Open Source Security Archives • Daily CyberSecurity

Void Dokkaebi Unmasked: The “Worm-Like” Supply Chain Threat Targeting Developers Void Dokkaebi Supply Chain Infected VS Code Tasks

Void Dokkaebi Unmasked: The “Worm-Like” Supply Chain Threat Targeting Developers

Do Son April 23, 2026

A new report from researchers at TrendMicro has exposed the evolution of Void Dokkaebi (also known as...

Critical 9.4 CVSS Flaw Leaves Dolibarr ERP Open to RCE Dolibarr RCE CVE-2026-23500

Critical 9.4 CVSS Flaw Leaves Dolibarr ERP Open to RCE

Do Son April 20, 2026

A security vulnerability has been identified in Dolibarr ERP & CRM, a popular open-source suite used by...

Froxlor’s CVSS 10 Flaw Turns Config Files into Persistent Backdoors Froxlor RCE Persistent Backdoor

Froxlor’s CVSS 10 Flaw Turns Config Files into Persistent Backdoors

Do Son April 17, 2026

Security researchers have sounded the alarm on two critical vulnerabilities within Froxlor, the popular open-source server management...

The Human Element: How a Single GitHub Token Leak Put Apache HTTP Server in the Spotlight Apache HTTP Server credential leak

The Human Element: How a Single GitHub Token Leak Put Apache HTTP Server in the Spotlight

Do Son April 9, 2026

The recent code modifications published by the esteemed open-source project, Apache HTTP Server (httpd), have ignited widespread...

Budibase Patches Critical RCE and SSRF Vulnerabilities Budibase RCE SSRF Vulnerability Budibase Vulnerabilities Authentication Bypass

Budibase Patches Critical RCE and SSRF Vulnerabilities

Do Son April 7, 2026

Budibase, the popular open-source low-code platform used by engineers to rapidly build internal tools, has released urgent...

Keycloak Under Siege: Patch Now to Stop Token Theft and Account Takeovers Keycloak vulnerabilities Keycloak Security MFA Bypass

Keycloak Under Siege: Patch Now to Stop Token Theft and Account Takeovers

Do Son April 6, 2026

The popular open-source identity and access management solution Keycloak has released a critical security update, version 26.5.7,...

The Human Variable: How a Masterful Phishing Ruse Hijacked Axios and 100 Million Users Axios proxy vulnerabilities prototype pollution gadget Axios Vulnerability Cloud Hijacking Axios npm supply chain attack Axios Vulnerability Node.js DoS CVE-2025-58754 CVE-2025-27152 Axios Vulnerability, Form-Data Flaw

Axios proxy vulnerabilities prototype pollution gadget Axios Vulnerability Cloud Hijacking Axios npm supply chain attack Axios Vulnerability Node.js DoS CVE-2025-58754 CVE-2025-27152 Axios Vulnerability, Form-Data Flaw

The Human Variable: How a Masterful Phishing Ruse Hijacked Axios and 100 Million Users

Do Son April 3, 2026

The esteemed open-source library Axios, a staple of the contemporary industry, recently fell victim to a cyber...

Squid Caching Proxy Alert: Critical ICP Protocol Flaws Threaten Web Infrastructure CVE-2024-25617 CVE-2025-59362 Squid Proxy ICP Vulnerability

CVE-2024-25617 CVE-2025-59362 Squid Proxy ICP Vulnerability

Squid Caching Proxy Alert: Critical ICP Protocol Flaws Threaten Web Infrastructure

Do Son March 25, 2026

Squid, the widely deployed open-source caching proxy, has been hit with a trio of significant security vulnerabilities...

High-Severity JSON Schema Flaw Threatens MariaDB Database Stability MariaDB Vulnerability JSON Schema Overflow

High-Severity JSON Schema Flaw Threatens MariaDB Database Stability

Do Son March 24, 2026

MariaDB, the widely used open-source relational database and community-developed fork of MySQL, has released critical updates to...

