving as a delivery mechanism for infostealer malware. This is a volume impersonation campaign rather than a single compromised package — the defense is developer hygiene (verify org/maintainer identity before cloning or running install scripts from search-result repos), not a patch. Worth a reminder in standup if your team pulls tooling from GitHub search rather than known namespaces.

FacturaScripts: path traversal in UploadedFile::move() leads to arbitrary file write and RCE

UploadedFile::move() concatenates the destination path with the attacker-controlled original filename without validation, so a crafted filename with traversal sequences writes arbitrary files outside MyFiles/ — including into web-servable locations, yielding remote code execution. First of four new FacturaScripts advisories today, on top of yesterday's 2FA-bypass disclosure for the same vendor; this is the one to patch immediately, the others compound it. No patched version is cited yet — pull the fix commit or restrict upload paths at the web server until one lands.

FacturaScripts: authenticated SQL injection in REST API filter parameter via parenthesis bypass

The FacturaScripts REST API's filter parameter is vulnerable to authenticated SQL injection via a parenthesis bypass in Where::sqlColumn — verified working against a stock install. Combined with today's path-traversal RCE and yesterday's 2FA bypass on the same vendor, a chained path from low-priv account to full database compromise looks realistic. Audit REST API access logs for parenthesis-heavy filter values.

TidGi Desktop: RCE via malicious TiddlyWiki repository import (auto-executing startup tiddler)

Importing a malicious TiddlyWiki repository into TidGi Desktop auto-executes a startup tiddler module, achieving remote code execution from a single import action — no further interaction needed. TiddlyWiki files are routinely shared as knowledge-base exports; treat any TiddlyWiki repo from an untrusted source as executable content, not a document. No fix version is cited yet — avoid importing third-party TiddlyWiki repos until one ships.

n8n-MCP: cross-tenant access to workflow version backups in multi-tenant HTTP deployments

In multi-tenant HTTP deployments, n8n-MCP's workflow version backups are stored without tenant isolation, letting one authenticated tenant read another tenant's workflow history — which routinely embeds credentials and API keys. If you run n8n-MCP as a shared multi-tenant service, treat this as a live credential-exposure risk, not a theoretical bug. A companion medium-severity advisory (GHSA-2cf7-hpwf-47h9) covers a related default-scope backup exposure in the same feature — patch both together.

Anyquery: arbitrary file write via unrestricted ATTACH DATABASE in server mode, leads to RCE

Anyquery's server mode doesn't restrict native SQLite disk commands, so ATTACH DATABASE lets an attacker point at an arbitrary path and write a file there — combined with SQLite's ability to write executable content, that's remote code execution. First of three same-day Anyquery advisories, all rooted in the same missing input validation across its SQLite virtual table modules; the SSRF and local-file-read companions below share the fix. Disable server mode or restrict it to trusted networks until a patch ships.

Anyquery: SSRF via unrestricted SQLite virtual table modules in server mode

Second of three same-day Anyquery advisories: server mode's SQLite virtual table modules also allow unrestricted outbound HTTP requests, giving an attacker an SSRF primitive against internal services reachable from the Anyquery host. Same root cause and same fix path as the RCE above — patch once, not three times.

nebula-mesh: certificate revocation is never enforced at the mesh

nebula-mesh revokes a host by pushing its certificate fingerprint to a blocklist distributed to agents each poll cycle, but the mesh itself never checks that blocklist when establishing connections — a revoked host's certificate is still accepted for new tunnels. Revocation working everywhere except the one place it's supposed to matter is the kind of gap that survives testing because the control plane looks correct. If you rely on nebula-mesh revocation to offboard compromised nodes, treat it as non-functional until fixed.

nebula-mesh: operator session tokens stored in plaintext in the database

Operator session tokens are stored in plaintext in the operator_sessions table, with the token itself as the primary key — any read access to the database (backup, replica, or a future SQL injection) yields working session tokens directly. Companion finding in the same nebula-mesh audit batch as the cert-revocation gap above; three more medium-severity issues from the same review (enrollment-token TTL, unbounded OIDC state, unzeroized CA key on error paths) round out the disclosure.

