Security Research

Security Blog

Page 4

high9 min

How Regular Expression Denial of Service happens in Node.js picomatch extglob patterns and how to fix it

A Regular Expression Denial of Service (ReDoS) vulnerability in picomatch versions prior to 2.3.2, 3.0.2, and 4.0.4 allowed attackers to craft malicious extglob patterns that triggered catastrophic backtracking in the regex engine, potentially freezing Node.js applications. The fix, tracked as CVE-2026-33671, involved upgrading picomatch to patched versions and pinning the dependency explicitly in `package.json` to ensure the safe version is resolved across the dependency tree.

#nodejs#regex#redos+4 more
O
orbisai0security
Jul 9, 2026
critical9 min

How command injection happens in Python subprocess and how to fix it

A critical command injection vulnerability was discovered in `docling/models/stages/ocr/tesseract_ocr_cli_model.py`, where user-controlled inputs such as language identifiers, file paths, and the Tesseract executable path were passed directly into `subprocess.run()` calls without validation. An attacker who could influence these values — for example, by supplying a maliciously crafted document or configuration — could inject arbitrary shell arguments or commands. The fix introduces strict input

#security#command-injection#python+4 more
O
orbisai0security
Jul 9, 2026
high6 min

How missing Dependabot cooldown happens in GitHub Actions CI/CD and how to fix it

A high-severity configuration gap was discovered in a Node.js library's `.github/dependabot.yml` file where no cooldown period was set for dependency updates. This meant Dependabot could immediately propose updates to newly published (and potentially malicious) package versions, exposing the project and all downstream consumers to supply chain attacks. The fix adds a `cooldown` block with `default-days: 7` to both the `npm` and `github-actions` package ecosystem entries.

#supply-chain-security#dependabot#github-actions+4 more
O
orbisai0security
Jul 8, 2026
critical6 min

How SQL injection via unsafe template literals happens in TypeScript database scripts and how to fix it

A critical SQL injection vulnerability in `scripts/verify-db.ts` allowed attackers to execute arbitrary SQL commands by manipulating table names passed to the `countTable()` function. The script used `client.unsafe()` with string interpolation, directly embedding unsanitized input into SQL queries. The fix replaced the unsafe pattern with parameterized queries using the postgres client's built-in escaping.

#sql-injection#typescript#database-security+4 more
O
orbisai0security
Jul 8, 2026
high8 min

How Authentication Bypass happens in PyJWT and how to fix it

A critical authentication bypass vulnerability in PyJWT 2.12.1 allowed attackers to forge valid JSON Web Tokens, potentially bypassing application authentication mechanisms entirely. The vulnerability was fixed in PyJWT 2.13.0 through security improvements to token validation logic. This fix is essential for any application relying on JWT-based authentication.

#jwt#authentication#python+4 more
O
orbisai0security
Jul 7, 2026
high8 min

How insecure string copy functions happen in C apputils.c and how to fix it

A high-severity buffer overflow vulnerability was discovered in `src/apps/common/apputils.c`, where `strncpy()` was used without guaranteed null-termination across four call sites — including the `sock_bind_to_device()` and `getdomainname()` functions. The fix replaces all unsafe `strncpy()` calls with `snprintf()`, which enforces both length bounds and automatic null-termination. Left unpatched, these flaws could allow an attacker to corrupt memory, crash the process, or potentially execute arb

#buffer-overflow#c-security#strncpy+4 more
O
orbisai0security
Jul 7, 2026
critical9 min

How command injection happens in Go ffmpeg-go and how to fix it

A critical command injection vulnerability (CVE-2026-41179, CWE-78) was discovered in `drivers/local/util.go` of a Go media processing service, where user-controlled file paths were passed to `ffmpeg.Input()` without filtering shell metacharacters. Although a `sanitizeFilePath()` function existed to validate paths, it failed to reject characters like `;`, `|`, and backticks that could be weaponized if the underlying ffmpeg-go library constructs shell commands internally. The fix adds a targeted

#command-injection#go#ffmpeg+4 more
O
orbisai0security
Jul 7, 2026
critical8 min

How plaintext credential storage happens in C embedded firmware (wifi.cpp) and how to fix it

A migration function in `main/wifi.cpp` was designed to move legacy WiFi credentials from plaintext SD card files into encrypted NVS storage, but a logic flaw meant that if the NVS write failed, the plaintext files were never deleted. This left SSID and password data recoverable from the SD card filesystem — even after "deletion" on FAT — by anyone with physical access to the device. The fix restructures the deletion logic so plaintext files are always wiped, regardless of whether the NVS migrat

#embedded-security#credentials#wifi+4 more
O
orbisai0security
Jul 7, 2026
high8 min

How unsafe pickle deserialization happens in Keras/TensorFlow notebooks and how to fix it

A high-severity untrusted deserialization vulnerability was discovered in `TransferLearningTF.ipynb`, a transfer learning tutorial notebook that loads VGG16 model weights from the internet without verifying their integrity. Because Keras relies on Python's pickle-based serialization format under the hood, a tampered or substituted weights file could execute arbitrary code with the full privileges of the notebook user. The fix adds a SHA-256 checksum verification step immediately after the weight

#security#python#keras+5 more
O
orbisai0security
Jul 7, 2026
critical8 min

How Chromium launch-argument injection happens in Python Crawl4AI and how to fix it

A critical unauthenticated remote code execution vulnerability in Crawl4AI 0.8.9 allowed attackers to inject arbitrary Chromium launch arguments through the `browser_config.extra_args` parameter, potentially taking full control of the host process. The fix upgrades to Crawl4AI 0.9.0 and refactors the crawler initialization in `agent/tools/crawler.py` to use the new `BrowserConfig` and `CrawlerRunConfig` APIs, which enforce proper argument validation. This change eliminates the injection surface

#security#rce#argument-injection+4 more
O
orbisai0security
Jul 6, 2026
critical6 min

How integer overflow in buffer size calculation happens in C++ and how to fix it

A critical integer overflow vulnerability was discovered in OpenCV's HAL filter implementation where multiplying image dimensions without overflow protection could allocate dangerously undersized buffers. An attacker supplying crafted image dimensions (e.g., 65536×65536) could trigger heap corruption through out-of-bounds writes. The fix promotes the calculation to 64-bit arithmetic with a single cast.

#security#integer-overflow#cpp+4 more
O
orbisai0security
Jul 6, 2026
critical5 min

How buffer overflow via strcpy() happens in C zlib and how to fix it

A critical buffer overflow vulnerability was discovered in `general/libzlib/gzlib.c` where multiple `strcpy()` and `strcat()` calls operated without bounds checking. An attacker controlling file paths or error messages could overflow destination buffers, potentially achieving arbitrary code execution. The fix replaces these unsafe string operations with bounded `memcpy()` calls that respect pre-calculated buffer lengths.

#security#buffer-overflow#c+4 more
O
orbisai0security
Jul 6, 2026