The $12.5 Million Shield: How Big Tech is Funding the Fight Against “AI Slop” in Open Source Open-source AI bug surge

The $12.5 Million Shield: How Big Tech is Funding the Fight Against “AI Slop” in Open Source

Do Son March 24, 2026

A consortium of six technological titans—Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI—has collectively pledged a formidable 12.5...

AI vs. Bugs: OpenAI Launches “Codex Security” to Revolutionize AppSec OpenAI Advanced Account Security Phishing-Resistant AI Authentication OpenAI Codex Security AI Application Security

OpenAI Advanced Account Security Phishing-Resistant AI Authentication OpenAI Codex Security AI Application Security

AI vs. Bugs: OpenAI Launches “Codex Security” to Revolutionize AppSec

Do Son March 7, 2026

Recently, OpenAI has officially unveiled Codex Security, an advanced application security agent designed to identify and fix...

Stream Hijacked: Critical Zero-Click Command Injection Flaw Exposed in AVideo-Encoder AVideo-Encoder Vulnerability CVE-2026-29058

Stream Hijacked: Critical Zero-Click Command Injection Flaw Exposed in AVideo-Encoder

Do Son March 6, 2026

Security researchers have uncovered a critical vulnerability in AVideo-Encoder, a key component of the open-source AVideo Platform...

Critical Vulnerabilities in AVideo: From SQL Injection to Remote Code Execution AVideo RCE YPTSocket Vulnerability AVideo Vulnerabilities Streaming Platform Security AVideo Vulnerabilities CVE-2026-28501

AVideo RCE YPTSocket Vulnerability AVideo Vulnerabilities Streaming Platform Security AVideo Vulnerabilities CVE-2026-28501

Critical Vulnerabilities in AVideo: From SQL Injection to Remote Code Execution

Do Son March 4, 2026

Security researchers have identified two severe vulnerabilities in AVideo, a popular open-source video streaming platform used by...

Security Alert: “Hackerbot-Claw” Autonomous Campaign Exploits GitHub Actions hackerbot-claw campaign Cisco RCE Exploit CVE-2026-20045 SonicWall VPN, Akira Ransomware Nobelium Apache Tomcat, Apache Camel

hackerbot-claw campaign Cisco RCE Exploit CVE-2026-20045 SonicWall VPN, Akira Ransomware Nobelium Apache Tomcat, Apache Camel

Security Alert: “Hackerbot-Claw” Autonomous Campaign Exploits GitHub Actions

Do Son March 3, 2026

Christopher Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation (OpenSSF), has...

Critical Flaws in Vikunja Expose Users to Persistent Account Takeovers Vikunja Persistent Takeover CVE-2026-28268

Critical Flaws in Vikunja Expose Users to Persistent Account Takeovers

Do Son March 2, 2026

Vikunja is a popular open-source, self-hostable to-do application designed to help users organize their tasks using list,...

The Cryptography Trojan: Malicious Go Module Impersonates Foundational Library to Steal Passwords and Deploy Root Backdoors Go Supply Chain Attack Rekoobe Backdoor

The Cryptography Trojan: Malicious Go Module Impersonates Foundational Library to Steal Passwords and Deploy Root Backdoors

Do Son March 2, 2026

Socket’s Threat Research Team recently uncovered a dangerous new supply chain attack: a malicious Go programming module...

30-Year-Old Bug: High-Severity libpng Flaw (CVSS 8.3) Exposes Millions of Apps libpng Vulnerability CVE-2026-25646 libpng Vulnerability Remote Code Execution (RCE)

libpng Vulnerability CVE-2026-25646 libpng Vulnerability Remote Code Execution (RCE)

30-Year-Old Bug: High-Severity libpng Flaw (CVSS 8.3) Exposes Millions of Apps

Do Son February 10, 2026

A high-severity vulnerability has been unearthed in libpng, the official and ubiquitous reference library for handling PNG...

Identity at Risk: Apache Syncope Patches Critical Login XSS & XXE Flaws

Do Son February 3, 2026

The Apache Software Foundation has released crucial security updates for Apache Syncope, its open-source digital identity management...

