v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Wednesday · 15 July 2026 End-of-day synthesis 4 watches · 66 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — MantisBT's zero-password admin takeover held the day's top story, but a 9pm wave of 22 GHSA advisories — a six-language Datadog tracer DoS, a Rails ViewComponent XSS bypass, and a django-haystack eval() RCE — pushed the day's high-severity count past 30.

Today paired one confirmed active supply-chain attack with one mass vulnerability dump on a widely self-hosted tool. Security researchers nailed down the exact AsyncAPI npm compromise — five specific package versions, one carrying roughly 2M weekly downloads — and traced the entry point to a backdoored GitHub Actions workflow rather than a stolen token, which shifts the fix from ‘rotate npm tokens’ to ‘audit the org’s CI.’

The bigger story, though, is MantisBT: eight advisories landed at once, headlined by a SOAP API bug that lets anyone who self-registers — the default configuration — read their own session cookie and use it to impersonate the administrator with zero password knowledge, chaining into a SQL injection that dumps the whole database and an eval()-based RCE for anyone who already has admin. Koel added five more advisories showing its earlier SSRF fix only closed one of five vulnerable fetch paths, and a handful of unrelated SSRF and path-traversal bugs (TensorZero, obsidian-local-rest-api, LangBot's MCP config) round out a day where ‘we already patched that’ kept turning out to be only half true.

Late escalation at 21:00 ET: a fresh batch of 22 GHSA advisories landed between First Watch and bedtime, adding a dozen more high-severity items to the board — a W3C baggage-parsing DoS shipped simultaneously across all six Datadog tracer language SDKs, a ViewComponent around_render bypass that defeats Rails' HTML escaping in collection rendering, and a django-haystack eval() RCE triggered by attacker-controlled Elasticsearch content. None of it unseats MantisBT as the day's top story, but it's a lot of ground to cover before bed. The bright spot holds: every high-severity find today — MantisBT, Koel, TensorZero, and tonight's late batch — already ships a patched release or a documented workaround; nothing here is a zero-day with no fix available.

→ Operational priority for the night if MantisBT runs anywhere in your stack, patch now or disable self-registration — the admin-bypass path needs nothing more than a public signup form; if you run Datadog's tracer in any language, drop baggage from DD_TRACE_PROPAGATION_STYLE until you can upgrade.

21:00 ET · Last Watch

@andrea9293/mcp-documentation-server: Web UI binds to all interfaces with no authentication by default

The bundled Web UI starts automatically on port 3080 and binds to 0.0.0.0 instead of localhost, and its document-management API requires no authentication — any host on the same LAN, VM network, or container bridge can enumerate, read, add, and delete documents. Same ‘convenience default’ shape as the unauthenticated Kubernetes MCP bridge flagged earlier this week: local-first MCP tooling keeps shipping network-wide defaults. Set START_WEB_UI=false or bind explicitly to 127.0.0.1 until a patched release ships.

django-haystack: eval() on unmatched Elasticsearch field values enables RCE

The Elasticsearch backend falls back to eval() on any field value it can't match to a declared SearchField by exact key, which happens whenever a field uses an index_fieldname alias — so attacker-controlled content indexed into Elasticsearch executes as a Python expression the next time any user's search returns it. CVSS 8.5, no patched version listed yet. If you run django-haystack against Elasticsearch with any user-influenced indexed content, audit your SearchField aliases now.

ViewComponent: around_render hook bypasses HTML escaping, enabling XSS

around_render can return HTML-unsafe strings that skip the escaping normally applied to #call output, and collection rendering compounds it by joining every item's output and blanket-marking the whole batch html_safe — so any app using around_render to wrap or instrument rendering with user-controlled data has an XSS path. Companion advisory GHSA-9h85 (stale render context across reused component instances, medium) landed in the same disclosure batch. Audit any around_render overrides for unescaped user input before assuming ViewComponent's default escaping still applies.

