Web Security Archives • Page 2 of 5 • Daily CyberSecurity

Frontend Secrets Exposed: Vite Patches Critical Security Bypass in Dev Server Vite Vulnerability Arbitrary File Read

Frontend Secrets Exposed: Vite Patches Critical Security Bypass in Dev Server

Do Son April 9, 2026

Vite has become the “speed demon” of modern frontend development, prized for its lightning-fast Hot Module Replacement...

UAT-10608 Uses a Next.js “React2Shell” Flaw to Map Your Entire Cloud NEXUS Listener React2Shell Vulnerability

UAT-10608 Uses a Next.js “React2Shell” Flaw to Map Your Entire Cloud

Do Son April 7, 2026

Cisco Talos has revealed a major automated credential harvesting campaign, tracked as UAT-10608, that has already compromised...

Whitespace Flaw Re-Opens Critical JWT “Algorithm Confusion” Bypass fast-jwt JWT Algorithm Confusion

Whitespace Flaw Re-Opens Critical JWT “Algorithm Confusion” Bypass

Do Son April 6, 2026

Security researchers have disclosed two major vulnerabilities within fast-jwt, a high-performance library used to implement JSON Web...

Password Hijack in the Modern Stack: Payload CMS Patches Critical 9.1 CVSS Reset Flaw Payload CMS Vulnerability CVE-2026-34751

Password Hijack in the Modern Stack: Payload CMS Patches Critical 9.1 CVSS Reset Flaw

Do Son April 3, 2026

The rapid-growth, fullstack Next.js framework Payload—known for giving developers “instant backend superpowers” —is facing a serious security...

The xmldom CDATA Flaw That Puts 23 Million Weekly Users at Risk xmldom Vulnerability XML Injection

The xmldom CDATA Flaw That Puts 23 Million Weekly Users at Risk

Do Son April 2, 2026

A significant vulnerability has been discovered in xmldom, a massive JavaScript library with over 23.5 million weekly...

The Weakest Link: Popular Node.js Config Library “Convict” Hit by Prototype Pollution Prototype Pollution node-convict Vulnerability

The Weakest Link: Popular Node.js Config Library “Convict” Hit by Prototype Pollution

Do Son March 30, 2026

A critical vulnerability has been uncovered in node-convict, the widely used configuration management library designed to make...

Scriban’s “Leaky” Cache: A 9.1 CVSS Sandbox Escape Hits 40 Million .NET Installs Scriban Vulnerability .NET Sandbox Escape

Scriban’s “Leaky” Cache: A 9.1 CVSS Sandbox Escape Hits 40 Million .NET Installs

Do Son March 30, 2026

A critical security flaw has been identified in Scriban, the popular high-performance scripting language and engine for...

One Character to Rule Them All: How a Missing Slash Bypasses gRPC-Go Security (CVE-2026-33186) gRPC-Go Vulnerability Authorization Bypass

One Character to Rule Them All: How a Missing Slash Bypasses gRPC-Go Security (CVE-2026-33186)

Do Son March 23, 2026

A significant security flaw has been identified in gRPC-Go, the high-performance Go implementation of the gRPC framework....

Critical Craft CMS Flaw Grants Instant Admin Access Craft CMS Vulnerability CVE-2026-32267 CVE-2023-41892 Craft CMS CVE-2025-32432

Critical Craft CMS Flaw Grants Instant Admin Access

Do Son March 18, 2026

In the world of web development, the “Live Preview” button is a staple for content editors—a harmless...

Django Releases Security Patches to Address DoS and Permission Vulnerabilities Django Security Update CVE-2026-25673 Django Security Update SQL Injection Vulnerability Django SQL Injection, PostgreSQL Flaw CVE-2022-34265 PoC Django, SQL injection

Django Security Update CVE-2026-25673 Django Security Update SQL Injection Vulnerability Django SQL Injection, PostgreSQL Flaw CVE-2022-34265 PoC Django, SQL injection

Django Releases Security Patches to Address DoS and Permission Vulnerabilities

Do Son March 4, 2026

The Django security team has issued important updates for all supported versions of the framework to address...

Critical RCE Flaw in Qwik Framework Allows Server Takeover via Single Request Qwik RCE CVE-2026-27971

Critical RCE Flaw in Qwik Framework Allows Server Takeover via Single Request

Do Son March 4, 2026

Security researchers have identified a critical vulnerability in Qwik, the popular web framework known for its “instant-on”...