NetLicensing-MCP: unauthenticated use of the server-side NetLicensing API key in HTTP mode

Running netlicensing-mcp in HTTP transport mode exposes the server-side NetLicensing API key to any client that can reach the endpoint, with no authentication gating access. MCP servers that proxy a licensing or billing API key are an increasingly common shape for this bug class — audit any self-hosted MCP server for the same ‘server-side secret, no auth in HTTP mode’ pattern. Restrict network access to the HTTP endpoint until patched.

yutu: arbitrary file write via MCP caption-download tool

The caption-download MCP tool in yutu passes the caller-supplied file parameter straight to os.Create with no path validation, so an MCP client can write to arbitrary filesystem locations the yutu process can reach. Second MCP-specific bug disclosed today alongside NetLicensing-MCP — if you're running third-party MCP tools with filesystem or secret access, this is a good week to review their input handling specifically.

Woodpecker CI: privilege escalation via unrestricted serviceAccountName in the Kubernetes backend

Woodpecker's Kubernetes backend lets a pipeline's backend.k8s.serviceAccountName option be set without restriction, so a pipeline author can request any service account in the cluster — including ones with far more privilege than CI should have. Standard pipeline-config-as-privilege-escalation shape; restrict which service accounts pipelines can request via admission policy rather than trusting the pipeline config alone.

Woodpecker CI: gRPC agent_id metadata can be spoofed, enabling cross-tenant agent impersonation

Second Woodpecker bug in the same disclosure: the gRPC layer trusts an agent-supplied agent_id in metadata without verifying it against the connection, so any authenticated agent can impersonate any other agent on the server. In a shared or multi-tenant Woodpecker deployment this breaks agent-level isolation between pipelines. Patch both Woodpecker items together.

TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests

tsdproxy's reverse-proxy handler forwards the client-supplied X-Forwarded-For header to backend services without stripping or overwriting it, so any client can spoof the source IP backend services see. Anything downstream that makes access-control or rate-limit decisions based on X-Forwarded-For is bypassable. Patch to the fixed release, or explicitly strip/overwrite XFF at the proxy config until you can.

FacturaScripts: CSV formula injection in CSVExport executes when an admin opens the export

CSVExport doesn't sanitize authenticated low-privilege user input before writing it into exported CSVs, so a crafted cell value executes as a formula when an admin opens the export in Excel or similar — classic CSV-injection-to-code-execution-on-the-admin's-desktop. Third of four new FacturaScripts items today; the pattern across this batch is consistently missing input validation at trust boundaries.

FacturaScripts: unauthenticated path traversal in static file controllers reads private MyFiles documents

Static file controllers authorize requests by inspecting the URL string rather than the resolved path, so an unauthenticated request with traversal sequences reads private documents from MyFiles/ that should require a session. Fourth and last of today's FacturaScripts advisories — this vendor's file-handling layer is the common thread across nearly all of them, today and yesterday both.

Fedify: earlier SSRF mitigation incomplete, validatePublicUrl still allows special-use IPv4 ranges

Fedify's earlier SSRF fix (GHSA-p9cg-vqcc-grcx) validated against public IP ranges but missed special-use IPv4 blocks, so validatePublicUrl still lets a crafted URL reach internal-adjacent addresses the original patch was supposed to close off. A fix for a fix landing incomplete is worth flagging specifically — if you patched the earlier Fedify SSRF and considered it closed, it isn't. Update again.

Netty: denial of service via unbounded headers in StompSubframeDecoder

StompSubframeDecoder doesn't cap the number or cumulative size of headers in a STOMP frame, so a single malicious frame can drive unbounded memory allocation and OOM the process. Netty underpins a large share of the JVM networking ecosystem — anyone terminating STOMP (common in messaging middleware fronting Spring apps) should check their Netty version against the fix.

06:00 ET · Morning Watch

Compromised npm packages in the official @asyncapi namespace deliver a cross-platform Miasma botnet loader

Socket flagged three packages in the official @asyncapi npm namespace carrying a loader for the Miasma botnet, with payloads for macOS, Linux, and Windows. A trusted-scope compromise in widely-used API-spec tooling is an active campaign, not a disclosure — treat any recent AsyncAPI install as compromised until Socket publishes the exact package/version list. Pin AsyncAPI dependencies to a known-good pre-compromise version and check build hosts that pulled from the namespace in the last few days for the loader's persistence mechanism.

DIRAC RequestManager remote code execution via eval() on untrusted input

DIRAC's RequestManager passes the groupingAttribute parameter from export_getRequestCountersWeb straight into eval(), and any authenticated user can reach it — a crafted dunder-attribute string walks back to the os module and runs commands as the DIRAC service account. This is the second critical eval-on-untrusted-input RCE disclosed in DIRAC this week (FileCatalog's DatasetManager hit the same bug class yesterday), so treat it as one audit finding a systemic pattern rather than two isolated bugs. Grep RequestDB.py and other DIRAC service handlers for eval( before assuming the patch (8.0.79 / 9.0.22 / 9.1.10) covers every instance — the advisory notes other eval calls in the same files may be equally reachable.