Pomerium: pre-auth memory exhaustion via unbounded zstd decompression in HPKE callback

The stateless-auth /.pomerium/callback endpoint is intentionally reachable pre-authentication and decompresses attacker-controlled zstd data with no size limit; since the HPKE receiver public key is published at a well-known URL, anyone can encrypt a decompression bomb and crash the proxy via unbounded memory allocation. Only Pomerium Zero / hosted-authenticate deployments using the stateless flow are exposed — check which auth flow you run before assuming this applies. No patched version listed yet; cap request size at a fronting proxy if you can't wait.

Datadog tracers: W3C baggage-header parsing has no extraction-side limit, enabling DoS — same bug across all six language SDKs

DD_TRACE_BAGGAGE_MAX_ITEMS/MAX_BYTES limits were enforced only on baggage injection, not extraction, so a remote unauthenticated request with an oversized or comma-stuffed baggage header makes the tracer allocate a hash-map entry per pair with no cap — a DoS against any service instrumented with an affected tracer, since baggage propagation is on by default in most of them. The identical defect shipped simultaneously in dd-trace-java, -py, -js, -dotnet, -go, and -rb (five more advisories below) — patch every language runtime in your stack, not just the one you noticed first. Workaround: drop baggage from DD_TRACE_PROPAGATION_STYLE, or cap header size at your proxy/LB.

systeminformation: OS command injection in networkInterfaces() via interfaces(5) source directive on Linux

networkInterfaces() reads /etc/network/interfaces and, for every source <path> line, interpolates the path unquoted into a shell string run via execSync() — the same root-cause class as a previously-fixed NetworkManager injection in this file, except this sink was left unsanitized. An attacker who can influence a sourced path in /etc/network/interfaces (or anything it recursively sources) gets command execution in any process calling networkInterfaces(); relevant mainly for inventory/asset-discovery tools that run this library against untrusted or multi-tenant hosts.

websocket-driver (npm): oversized protocol length headers corrupt subsequent message parsing

A client can send an indefinite run of bytes with the high bit set in the frame length header, growing an integer that eventually exceeds 64-bit float precision and causes the next payload to parse incorrectly. GHSA rates this critical; the disclosed impact is message corruption/desync rather than a demonstrated RCE or auth-bypass path, so this list carries it as high pending more detail. Four companion websocket-driver advisories (below) landed in the same batch across the npm and RubyGems ports — patch both if you use either; upgrade to 0.7.5 (npm).

ViewComponent: reused component instances retain stale render context across users and requests

If the same component, collection, or spacer instance is reused across requests, threads, or tenants, later renders can use stale helpers, controller, request, and slot context from an earlier render — including a demonstrated path to rendering privileged UI for a lower-privileged user. Patch alongside the around_render bypass above; both come from the same ViewComponent disclosure batch.

open-feature-operator: cross-namespace resource resolution leaks flag-source secrets on multi-tenant clusters

The documented {NAMESPACE}/{NAME} annotation syntax lets any workload reference another namespace's FeatureFlagSource or InProcessConfiguration, and the operator resolves it cluster-wide — materializing env vars, flagd sidecar bearer tokens, and sync URIs from a resource the referencing tenant doesn't own. Only relevant if you treat Kubernetes namespaces as a trust boundary; the project considers the cluster-wide RBAC scope intentional, so there's no patch, just a documented gap. Avoid putting secrets directly in FeatureFlagSource specs on multi-tenant clusters.

adawolfa/isdoc: decompression bomb via unvalidated ZIP/PDF embedded-file sizes

Reading ISDOCX archives or PDFs with embedded ISDOC documents inflates entries and copies embedded files without checking uncompressed size first, so a small crafted file can exhaust memory or disk. Availability-only impact — no confidentiality/integrity risk. Upgrade to 1.4.3/1.5.1/1.6.1/2.0.0.

serde_with: KeyValueMap serializer panics on empty sequence or map entries

The KeyValueMap serializer preallocates capacity as len - 1 before checking the element has a first key field, so serializing attacker-controlled data with an empty inner sequence or map through #[serde_as(as = "KeyValueMap<_>")] panics the process. Availability-only; check for a patched release before shipping serde_with against untrusted input shaped this way.

cyberdrop-dl-patched: Pixeldrain API key shared with unverified third-party sites

The tool sends its Pixeldrain API key to third-party sites it hasn't verified as legitimate Pixeldrain mirrors, letting an attacker-controlled site harvest the key and act on the user's Pixeldrain account. Upgrade past 9.14.0 once available; in the meantime, treat any Pixeldrain-adjacent site added to the tool's config as untrusted.