High-Severity XSS Flaw in Angular i18n Turns Language Files into Backdoors Angular hostname hijacking vulnerability Angular SSRF Origin Hijacking Angular XSS Vulnerability CVE-2026-32635 Angular i18n XSS CVE-2026-27970 Angular SSR SSRF CVE-2026-27739 Angular Vulnerability CVE-2026-22610 CVE-2025-59052 Angular security Angular XSS Bypass, SVG Injection

Angular hostname hijacking vulnerability Angular SSRF Origin Hijacking Angular XSS Vulnerability CVE-2026-32635 Angular i18n XSS CVE-2026-27970 Angular SSR SSRF CVE-2026-27739 Angular Vulnerability CVE-2026-22610 CVE-2025-59052 Angular security Angular XSS Bypass, SVG Injection

High-Severity XSS Flaw in Angular i18n Turns Language Files into Backdoors

Do Son March 3, 2026

A newly security flaw was found in the widely used Angular web building platform. Identified as CVE-2026-27970...

Steering the Server: Critical 9.2 Severity SSRF Flaw in Angular SSR Allows Internal Network Probing Angular hostname hijacking vulnerability Angular SSRF Origin Hijacking Angular XSS Vulnerability CVE-2026-32635 Angular i18n XSS CVE-2026-27970 Angular SSR SSRF CVE-2026-27739 Angular Vulnerability CVE-2026-22610 CVE-2025-59052 Angular security Angular XSS Bypass, SVG Injection

Steering the Server: Critical 9.2 Severity SSRF Flaw in Angular SSR Allows Internal Network Probing

Do Son March 2, 2026

Developers relying on Angular’s Server-Side Rendering (SSR) capabilities need to double-check their security configurations. A highly critical...

Death of the XSS Bug? Firefox 148 Debuts the Sanitizer API to Neutralize Malicious Scripts Sanitizer API Firefox 148 Security Firefox WebRTC Vulnerability CVE-2025-14321 PoC Firefox VPN Feature, Browser-Only VPN Firefox Add-ons Rollback Firefox Encryption Firefox MKV support Firefox ESR, Windows 7

Sanitizer API Firefox 148 Security Firefox WebRTC Vulnerability CVE-2025-14321 PoC Firefox VPN Feature, Browser-Only VPN Firefox Add-ons Rollback Firefox Encryption Firefox MKV support Firefox ESR, Windows 7

Death of the XSS Bug? Firefox 148 Debuts the Sanitizer API to Neutralize Malicious Scripts

Do Son February 25, 2026

Cross-site scripting (XSS) has haunted web developers for decades, consistently ranking as one of the most pervasive...

200k Sites Exposed: Critical CleanTalk Flaw (CVSS 9.8) Allows RCE CleanTalk Vulnerability CVE-2026-1490

200k Sites Exposed: Critical CleanTalk Flaw (CVSS 9.8) Allows RCE

Do Son February 16, 2026

A plugin designed to keep spam bots at bay has inadvertently left the back door open for...

CVE-2026-25993: Critical EverShop SQL Injection (CVSS 9.3) Exposes Stores EverShop Vulnerability Second-Order SQL Injection

CVE-2026-25993: Critical EverShop SQL Injection (CVSS 9.3) Exposes Stores

Do Son February 12, 2026

A critical vulnerability has been discovered in EverShop, a modern, developer-focused e-commerce platform built on React and...

“Fiber” Optic Failure: Predictable UUIDs Expose Go Web Framework to Hijacking CVE-2024-25124 Fiber Framework Vulnerability CVE-2025-66630

“Fiber” Optic Failure: Predictable UUIDs Expose Go Web Framework to Hijacking

Do Son February 11, 2026

A critical vulnerability has been uncovered in Fiber, the high-performance web framework for Go that powers countless...