Kimai: pre-2FA session cookie grants full REST API access, bypassing TOTP entirely

Kimai issues the KIMAI_SESSION cookie as soon as the password step succeeds — before the TOTP prompt — and every /api/* endpoint accepts that cookie as fully authenticated, so 2FA protects only the web UI, not the API. Anyone who steals or replays that early cookie gets complete API access to a 2FA-enabled account with nothing but the password. Patch to Kimai 2.59.0 and rotate any session tokens that might have been captured in transit.

DIRAC PilotManager: SQL injection plus missing access control lets any authenticated user manage grid pilot jobs

PilotManagerHandler functions like setPilotStatus pass parameters straight to the database layer with no escaping, and the service is gated only by ‘authenticated’ rather than any real authorization check. Any logged-in DIRAC user can delete or read the output of any pilot job on the grid, and carefully-crafted parameters can likely alter unrelated database rows. Third DIRAC advisory in this batch — patch alongside the RequestManager and FileCatalog RCEs rather than one at a time.

DIRAC pilot code fetched over unverified HTTPS, opening a MITM path to arbitrary code execution

The DIRAC pilot wrapper disables SSL certificate validation when downloading the second-stage pilot.tar (a holdover for pre-2.7.9 Python behavior), and the checksum used to verify it is fetched over that same unvalidated channel — so a network-position attacker can swap both the payload and its checksum together. Exploitation needs a MITM foothold against a grid site's network, which raises the bar, but the payoff is arbitrary code execution with pilot proxy credentials. Fixed alongside the other three DIRAC advisories in 8.0.79 / 9.0.22 / 9.1.10.

NukeViet: path traversal in Edit Comment lets an admin delete arbitrary files, including config.php

The attach POST parameter in the comment-edit admin function is stripped by a fixed-length substr() instead of validated, so padding a payload with exactly 26 filler characters plus a traversal sequence stores a path outside the uploads directory; deleting that comment later calls nv_deletefile() on the stored path. An authenticated admin — or anyone who compromises one — can wipe config.php and take the site offline. Patch to 4.6.00 and audit stored attach values for traversal sequences.

NukeViet: form-feed and entity-encoding bypasses in the anti-XSS filter enable stored XSS in the News module

Two independent bypasses in NukeViet\Core\Request::filterAttr() and unhtmlentities() — one abusing PHP's trim() not stripping the ASCII form-feed character before an event-handler name — let any account with news-post permission store JavaScript that executes for every visitor. A low privilege bar for a stored-XSS primitive against all site visitors is the concerning part. Patch to 4.6.00; if you can't patch immediately, audit recent news posts from low-trust accounts for \x0C-prefixed attributes.

NukeViet: stored XSS via unescaped display name in the comment Reply onclick handler

A low-privileged user's profile display name is interpolated unescaped into an inline onclick handler on the comment Reply link, so a crafted display name runs JavaScript in the browser of anyone — including admins — who clicks Reply on that user's comment. Same disclosure batch as the filter-bypass XSS above; both point at the same weak spot in NukeViet's comment templating. Patch to 4.6.00 and treat any admin session that clicked Reply on an unfamiliar commenter as potentially exposed.

NukeViet: unauthenticated reflected XSS in Comment module, compounded by a site-wide-static anti-forgery token

The status_comment URL parameter accepts base64-encoded HTML/JS decoded and rendered unescaped server-side, and the checkss anti-CSRF token that should gate the request is derived from a static site-wide value (NV_CACHE_PREFIX) instead of a per-session secret — so the token is reusable across every user and the whole attack ships as a single crafted URL, no auth required. That combination turns a routine reflected-XSS bug into a mass-phishable link. Fourth and final NukeViet item in this batch; patch to 4.6.00 across all four.

Apollo ConfigService: AccessKey authentication bypass via non-canonical appId matching

ConfigService looks up AccessKey secrets using the appId parsed from the request; if that value is a non-canonical variant (accent or trailing-space forms a database collation treats as equivalent) the cache lookup misses, ConfigService assumes there's no secret to check, and skips signature verification entirely — while the downstream release lookup still resolves to the real, protected app. An unauthenticated attacker can read configuration data from any ConfigService deployment where AccessKey auth is enabled and the DB collation is accent- or space-insensitive. Second Apollo ConfigService advisory covering this appId-parsing weak spot — confirm both fixes landed together.