ToolHive: host-side SSRF in remote MCP-server auth discovery bypasses container isolation

Discovery requests for remote MCP server authentication run host-side in the ToolHive process, before the per-server container sandbox, with no private-IP or loopback guard — so a malicious remote MCP server a user adds through ToolHive's normal workflow can make the host itself fetch internal URLs, including cloud metadata, defeating the isolation ToolHive advertises. GHSA rates this low despite the SSRF class because exploitation requires the user to add an attacker-controlled remote server in the first place. Second ToolHive SSRF-class advisory this batch, after the IPv6-blocklist gap flagged at First Watch.

18:00 ET · First Watch

CISA adds Oracle E-Business Suite privilege-management flaw to the KEV catalog

CISA catalogued CVE-2026-46817, an improper privilege-management vulnerability in Oracle E-Business Suite, as actively exploited. EBS has been a recurring ransomware entry point this year (the Cl0p Oracle EBS campaign), so an active-exploitation add here gets attention even without public technical detail yet. Patch per Oracle's advisory and check EBS-facing logs for privilege-escalation attempts predating today's disclosure.

MantisBT: SOAP API authentication bypass lets any self-registered user impersonate the administrator

mci_check_login() in the SOAP API trusts a client-supplied username paired with any valid cookie_string, so a user who self-registers — enabled by default via $g_allow_signup — can read their own cookie_string out of their browser and use it to authenticate as any other username, including admin, with zero password knowledge. The REST API and web UI both derive username server-side and aren't affected, but the SOAP surface (71 operations) gives full read/write/delete across all issues, attachments, and accounts once impersonated. If you run MantisBT with self-registration on — the default — patch now; there's no workaround.

TensorZero Gateway: caller-supplied storage_path overrides object-storage config for arbitrary file read and SSRF

The /internal/object_storage endpoint accepts a caller-supplied storage_path that overrides the gateway's configured [object_storage] settings at request time; switching the type to filesystem reads arbitrary files off the gateway host, and switching to s3_compatible turns the gateway into an SSRF proxy that can be aimed at cloud metadata endpoints. Exploitable by anyone who can reach the endpoint when the gateway runs with authentication disabled — check your TensorZero deployment's auth setting before assuming this doesn't apply. Patched in 2026.6.0; block external access to /internal/object_storage if you can't upgrade yet.

obsidian-local-rest-api: URL-encoded %2F survives routing to enable authenticated path traversal on /vault/{path}

Express normalizes and rejects a literal ../ at the routing layer, but %2F isn't a path separator to the router — the handler's own decodeURIComponent call turns ..%2F..%2F back into a real ../ after routing has already let it through, giving an authenticated caller arbitrary read/write/delete anywhere on the host filesystem, not just inside the vault. CVSS 8.8. This is the routing-vs-handler decode-order bug shape again — if you wrote path-handling middleware that decodes after a security check runs, audit it the same way. Upgrade to 4.1.3.

MantisBT: six unauthenticated reflected-XSS injection points in admin/install.php

Two companion advisories (this one via print_test_result(), GHSA-vcrw-4xvv-jh49 via an unescaped printf) cover six reflected-XSS points in the pre-auth install script; MantisBT's CSP blocks inline script but is missing a form-action directive, so the realistic exploit is a crafted URL that renders a fake login form on the genuine admin page and phishes credentials to an attacker server, or a <meta> redirect to a phishing site. Delete the /admin install directory post-setup as MantisBT's own admin guide already recommends — that removes the exposure entirely regardless of patch status.

MantisBT: RCE via eval() class hoisting when an admin sets a non-string config value

Setting a non-string configuration value routes through a Tokenizer that calls eval() with a return; prefix meant to block code execution, but PHP hoists class and function declarations at compile time past the return — so an attacker who can set a config value (already an admin-only action) can define a class that hijacks whatever the autoloader loads next, achieving code execution. Requires existing admin access, which caps this as defense-in-depth rather than a standalone path to compromise, but it means an admin account takeover (see the SOAP bypass above) chains straight into RCE.

