Page 18
A critical buffer overflow vulnerability was discovered and patched in the ShadowsocksR proxy server, where attacker-controlled network packet data was used directly as the byte count in memory copy operations without bounds checking. This class of vulnerability allows remote attackers to corrupt server memory, potentially enabling arbitrary code execution or denial of service. The fix adds proper bounds validation before any memory copy operation involving network-supplied length values.
A critical LDAP injection vulnerability in Apache Airflow's Flask-AppBuilder security manager allowed attackers to bypass authentication and gain unauthorized access by crafting malicious usernames. The flaw stemmed from unsanitized user input being directly interpolated into LDAP filter strings — a classic but devastating mistake. This post breaks down how the attack works, what was fixed, and how you can prevent similar issues in your own code.
A critical Remote Code Execution vulnerability (CVE-2026-33937) was discovered in Handlebars.js that allows attackers to execute arbitrary code by crafting malicious Abstract Syntax Tree objects passed to the `compile()` function. This post breaks down how the vulnerability works, why it's dangerous, and how upgrading to Handlebars 4.7.9 closes the attack vector.
A critical vulnerability in Tabby's UAC component allowed local attackers to predict Windows named pipe names generated with a weak pseudo-random number generator, enabling them to hijack privileged communication channels before the elevated process could claim them. This pipe squatting attack could grant unprivileged users the ability to inject commands that execute with Administrator or SYSTEM privileges. The fix removes the unsafe exec() pattern and replaces the predictable pipe naming scheme
A critical buffer overflow vulnerability was discovered and patched in `libretro_core_options.h`, where unsafe string operations (`strcpy()` and `strcat()`) could allow attackers to corrupt memory and achieve arbitrary code execution. The fix eliminates these dangerous C string functions in favor of bounds-checked alternatives, closing a path that could be exploited through maliciously crafted core option configurations. Understanding this class of vulnerability is essential for any developer wo
A medium-to-high severity vulnerability was discovered and patched in Slidev's resolver module, where dynamically loaded theme and plugin packages specified in slide frontmatter lacked proper validation, allowing a malicious package name to execute arbitrary code with the developer's full OS privileges. This fix addresses a supply-chain-adjacent attack vector that could allow attackers to exfiltrate credentials or compromise developer machines simply by sharing a crafted markdown presentation fi
A medium-severity vulnerability was discovered and patched in the PicoW ClockMaster firmware's MQTT client, where file import functionality lacked resource limits and the broker connection lacked authentication—allowing attackers on the same network to inject spoofed motor and LED commands. The fix introduces proper input validation, file size checks, JSON depth limits, and authenticated/encrypted MQTT connections. This case is a timely reminder that IoT firmware security requires the same rigor
A high-severity command injection vulnerability was discovered and patched in a Python packaging script that used `os.system()` with unsanitized string interpolation to construct shell commands. An attacker who could influence the `serverHost` variable could execute arbitrary operating system commands with the full privileges of the packaging process. The fix replaces the dangerous `os.system()` call with Python's `subprocess` module, eliminating the shell injection surface entirely.
A critical vulnerability (CVE-2025-9287) was discovered in the `cipher-base` npm package that allows attackers to manipulate cryptographic hash operations, potentially compromising data integrity and security guarantees in affected applications. The fix, delivered in `cipher-base` version 1.0.5, patches this hash manipulation flaw and should be applied immediately by any project using the affected package. Understanding this vulnerability highlights why cryptographic dependencies deserve the sam
A high-severity vulnerability in `graphify/hooks.py` allowed attackers to achieve arbitrary code execution on CI/CD runners by injecting malicious hook script paths through a user-controlled configuration file. The fix introduces strict path validation against an allowlist of permitted directories before any subprocess execution. This kind of supply-chain attack vector is increasingly common and can silently compromise entire build pipelines with a single malicious commit.
A critical vulnerability in a Python build script allowed potential man-in-the-middle attackers to bypass SHA256 checksum verification by serving malicious checksums alongside compromised binaries. This fix implements proper cryptographic signature verification, ensuring that downloaded artifacts are genuinely from trusted sources—not just matching a potentially tampered checksum file.
A medium-severity vulnerability was discovered and patched in an IoT Over-the-Air (OTA) firmware update server, where a Flask route accepted firmware file uploads without any authentication. This flaw allowed any attacker with network access to push arbitrary firmware binaries to connected IoT devices — a potentially devastating supply chain attack vector. The fix introduces proper authentication controls, closing the door on unauthorized firmware injection.