Decidim: identity verification documents exposed via long-lived signed links, no session required

Verification-document images are served through signed /rails/active_storage/disk/ URLs valid for seven days, embedded directly in the admin review page HTML — anyone who obtains one of those URLs, via referrer leakage, logs, or a shared screen, can pull the participant's scanned ID for the full week without ever authenticating. Government/civic-platform ID documents are about as sensitive as data gets; treat any exposed verification URL as a document leak requiring notification, not just a bug. Patch to decidim-verifications 0.30.9 / 0.31.5 / 0.32.0.

Kimai: ExportTemplate CRUD missing authorization lets a TEAMLEAD plant global export templates

ExportController's web routes for creating and editing export templates check only the class-level create_export permission (granted to ROLE_TEAMLEAD), while the API and UI correctly require the stricter create_export_template (ROLE_ADMIN/SUPER_ADMIN only) — so a TEAMLEAD can reach the web route directly and plant global export templates visible to every user, including admins. First of eleven Kimai authorization advisories disclosed in this batch overnight; low severity individually, but the pattern — web routes missing checks the API enforces — repeats across several of the others. Patch to 2.59.0.

Kimai: Timesheet Restart/Duplicate don't re-check project access after it's been revoked

A user whose project access was revoked can still spin up new timesheets against that project via restart/duplicate, because the check runs at grant time rather than execution time. Stale-authorization bug — the kind that survives an access review because the initial grant was legitimate. Patch to 2.59.0.

Kimai: improper authorization through Activity Creation with a preset project

Activity creation with a preset project skips the authorization check that would normally block creating activities under projects the user isn't authorized for. Same authorization-bypass shape as the rest of this Kimai batch. Patch to 2.59.0.

Kimai: Timesheet PATCH/POST can assign to a project outside the user's team via a query-builder OR-bypass

A logic error in the query builder used for the timesheet authorization check allows an OR-condition bypass, letting a user assign a timesheet to a project outside their team. A distinct root cause from the other Kimai items in this batch — worth a separate look during patch review, not just a rubber-stamp. Patch to 2.59.0.

Apollo Portal: unauthorized read access to configuration data via unvalidated release-ID lookup

GET /envs/{env}/releases/{releaseId} doesn't call the permission validator that should hide config from unauthorized viewers, so a low-privileged Portal user who obtains or guesses a valid release ID can read configuration from applications and namespaces they're not authorized for. Distinct component from the ConfigService AccessKey bypasses disclosed alongside it — Portal and ConfigService are separate authorization boundaries in Apollo, both breached today. Patch to 2.5.0.

Decidim: push subscriptions can be abused to trigger server-side requests

The push-subscription feature can be abused for an SSRF-adjacent server-side request primitive. First of seven Decidim advisories in today's batch; check push-subscription endpoints aren't reachable from untrusted input in your deployment. Patch to decidim-core 0.30.9 / 0.31.5 / 0.32.0.

Decidim: HTML content blocks allow stored script execution

A content-authoring feature (HTML content blocks) doubles as a stored-XSS vector for whoever can create blocks. Part of today's seven-advisory Decidim batch. Patch to decidim-core 0.30.9 / 0.31.5 / 0.32.0.

Decidim: CSV census record endpoints have improper authorization

Census/voter-roll export endpoints expose data beyond the intended admin scope. Census data is sensitive by nature; verify who's been exporting from these endpoints while unpatched. Patch to decidim-verifications 0.30.9 / 0.31.5 / 0.32.0.

Decidim: private exports can be downloaded through reusable signed links

Same root pattern as the verification-document leak above — Active Storage disk URLs standing in for real session-gated authorization — recurring on a second Decidim resource type in the same disclosure batch. Patch to decidim-core 0.30.9 / 0.31.5 / 0.32.0.

Decidim: verification admins can access supplied IDs from other organizations

A multi-tenant isolation gap in Decidim's verification admin tooling lets an admin see identity documents from organizations they don't administer. Relevant to any Decidim instance hosting more than one organization or participatory process. Patch to decidim-verifications 0.30.9 / 0.31.5 / 0.32.0.

Decidim: forms admin question editor lacks an authorization check

Users can edit form questions outside their intended scope because the question editor doesn't check authorization. Seventh and last Decidim advisory in today's batch — same authorization-audit shape as the Kimai cluster above, different framework. Patch to decidim-demographics 0.31.5 / 0.32.0.