MantisBT: SQL injection via the history_order config value, triggered just by viewing a bug

The history_order configuration value is concatenated straight into a SQL ORDER BY clause with no parameterization or whitelist, and it's settable via the web UI or the REST config API by an admin — but the injection fires for any user simply viewing a bug's history, extracting cookie_string and other credential fields from the entire database. Combined with the SOAP auth bypass above, an attacker's path is: self-register, impersonate admin via SOAP, set history_order, wait for any user to view a bug page.

MantisBT: stored XSS via crafted attachment filename in the HTML bug-export page

A missing output-encoding call in print_all_bug_page_word.php lets any authenticated user upload an attachment with a filename like probe." onload="alert(1) that breaks out of an IMG tag's alt attribute when another user views the HTML export page. Impact is capped by MantisBT's CSP, but it's the sixth-through-eighth item in today's MantisBT advisory batch — treat this release as a single mandatory upgrade, not eight optional ones.

Koel: the fix for a prior SSRF CVE only covers one of five fetch paths against redirect-based bypass

v9.3.5 added an isSafeUrl() pre-check for CVE-2026-47260 across synchronizeEpisodes, getStreamableUrl, AddRadioStation, and EpisodePlayable, but the follow-up commit that actually validates each HTTP redirect hop was wired into only EpisodePlayable — every other fetcher still trusts the initial check alone, which a 302 to an internal address walks straight past. Five more advisories below (GHSA-rjg7, GHSA-jr4p, GHSA-8q6q, GHSA-6p96, GHSA-w79m) are the specific fetch paths this incomplete fix left open. CVSS 7.1 — if you patched the original CVE and considered Koel's SSRF surface closed, it wasn't.

Koel: authenticated full-read SSRF via Subsonic internet radio stations

One of the fetch paths left open by the incomplete CVE-2026-47260 fix above — an authenticated user can point a Subsonic radio-station URL at an internal address and read the full response back through the player. Patch alongside the parent advisory; partial fixes here don't help.

LangBot: any authenticated user can achieve RCE by adding a STDIO MCP server configuration

LangBot's MCP loader imports StdioServerParameters directly from the mcp package and hands it whatever command an authenticated user configures, so adding an 'STDIO' MCP server with an arbitrary command spawns that command as a subprocess on the LangBot host. CVSS 8.8 — same underlying shape as MCP-config-as-code-execution bugs showing up elsewhere this week; if your product lets end users define their own MCP server commands, that configuration surface needs to be admin-gated, not user-gated.

garminconnect (Python library): OAuth token store written world-readable under default umask

The library writes garmin_tokens.json to disk without restricting permissions, so under the common 022 umask the file lands as 0o644 — world-readable — and it contains a live refresh token. Any other local account on a shared host reads it and gets persistent, unauthorized access to the victim's Garmin Connect account. If you use this library on a shared or multi-tenant host, chmod the token file to 0600 now and rotate the token; don't wait for the patched release.

Protobuf: unbounded recursion depth in embedded-message decoding enables stack-exhaustion DoS

Decoding a deeply nested embedded message imposes no recursion-depth limit, so a small crafted message with enough nesting levels exhausts the stack and crashes the decoding process. Protobuf sits under enough RPC and serialization stacks that 'do you decode untrusted protobuf anywhere' is worth asking broadly, not just where you think you do. Upgrade once a patched release lands; in the meantime, cap message nesting at the transport layer if your framework supports it.

safeurl: private-network blocklist missing four newer IPv6 CIDR ranges (NAT64, SRv6, doc prefix)

safeurl's privateNetworks blocklist predates RFCs 8215/9602/9637/9780 and doesn't cover 64:ff9b:1::/48, 5f00::/16, 3fff::/20, or 100:0:0:1::/64, so requests to IPs in those ranges sail past the SSRF guard. ToolHive shipped the identical gap the same day (GHSA-pph6-vfjv-vpjw) — if you maintain a homegrown IPv6 private-range blocklist anywhere in your stack, this is the exact list to check it against today, not just these two projects. Upgrade to 0.2.4, or disable IPv6 (the library's own default) until you do.