Notepad++ Hijacked: State-Sponsored Actors Poisoned Updates for Months FortiClient EMS exploitation Cisco FIRESTARTER Backdoor Arcane Door Campaign Dell RecoverPoint Zero-Day UNC6201 Espionage Notepad++ Compromise Supply Chain Attack Magento SessionReaper CVE-2025-54236 ShadowRay 2.0, AI-Generated Malware WordPress Auth Bypass, CVE-2025-5947 Exploited EcoStruxure Vulnerabilities, Industrial Control System UNC5820 - CVE-2014-2120 - CVE-2021-44207

FortiClient EMS exploitation Cisco FIRESTARTER Backdoor Arcane Door Campaign Dell RecoverPoint Zero-Day UNC6201 Espionage Notepad++ Compromise Supply Chain Attack Magento SessionReaper CVE-2025-54236 ShadowRay 2.0, AI-Generated Malware WordPress Auth Bypass, CVE-2025-5947 Exploited EcoStruxure Vulnerabilities, Industrial Control System UNC5820 - CVE-2014-2120 - CVE-2021-44207

Notepad++ Hijacked: State-Sponsored Actors Poisoned Updates for Months

Do Son February 2, 2026

The developer behind Notepad++, the ubiquitous open-source text editor found on millions of developer desktops, has confirmed...

“Repo Squatting”: How Hackers Are Using GitHub’s Own Features to Hijack Official Repos GitHub Copilot Pro trial suspension GitHub Actions Platform Fee, Self-Hosted Runner Tax 2026 GitHub Apple ID, Privacy Login GitHub Microsoft Github disruptions CVE-2025-30066 GitHub Outage, Service Disruption

GitHub Copilot Pro trial suspension GitHub Actions Platform Fee, Self-Hosted Runner Tax 2026 GitHub Apple ID, Privacy Login GitHub Microsoft Github disruptions CVE-2025-30066 GitHub Outage, Service Disruption

“Repo Squatting”: How Hackers Are Using GitHub’s Own Features to Hijack Official Repos

Do Son January 27, 2026

In a clever twist on software supply chain attacks, threat actors are weaponizing a quirk in GitHub’s...

Critical Alert 3 Active Exploits Detected Today

Critical Alert

Open Source Security

Void Dokkaebi Unmasked: The “Worm-Like” Supply Chain Threat Targeting Developers

Critical 9.4 CVSS Flaw Leaves Dolibarr ERP Open to RCE

Froxlor’s CVSS 10 Flaw Turns Config Files into Persistent Backdoors

The Human Element: How a Single GitHub Token Leak Put Apache HTTP Server in the Spotlight

Budibase Patches Critical RCE and SSRF Vulnerabilities

Keycloak Under Siege: Patch Now to Stop Token Theft and Account Takeovers

The Human Variable: How a Masterful Phishing Ruse Hijacked Axios and 100 Million Users

Squid Caching Proxy Alert: Critical ICP Protocol Flaws Threaten Web Infrastructure

High-Severity JSON Schema Flaw Threatens MariaDB Database Stability

The $12.5 Million Shield: How Big Tech is Funding the Fight Against “AI Slop” in Open Source

AI vs. Bugs: OpenAI Launches “Codex Security” to Revolutionize AppSec

Stream Hijacked: Critical Zero-Click Command Injection Flaw Exposed in AVideo-Encoder

Critical Vulnerabilities in AVideo: From SQL Injection to Remote Code Execution

Critical Flaws in Vikunja Expose Users to Persistent Account Takeovers

The Cryptography Trojan: Malicious Go Module Impersonates Foundational Library to Steal Passwords and Deploy Root Backdoors

30-Year-Old Bug: High-Severity libpng Flaw (CVSS 8.3) Exposes Millions of Apps

Identity at Risk: Apache Syncope Patches Critical Login XSS & XXE Flaws

Notepad++ Hijacked: State-Sponsored Actors Poisoned Updates for Months