Broken Cloud
Cloud Security
Vendors are still shipping defaults that completely nuke their own security models.

💽 Transparent Disk Decryption
Running IncusOS bare-metal? Your TPM-backed LUKS encryption is security theater against physical access. The default TPM policy doesn't bind to the root partition. An attacker swaps the root drive for a malicious one, boots up, and the TPM blindly forks over the LUKS volume key. They put the original drive back, and Secure Boot doesn't even blink.

The Fix: Apply the [IncusOS advisory](https://github.com/lxc/incus-os/security/advisories/GHSA-wj2j-qwcf-cfcc) to enforce strict TPM validation.
Hard Truth: Patches only stop future theft. If a server was left physically unguarded, assume the LUKS master key is burned. Rotate it.
👀 Cross-Origin Credential Scraping
Glances shipped a suicidally bad CORS policy: `allow_origins="*"` combined with `allow_credentials=True`. If an authenticated admin visits a malicious site, that site silently fires background requests at your internal Glances endpoints. Attackers can scrape passwords, system configs, and process args straight out of your monitoring data.

The Fix: Upgrade to 4.5.2 per the [Glances CORS report](https://github.com/advisories/GHSA-9jfm-9rc6-2hfq).
Operator Action: Can't patch today? Manually restrict allow_origins to trusted internal domains to stop the data hemorrhage.
We blow millions on endpoint agents while attackers just weaponize our management consoles and "working as designed" features.

📱 The Native Wiper
Why write malware when MDM does it for you? Attackers wiped 80,000 devices by hijacking a standard admin, creating a backdoor Global Admin, and mashing the remote wipe button in Microsoft Intune. No malware required.
Tradeoff: Centralized cloud management is a literal doomsday button.
Guidance: Nuke standing privileges. Enforce FIDO2, gate roles via PIM, and alert on mass DeviceAction in Intune logs.
The industry is too busy giving chatbots root access to notice our underlying routing and parsing infrastructure is still entirely broken.

🕸️ Hijacking Cluster DNS
Kube-router blindly trusts ExternalIPs and LoadBalancer IPs. Hand a user basic Service creation rights, and they can nuke your cluster DNS. Malicious external IPs will rewrite IPVS routing tables to hijack cluster-wide traffic. Upgrade to v2.8.0 or deploy an admission controller to block untrusted bindings immediately.

💥 BaaS Process Panic
Running Parse Server? Unhandled JS prototype chain traversal means anyone with curl can send a crafted payload and instantly crash your Node.js process. It's a single-shot DoS with absolutely zero workarounds. Apply the patches in this advisory before script kiddies flatten your backend.
🧠 Unconstrained Execution
Wiring external text parsers directly to production data is just handing out RCE. Critical flaws in Amazon Bedrock, LangSmith, and SGLang allow for complete environment takeover. Attackers can use malicious inputs to execute arbitrary code and exfiltrate databases. Stop giving these wrappers direct access to prod. Read the full report.
Always a fun day when endpoints hand out free shells and cloud "security features" double as recon tools.

🐍 Free Root via Langflow
Langflow just gifted the internet a trivial RCE. They left /api/v1/build_public_tmp unauthenticated for "public flows." Feed it a custom payload with Python nodes, and the backend shoves your string straight into an unsandboxed exec(). One POST gets you a root shell and every env var.

Tradeoff: You can't just slap auth on an endpoint designed to blindly run user code.
Telemetry: Hunt ingress logs for POSTs to /api/v1/build_public_tmp containing import os.
Action: Block this path at your WAF. Details in the [GitHub advisory](https://github.com/advisories/GHSA-vwmf-pq79-vjvx).
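
An added example (not from Langflow or the advisory) of the telemetry hunt above. It assumes JSON-lines ingress logs that capture request bodies, with hypothetical field names `src`, `method`, `path` and `body`; the sample lines are constructed.

```python
import json
import re
from urllib.parse import unquote_plus

TARGET_PREFIX = "/api/v1/build_public_tmp"
# "import os" from the post, plus from-imports and __import__("os").
OS_IMPORT = re.compile(
    r"""\bimport\s+os\b|\bfrom\s+os\b|__import__\(\s*['"]os['"]""")

# Constructed sample log (field names and the path tail are assumptions).
SAMPLE_LOG = r'''
{"src":"198.51.100.7","method":"POST","path":"/api/v1/build_public_tmp/abc/flow","body":"{\"code\":\"import os\\nos.getenv('X')\"}"}
{"src":"198.51.100.7","method":"POST","path":"/api/v1/build_public_tmp/abc/flow","body":"code=import%20%20os"}
{"src":"203.0.113.9","method":"GET","path":"/api/v1/build_public_tmp/abc/flow","body":""}
{"src":"203.0.113.9","method":"POST","path":"/api/v1/build_public_tmp/abc/flow","body":"{\"inputs\":{\"text\":\"important osprey\"}}"}
{"src":"192.0.2.44","method":"POST","path":"/api/v1/login","body":"import os"}
not-json garbage line
'''

def hunt(lines):
    """Return (src, path) for POSTs to the public build path whose body imports os."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # blank or malformed line
        if not isinstance(rec, dict):
            continue
        if (rec.get("method") or "").upper() != "POST":
            continue
        path = unquote_plus(rec.get("path") or "")
        if not path.startswith(TARGET_PREFIX):
            continue
        # Decode percent-encoding so "import%20os" is seen as "import os".
        body = unquote_plus(rec.get("body") or "")
        if OS_IMPORT.search(body):
            hits.append((rec.get("src"), path))
    return hits

if __name__ == "__main__":
    for src, path in hunt(SAMPLE_LOG.splitlines()):
        print(src, path)
```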

🪣 AWS Kills Bucket Obscurity
AWS finally fixed S3 domain-squatting with a new account-regional namespace (`bucketname-accountID-region-an`). The catch? They just handed attackers a map to your shadow data.

Since account IDs are effectively public, attackers grab a legacy public bucket, rip the region from HTTP headers, brute-force your ID, and mass-enumerate private buckets. A 403 instead of a 404 confirms the bucket exists and is uniquely yours.

Tradeoff: Squatting is dead, but hiding internal bucket names is now impossible.
Telemetry: Watch CloudTrail for `403 Access Denied` spikes hitting dictionary bucket names.
Action: Map your exposure with Bucky before attackers do. Full chain in this PwnedLabs writeup.
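
An added example (not from AWS or the writeup) of the CloudTrail telemetry above: it flags sources that are denied on many distinct bucket names in a short window. The records are constructed, the account ID and region are placeholders, and the window and threshold are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # tunable assumption
THRESHOLD = 4                   # distinct denied bucket names per source

def _ev(t, ip, bucket, err="AccessDenied"):
    """Build one constructed record using CloudTrail field names."""
    return {"eventTime": t, "eventSource": "s3.amazonaws.com",
            "eventName": "HeadBucket", "errorCode": err,
            "sourceIPAddress": ip, "requestParameters": {"bucketName": bucket}}

# Constructed sample: one source walks a wordlist against a placeholder
# account ID and region; another retries a single bucket it cannot read.
SUFFIX = "-111122223333-us-east-1-an"
WORDS = ["backup", "logs", "prod", "finance", "dev"]
SAMPLE = [_ev(f"2026-01-01T10:00:{i * 5:02d}Z", "198.51.100.23", w + SUFFIX)
          for i, w in enumerate(WORDS)]
SAMPLE += [
    _ev("2026-01-01T10:00:00Z", "203.0.113.5", "logs" + SUFFIX),
    _ev("2026-01-01T11:30:00Z", "203.0.113.5", "logs" + SUFFIX),
    _ev("2026-01-01T10:01:00Z", "203.0.113.5", "nope" + SUFFIX, "NoSuchBucket"),
]

def denied_probes(events):
    """Yield (time, source, bucket) for S3 calls that ended in AccessDenied."""
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com":
            continue
        if e.get("errorCode") != "AccessDenied":
            continue
        bucket = (e.get("requestParameters") or {}).get("bucketName")
        if bucket:
            ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, e.get("sourceIPAddress"), bucket

def enumeration_sources(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source: bucket names} for sources denied on at least
    `threshold` distinct buckets inside any one sliding window."""
    by_src = defaultdict(list)
    for ts, src, bucket in denied_probes(events):
        by_src[src].append((ts, bucket))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            names = {b for _, b in probes[start:end + 1]}
            if len(names) >= threshold:
                flagged[src] = sorted(names)
                break
    return flagged
```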
We spend millions on network boundaries just to watch firewalls hand out root and AI sandboxes tunnel data over DNS.

🔥 Firewall Management Shells
Interlock ransomware operators are actively chaining an unauthenticated zero-day (CVE-2026-20131) in Cisco Secure FMC. This drops attackers straight into a root shell on the appliance. They've been using it since January to bypass perimeters and encrypt entire networks. Patch your FMC nodes immediately.
🐧 Trivial Root via systemd
Ubuntu local privilege escalation just got painfully easy. A timing window bug in a systemd cleanup race condition (CVE-2026-3888) reliably hands out interactive root shells. Anyone with a low-privilege foothold can use this to instantly expand their blast radius. Bake this fix into your base AMIs and redeploy your container worker nodes before someone starts climbing your permissions tree.

🐍 Ghost Commits in CI/CD
The "ForceMemo" campaign is poisoning Python pipelines using stolen VS Code credentials to hijack GitHub accounts. Attackers stealthily rebase legitimate commits and alter committer dates to hide their malicious code injection from basic reviews. Read the supply chain breakdown. Force hardware MFA everywhere and start auditing your default branches for anomalous date modifications.

🧠 AI Sandboxes Leaking DNS
AWS Bedrock AgentCore’s "Sandbox" mode freely leaks outbound DNS queries. Attackers use this to establish interactive reverse shells and tunnel data straight out of your account via the interpreter's IAM role. AWS considers this a documentation issue, so they aren't patching the escape.
The Threat: Unrestricted data exfiltration via DNS C2 tunnels.
The Fix: Ditch the default Sandbox entirely. Move your AI agents into restricted VPC modes to kill off outbound network access.
It's incredible how many infrastructure takeovers start with a single missing string character or blind trust in an internal dashboard.

🔀 The Missing Slash Bypass
It turns out basic string matching is still hard. There is an authorization bypass in gRPC-Go tied to how it processes the HTTP/2 :path pseudo-header. If an attacker manually crafts a request and strips the leading slash, the backend router still finds the destination. But the RBAC interceptors evaluate the raw, un-slashed string.

If your service mesh relies on a default-allow fallback, the attacker's request completely evades your exact-match deny rules. They ask for Service/Method instead of /Service/Method, sail past the blocklist, and execute the call.

Action: Bump gRPC-Go to v1.79.3 today. If you can't restart right now, inject the validating interceptor from the advisory to drop malformed paths before they hit your auth logic.
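
An added example, not gRPC-Go code and not the advisory's interceptor: a small Python model of the mismatch described above, showing how an exact-match deny rule on the raw `:path` fails under default-allow, and how path validation or a default-deny allowlist closes it. Service names, rules and the `REJECTED` status label are hypothetical.

```python
import re

# Constructed handler table and policies; all names are hypothetical.
HANDLERS = {"admin.Admin/DeleteUser": "deleted", "app.Greeter/SayHello": "hello"}
DENY_EXACT = {"/admin.Admin/DeleteUser"}
ALLOW_EXACT = {"/app.Greeter/SayHello"}
# Well-formed full method name: /package.Service/Method
FULL_METHOD = re.compile(r"/[A-Za-z_][\w.]*/[A-Za-z_]\w*")

def route(path):
    """Lenient router model: resolves the handler with or without the leading slash."""
    return HANDLERS.get(path[1:] if path.startswith("/") else path)

def authorize_denylist(path):
    """Default-allow: only paths that exactly match a deny rule are refused."""
    return path not in DENY_EXACT

def authorize_allowlist(path):
    """Default-deny: only paths that exactly match an allow rule pass."""
    return path in ALLOW_EXACT

def serve(path, authorize, validate=False):
    """Return the status a caller would see for this raw :path value."""
    if validate and not FULL_METHOD.fullmatch(path):
        return "REJECTED"  # malformed path dropped before the auth logic
    if not authorize(path):
        return "PERMISSION_DENIED"
    handler = route(path)
    return "OK:" + handler if handler else "UNIMPLEMENTED"

if __name__ == "__main__":
    for p in ("/admin.Admin/DeleteUser", "admin.Admin/DeleteUser"):
        print(repr(p), serve(p, authorize_denylist),
              serve(p, authorize_denylist, validate=True),
              serve(p, authorize_allowlist))
```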

🤑 Free Cloud Tokens via SSRF
Internal dashboards remain a massive liability. [Budibase just disclosed an unrestricted SSRF](https://github.com/Budibase/budibase/security/advisories/GHSA-4647-wpjq-hh7f) inside its REST Datasource Query Preview endpoint. There is absolutely zero network validation happening on the backend.

Anyone with 'builder' or 'admin' access can swap the `fields.path` parameter to target `169.254.169.254`. The server happily executes the request and hands back cloud metadata tokens. This instantly escalates an application-level user to a full AWS or GCP infrastructure takeover. Attackers can also pivot to pillage internal Kubernetes APIs or the backing CouchDB.

Action: Apply the Budibase patch immediately to lock down the preview endpoint.
Just once I'd like to review an architecture where config parsers don't hand out root and audio drivers don't compromise the hypervisor.

🚪 Zero-Auth RCE by Default
MCP Connect ships with auth so broken that a missing token evaluates to an empty string and waves you right in. Worse, it binds to 0.0.0.0 out of the box with an ngrok script to aggressively maximize exposure. Hit port 3000, hit /bridge, get instant RCE. Enforce your AUTH_TOKEN and read the advisory.
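
An added example, not MCP Connect's code: a Python model of the fail-open token check described above next to a fail-closed version. The `env` and `headers` dictionaries and the `Bearer` header scheme are assumptions for illustration.

```python
import hmac

def authorized_vulnerable(env, headers):
    """Fail-open model: an unset AUTH_TOKEN and an absent header both become ""."""
    expected = env.get("AUTH_TOKEN", "")
    presented = headers.get("Authorization", "").removeprefix("Bearer ")
    return presented == expected  # "" == "" lets an anonymous caller in

def authorized_hardened(env, headers):
    """Fail-closed: no configured token means no access for anyone."""
    expected = env.get("AUTH_TOKEN", "")
    if not expected:
        return False
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    # Constant-time comparison avoids leaking how much of the token matched.
    return hmac.compare_digest(presented.encode(), expected.encode())

if __name__ == "__main__":
    token = "constructed-sample-token-0123456789"  # constructed value
    cases = [
        ({}, {}),                                            # nothing configured, nothing sent
        ({"AUTH_TOKEN": token}, {}),                         # configured, nothing sent
        ({"AUTH_TOKEN": token}, {"Authorization": "Bearer " + token}),
        ({"AUTH_TOKEN": token}, {"Authorization": "Bearer wrong"}),
    ]
    for env, headers in cases:
        print(authorized_vulnerable(env, headers), authorized_hardened(env, headers))
```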

📝 Weaponized Config Files
Dynaconf turns variable parsing into a trivial compromise by evaluating templates without a sandbox. Slip a malicious Jinja payload into a .env file, and the @jinja resolver blindly executes it on startup. Stop trusting external config and upgrade before your environment variables root your microservices. Patch details: GitHub alert.
🔊 Audio-Triggered VM Escapes
Why anyone attaches sound devices to server infrastructure is beyond me. An uncontrolled heap overflow in QEMU's virtio-snd lets a malicious guest OS escape the hypervisor entirely. One malformed audio request drops attackers straight onto the physical host. Disable and detach virtio-snd across all QEMU instances.

🤖 90s SQLi Returns
We're speed-running legacy web vulnerabilities to justify bloated budgets. Spring's MariaDB integration blindly trusts unvalidated metadata filters (CVE-2026-22730). Attackers just inject basic SQL syntax to shatter tenant isolation and dump cross-tenant proprietary data. Stop leaking your databases and upgrade to version 1.0.4 or 1.1.3.

Another week of open-source tools handing out admin rights and hypervisors deciding your network traffic is optional.

📂 Langflow RCE
Authenticated attackers can bypass lazy path validation in the Langflow v2 API to write arbitrary files anywhere on the host. It's a trivial path to host RCE. Patch or choke off v2 API access before someone pivots into your network.

🪪 MinIO Admin Hijack
MinIO shipped a critical JWT algorithm confusion bug in its OIDC setup. Anyone with a leaked ClientSecret can forge tokens and grant themselves consoleAdmin. Patch MinIO and rotate OIDC secrets before your storage gets owned.
💥 42 Bytes to OOM
A botched patch in DeepDiff's restricted unpickler bypasses its class filter. A crafted 42-byte payload forces a 10GB memory allocation, triggering an instant OOM kill. This leaves platforms like AWS SageMaker wide open to a hilariously cheap DoS. Pin DeepDiff to 8.6.2 immediately.

☠️ K8s Ransomware
TeamPCP is hunting Kubernetes clusters with container-specific ransomware. They rely on basic pipe-to-shell (curl/wget) for initial access, then abuse native K8s features to move laterally and detonate. Alert on interactive shell pipes and audit clusters before production gets encrypted.

👻 VMware NSX Blackhole
If pod routing randomly breaks across subnets, blame the infrastructure. VMware NSX deep packet inspection is silently dropping valid VXLAN traffic on UDP port 8472. This self-inflicted DoS will burn days of troubleshooting. Swap your K8s CNI backend to WireGuard, or move VXLAN traffic off the standard port to bypass NSX entirely.
Nothing like watching your pipelines get owned before the coffee kicks in.

🧠 Langflow's Public Backdoor
Langflow patched an old RCE but ignored their public flow builder. Unauth attackers can inject malicious pipelines for instant code execution. Slap actual auth on your endpoints and read the write-up on the bypass.

🔀 Dagu Directory Climbing
Running Dagu? A botched patch left locateDAG wide open. Authenticated users can climb directories to steal Kubernetes secrets or load YAML for instant RCE. Push the patch update or drop %2F payloads at the WAF.
🤖 ML Stack Collapse
40 CVEs just hammered the core ML stack (MLflow, vLLM, PyTorch, HuggingFace). Trivial vectors let attackers pop shells directly on your training clusters.
Grab the new Sigma rules from this [advisory dump](https://raxe.ai/labs/advisories).
Jam them into your SIEM before your GPUs become a botnet.

📦 Poisoned Python Wheels
Your CI/CD is shipping pre-exploited artifacts. skia-python baked vulnerable libfreetype C libraries into Python wheels because pinned base images never update. Trusting pinned images blindly just automates CVE delivery.
Force `apt update` before building wheels.
Check the dependency advisory for downstream exposure.

🦕 Jurassic Edge Exploit
Partying like it's 1994: researchers found a 32-year-old pre-auth overflow in the GNU inetutils Telnet daemon. Stop laughing—this relic lives on in modern edge gear like Citrix NetScaler and TrueNAS.
Attackers overflow the BSS segment for a free perimeter root shell.
Nuke Telnet immediately and read the full autopsy.
Identity boundaries are dissolving and CLI tools are deciding security prompts are optional.

🪪 Identity Perimeter Shells
Oracle dropped an emergency patch for a critical 9.8 CVSS flaw in Identity Manager. If this appliance touches the internet, unauthenticated remote attackers can execute arbitrary code and own your identity perimeter. It's a tier-zero asset. Apply the patch before ransomware operators turn your identity bridge into a toll road.
👻 Ghost Tokens in Entra
Attackers are manipulating Entra ID auth flows to extract valid tokens while completely bypassing native sign-in logs—for the third and fourth time. If you rely strictly on default telemetry, your SOC is legally blind. Run the exact KQL queries from TrustedSec to hunt for this unlogged token theft before it hunts you.

🚦 Traefik's mTLS Bypass
Using Traefik as an ingress proxy? Fragmented TLS ClientHello packets break its SNI pre-sniffer, causing it to fail open. Instead of dropping the malformed connection, it silently falls back to a permissive state and strips mTLS enforcement. Attackers bypass client certificate validation effortlessly. Upgrade Traefik immediately.

🤖 Workspace Trust Bypass
Anthropic’s Claude Code CLI features a fatal load-order bug (CVE-2026-33068): it processes malicious repo settings before asking the user for workspace trust. If a dev clones a poisoned repo, the CLI instantly elevates permissions and skips the prompt. The machine is compromised before they can even click "deny." Enforce version 2.1.53 across all workstations before your devs own themselves.
Security tools are backdoored, storage gateways are leaking identities, and core crypto libraries are failing Cryptography 101.

🏴‍☠️ The Trivy Supply Chain Bait-and-Switch
Trivy’s official release pipeline got compromised. Version 0.69.4 is backdoored. If your pipelines pulled this release, malicious GitHub Actions and binaries are currently exfiltrating your secrets to a typosquatted C2.

Purge 0.69.4 from your CI/CD workflows immediately. Block the C2, rip out the malicious artifacts, and rotate every single secret exposed to this build. Consider them burned.

🪣 Brute-Forcing MinIO Buckets
MinIO's STS endpoint leaks LDAP usernames and has zero rate limiting. Anyone can spam the AssumeRoleWithLDAPIdentity action, enumerate valid users, and brute-force their way to temporary AWS-style credentials. From there, your S3 bucket resources are theirs.
Slap a WAF rate limit on that endpoint today and deploy the MinIO patch before someone walks off with your object data.

🧟 Zombie Certificates in AWS-LC
If you compile custom apps with AWS's crypto libraries, your revocation checks are broken. A logic flaw in aws-lc-sys and aws-lc-fips-sys bypasses validation for partitioned CRLs. Hand your app a known-revoked certificate, and it blindly trusts it.

Managed AWS services are unaffected, but custom code using these crates is wide open. Bump the dependencies and rebuild your applications to patch this blind trust out of your codebase.
It's always a good day when we remember that custom regex filters and hardcoded default secrets are the load-bearing pillars of the internet.

🎥 Regex Strikes Again
Someone thought writing custom IP blocklists with regular expressions was a good idea, and now AVideo is bleeding cloud credentials. The unauthenticated LiveLinks proxy tries to block local metadata queries by matching IPv4 strings like 169.254.x.x and standard IPv6 loopbacks. The bypass? Just feed it an IPv4-mapped IPv6 address like ::ffff:169.254.169.254. Since the custom regex ignores mapped prefixes entirely, the request sails right through to the AWS metadata service.

If you are running this in an AWS environment with IMDSv1 still enabled, this drops your temporary IAM role credentials directly into an attacker's lap.
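
An added example (not AVideo's or Budibase's code) of the destination check that both this post and the Budibase SSRF item above call for: parse the host as an address and unwrap IPv4-mapped IPv6 before classifying it, instead of matching strings. The regex is a constructed stand-in for a string blocklist, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-in for a string-matching blocklist of the kind described
# above; it is not AVideo's actual pattern.
NAIVE_BLOCK = re.compile(r"^(127\.|169\.254\.|10\.|192\.168\.|localhost$|::1$)")

def naive_is_blocked(host):
    """String matching: misses any spelling of the address it did not anticipate."""
    return bool(NAIVE_BLOCK.match(host))

def canonical_ip(host):
    """Parse an IP literal and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_blocked(host):
    """Classify the parsed address, not its text."""
    ip = canonical_ip(host)
    if ip is None:
        # A hostname, not a literal: fail closed here. A real proxy resolves
        # it, runs this check on every returned address, and connects to the
        # address it checked.
        return True
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def url_is_blocked(url):
    """Apply the check to the host part of a URL (brackets are stripped by urlsplit)."""
    return is_blocked(urlsplit(url).hostname or "")

if __name__ == "__main__":
    for host in ("169.254.169.254", "::ffff:169.254.169.254",
                 "::ffff:a9fe:a9fe", "8.8.8.8"):
        print(host, naive_is_blocked(host), is_blocked(host))
```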