MantisBT: REST/SOAP issue-update accepts product versions that were never released

Issue updates through the REST and SOAP APIs accept a target/fixed version value without validating it against the project's list of released versions, letting a user record issues against versions that don't exist yet. Data-integrity issue, not a security boundary break — lowest priority in today's MantisBT batch.

MantisBT: REST API allows unauthorized issue status changes

The REST API's status-change endpoint doesn't fully enforce the same workflow/permission checks the web UI applies, letting a user move an issue to a status their role shouldn't permit. Same permission-parity gap as the note-type issue above — REST/SOAP keep tracking behind the web UI's authorization checks in this release.

Koel: full-read SSRF via podcast enclosure URL

Another fetch path missed by the incomplete SSRF fix — isPublicHost()'s filter_var guard doesn't catch a redirect to an internal host on the podcast-enclosure path, giving full response read. Same fix as the other four Koel SSRF advisories in this batch.

Koel: SSRF in radio-station creation via missing validation

Radio-station creation is a third fetch path in the same incomplete-SSRF-fix family — missing redirect validation lets a crafted station URL reach internal hosts. Roll into the same patch as the other Koel SSRF items.

Koel: SSRF through authenticated Subsonic podcast feed URLs

A fourth fetch path in the same Koel SSRF family, this time via Subsonic podcast feed URLs rather than radio stations. Same root cause, same fix needed across all five identified paths.

Koel: blind SSRF via authenticated Subsonic podcast-channel creation

The fifth and last fetch path in today's Koel SSRF batch — podcast-channel creation triggers a blind (no response read back) request to an attacker-chosen internal address. Blind SSRF is still useful for internal port-scanning and triggering side effects on metadata endpoints; patch with the rest of the batch.

FiftyOne: app server ships wildcard CORS, enabling cross-origin data access

FiftyOne's app server sets Access-Control-Allow-Origin: * by default, so any web page a logged-in user visits can make cross-origin requests to their local FiftyOne instance and read back dataset contents. Relevant mainly for anyone running FiftyOne's app bound to a non-loopback interface; restrict CORS origins or keep the app server loopback-only until a fix ships.

CISA adds a 2023 KNX building-automation lockout bypass to the KEV catalog

A three-year-old KNX Protocol Connection Authorization account-lockout weakness was added to KEV today, meaning CISA has evidence of active exploitation against building-automation deployments. Low relevance to typical cloud/SaaS stacks; relevant if you operate or integrate with KNX-based building-management systems.

ToolHive: SSRF guard misses the same new IPv6 NAT64/SRv6 ranges as safeurl

Same missing-CIDR gap as the safeurl advisory published minutes earlier (GHSA-xgch-x3mx-cm3c) — two unrelated projects both missed the same recently-assigned IPv6 special-purpose ranges in their SSRF blocklists on the same day, which says more about how stale these lists get than about either project specifically. Worth a five-minute check if ToolHive fronts anything untrusted.

12:00 ET · Forenoon Watch

Nearly 300 fake GitHub repos impersonate security, dev, and finance tools to push a BoryptGrab infostealer variant

ArcticWolf traced 292 fake GitHub repos impersonating security products, crypto/financial tools, dev utilities, secure-email clients, macOS utilities, and gaming software back to activity starting June 26; each repo's README links to a download page that runs gup.exe, which side-loads libcurl.dll to decode and reflectively execute a BoryptGrab infostealer variant entirely in memory. This build adds a previously undocumented bypass of Chrome's App-Bound Encryption via direct code injection into the browser process, then harvests credentials from 19+ browsers and 32 crypto wallets plus messaging/social app data to a Russia-based C2. Treat 'download the tool from this GitHub README' links with the same suspicion as email attachments, and if anyone pulled one of the impersonated tools since June 26, hunt for gup.exe/libcurl.dll pairs and rotate browser-stored credentials.

06:00 ET · Morning Watch

AsyncAPI npm compromise: exact backdoored package/version list confirmed, GitHub Actions identified as entry point

Follow-up on yesterday's @asyncapi npm compromise: OX Security, SafeDep, StepSecurity, and Aikido have now confirmed the exact backdoored set — @asyncapi/[email protected], @asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/[email protected]/6.11.2-alpha.1 — with the specs package alone carrying roughly 2M weekly downloads. Aikido traces the compromise to a backdoored GitHub Actions workflow rather than a stolen npm token, so treat the org's CI as the point of failure, not just the registry. If you pulled any of these exact versions since 2026-07-14, rotate secrets used in AsyncAPI's build pipeline and reinstall from a pinned pre-compromise version — this closes the gap in yesterday's guidance.

nebula-mesh: non-admin operators can disable webhook SSRF protection via allow_private

A non-admin operator role can set allow_private:true on their own webhook subscription with no server-side role check, switching delivery to an unguarded HTTP client that skips the loopback/private/link-local SSRF guard. This is the third nebula-mesh advisory touching operator-tier authorization in the last two days — audit who holds the operator role, not just admin, before treating it as a low-trust tier. Upgrade past 0.7.1 and review existing webhook subscriptions for allow_private already set to true.

nebula-mesh: CA private key left unwiped in memory on web mobile-bundle error paths

The web handler for mobile-bundle generation decrypts the mesh CA's ed25519 private key into memory but never calls Wipe() on any return path, success or error — the plaintext key sits on the Go heap until GC. Anyone who can read process memory (core dump, swap, memory-scraping) recovers the signing key and can mint arbitrary host certificates for the mesh. This is the fourth nebula-mesh advisory landing this week; pin a patched release rather than cherry-picking individual fixes.

Ech0: malformed Accept-Language header triggers ~70x CPU amplification via underscore-separator parser bypass

Ech0's i18n middleware runs golang.org/x/text's Accept-Language parser on every request; the CVE-2022-32149 fix capped `-` characters but not `_`, which the parser's scanner aliases to `-` before parsing, so a single crafted header burns ~1.5s of CPU and ten concurrent requests saturate a ten-core box. Classic incomplete-fix pattern — if you patched the original x/text CVE and moved on, check whether your own input validation covers the alias path too. Upgrade Ech0 to 5.0.1.

Trivy: unbounded Helm chart tar-bomb decompression causes OOM during misconfig scanning

Trivy's custom tar unpacker reads Helm chart .tgz entries with io.ReadAll and no size cap, so a small crafted archive that decompresses to gigabytes OOM-kills the scanner. Exploitable wherever Trivy scans untrusted directories or images for misconfigurations — CI pipelines that scan third-party Helm charts are the obvious target. Upgrade to 0.71.0.

EasyAdmin: stored XSS via inline-served uploads through FileField and ImageField

FileField accepts any file type and ImageField's default constraint accepts SVG; when uploads are stored in the public web root — as EasyAdmin's own documentation shows — files are linked inline with no Content-Disposition:attachment, so an uploaded .html or .svg with embedded JS executes in an admin's session on open. Check your upload configuration for public-root storage before assuming this doesn't apply; the docs' example config is the vulnerable one. Upgrade to 5.0.13.

MKP (Kubernetes MCP server): unauthenticated pod-log read with attacker-controlled limitBytes causes memory exhaustion

MKP's get_resource tool forwards user-supplied limitBytes/tailLines straight to the Kubernetes API and buffers the entire log stream in memory with no cap — one crafted tools/call request with limitBytes=128MB grew RSS by over 1.1GB in testing. Any MCP-exposed Kubernetes tooling is a soft target for this class of bug; audit other MCP-to-k8s bridges for the same unbounded-read pattern. Upgrade to 0.4.1.

Hoverfly: unsynchronized map write in Diff mode crashes the process under concurrent requests

AddDiff() writes to the shared responsesDiff map with no mutex; any concurrent proxy traffic in Diff mode trips Go's race detector and kills the process with a fatal concurrent map read/write. Trivially triggered by normal multi-client load, not an attacker-crafted payload — disable Diff mode in production until patched, or serialize proxy traffic to it.

OpenCost: unauthenticated file write via /serviceKey endpoint can overwrite the GCP service account key

The /serviceKey POST endpoint writes attacker-supplied data straight to the GCP service account key file with no authentication or validation, letting a remote unauthenticated attacker overwrite cluster cost-monitoring credentials. In a Kubernetes cluster, that's a foothold for further privilege escalation via whatever the corrupted key touches — firewall the OpenCost API from untrusted networks and check whether it's exposed via an Ingress or NodePort today. Upgrade to 1.119.1.

n8n-mcp: authenticated tenant can reach default-scope workflow-version backups in multi-tenant HTTP mode

In n8n-mcp's multi-tenant HTTP mode, an authenticated tenant can under certain conditions read or delete workflow-version backups left in the default (single-tenant) scope, often leftovers from a migration. Scope is narrower than yesterday's related n8n-mcp critical (cross-tenant access, GHSA-j6r7) but the same defect class — tenant isolation gaps in the local backup store. Upgrade to 2.57.4 if running ENABLE_MULTI_TENANT=true.

nebula-mesh: Web UI host creation hardcodes 24-hour enrollment tokens, ignoring configured TTL

The nebula-mgmt Web UI's host-creation path hardcodes a 24-hour token lifetime instead of honoring the configured enrollment_token_ttl, so any operator who can create a host through the UI can mint a bearer enrollment token far longer-lived than the deployment intends. Low severity alone, but it's the fourth nebula-mesh advisory in two days — this product needs a full audit pass, not one-off patches.

nebula-mesh: unauthenticated OIDC login endpoint allows unbounded in-memory state growth

GET /ui/oidc/login is reachable pre-auth and sits outside the rate-limited auth route group; each request allocates a new OIDC state entry with no cap, so an unauthenticated client can grow the in-memory state map bounded only by request throughput. A slow-burn memory-exhaustion DoS, not RCE — rate-limit or WAF the endpoint until patched.

Umbraco.AI can disclose sensitive application configuration, including secrets, to privileged backoffice users

A user with backoffice access to the AI section and a specific custom AI provider configured can trigger disclosure of application configuration values, potentially including credentials. Exploitation requires elevated access already, which caps real-world blast radius. Patch to 1.14.0; treat as a defense-in-depth gap if your threat model includes privileged insiders.

Hoverfly: unbounded goroutine leak via unresponsive remote post-serve action endpoints

Remote post-serve actions run in goroutines against http.DefaultClient with no timeout; an endpoint that accepts the connection but never responds blocks the goroutine indefinitely, and repeated triggers exhaust memory. No patched version listed in the advisory — mitigate by pointing post-serve actions only at endpoints you control and monitoring goroutine counts.

K3s: path traversal in etcd snapshot restore lets a malicious zip write files outside the target path

K3s's snapshot-restore zip decompression doesn't sanitize archive member names, so a crafted snapshot with entries like ../../../../etc/password writes arbitrary files during --cluster-reset-restore. Exploitation requires an administrator to restore an attacker-supplied snapshot, so this is a supply-chain-of-backups risk more than a remote one — set GODEBUG=zipinsecurepath=0 or manually extract before restoring, and treat snapshot files from outside your own cluster as untrusted. Fixed in 1.35.3/1.34.6/1.33.10.

Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__ keys

The _.merge utility in @feathersjs/commons pollutes Object.prototype when merging a JSON.parse'd object containing a __proto__ key; no first-party Feathers package routes untrusted input through this function, so real-world exposure depends entirely on whether a downstream app does. Low urgency unless you call this utility directly on request bodies.

Wasmtime C/C++ API leaks memory when using anyref/externref values

A regression in Wasmtime 37.0.0-37.0.1's C/C++ API bindings leaks memory for embeddings that use anyref or externref; the Rust crate itself is unaffected. Long-running WASM host processes using the C API with these value types should upgrade to 37.0.2 to avoid slow OOM.

FacturaScripts: stored XSS in modal widget lists survives HTML-entity encoding due to decode-before-parse ordering

WidgetVariante and WidgetSubcuenta build onclick attributes by concatenating user input after Tools::noHtml encodes quotes as &#39;, but HTML attribute parsing decodes character references before the JavaScript is parsed, so the encoding doesn't actually neutralize the break-out. Same product, fifth distinct advisory this week — if you run FacturaScripts, this is no longer a one-off; budget time for a full upgrade rather than patching individual CVEs.