shell-quote command injection AI-Driven Vulnerabilities Q1 2026 Cyber Threats vm2 Sandbox Escape Node.js RCE upKeeper Privilege Escalation CVE-2026-2449 Pharos Controls Vulnerability Root Access Exploit Cybersecurity Vulnerability Roundup CVSS 10.0 Flaws Shadow Archives CVE-2026-0866 MS-Agent Prompt Injection CVE-2026-2256 basic-ftp Path Traversal CVE-2026-27699 telnetd Root Vulnerability CVE-1999-0073 Regression USR-W610 Vulnerabilities End-of-Life IoT Security IceWarp Security Update IceWarp Vulnerabilities Airleader Master Vulnerability CVE-2026-1358 ZLAN5143D Vulnerability CISA ICS Advisory Acronis Cyber Protect Vulnerability CVE-2025-30411 WAGO 852 Vulnerability OT Network Security SandboxJS Vulnerability Sandbox Escape (CVSS 10.0) Kubernetes Local Path Provisioner CVE-2025-62878 CISA Unresponsive Vendors Avation & RISS Vulnerabilities KiloView Vulnerability CVE-2026-1453 OpenClaw RCE vulnerability Johnson Controls Vulnerability CVE-2025-26385 SandboxJS Vulnerability CVE-2026-23830 ibaPDA Vulnerability CVE-2025-14988 Protobuf Vulnerability CVE-2026-0994 AVEVA Process Optimization Vulnerability CVE-2025-61937 ConnectWise PSA Vulnerability CVE-2026-0695 Aruba VIA Vulnerability CVE-2025-37186 aiohttp v3.13.3, Denial of Service (DoS) SmarterMail RCE, CVE-2025-52691 Airoha RACE, Headphone Jacking HPE OneView RCE CVE-2025-37164 FreePBX Auth Bypass, PBX Takeover ScreenConnect Config Flaw, Untrusted Extensions Ruby SAML Auth Bypass, XML Parser Differential Devolutions SQL Injection, Password Manager Flaw Vivotek Unauthenticated RCE, EOL IP Camera Flaw Lynx+ Critical Flaw, Unauthenticated Reset Firebox Default Credentials, CVE-2025-59396 Veeder-Root RCE, Critical ATG Flaw ArcGIS Server SQLi Watchdoc RCE, CVE-2025-58384 Delta DIALink Daikin Security Gateway, authentication bypass Frostbyte10, industrial controller security SunPower, vulnerability Ubiquiti UniFi Connect, EV Station Vulnerabilities Adobe Experience Manager, RCE Vulnerability UniFi Access, Command Injection LDAPNightmare - CVE-2025-1316

Sandbox Breakout: Critical SandboxJS Flaw (CVE-2026-25881) Allows Host Takeover

Do Son February 11, 2026

A critical vulnerability has been discovered in SandboxJS, a popular library designed to safely execute untrusted JavaScript...

Code Red: 4 Critical SandboxJS Flaws (CVSS 10.0) Allow Host Takeover

Do Son February 9, 2026

A quartet of critical vulnerabilities has been discovered in SandboxJS, a library designed to isolate and secure...

“PDF” Poison: Popular JavaScript Library Patches Critical Injection and Crash Flaws

Do Son February 6, 2026

Developers using jsPDF, a widely adopted library for generating PDF files directly in the browser, are being...

Critical Alert 3 Active Exploits Detected Today

Critical Alert

Web Security

Frontend Secrets Exposed: Vite Patches Critical Security Bypass in Dev Server

Whitespace Flaw Re-Opens Critical JWT “Algorithm Confusion” Bypass

Password Hijack in the Modern Stack: Payload CMS Patches Critical 9.1 CVSS Reset Flaw

The xmldom CDATA Flaw That Puts 23 Million Weekly Users at Risk

The Weakest Link: Popular Node.js Config Library “Convict” Hit by Prototype Pollution

Scriban’s “Leaky” Cache: A 9.1 CVSS Sandbox Escape Hits 40 Million .NET Installs

Critical Craft CMS Flaw Grants Instant Admin Access

Django Releases Security Patches to Address DoS and Permission Vulnerabilities

Critical RCE Flaw in Qwik Framework Allows Server Takeover via Single Request

High-Severity XSS Flaw in Angular i18n Turns Language Files into Backdoors

Steering the Server: Critical 9.2 Severity SSRF Flaw in Angular SSR Allows Internal Network Probing

Death of the XSS Bug? Firefox 148 Debuts the Sanitizer API to Neutralize Malicious Scripts

200k Sites Exposed: Critical CleanTalk Flaw (CVSS 9.8) Allows RCE

CVE-2026-25993: Critical EverShop SQL Injection (CVSS 9.3) Exposes Stores

“Fiber” Optic Failure: Predictable UUIDs Expose Go Web Framework to Hijacking

Sandbox Breakout: Critical SandboxJS Flaw (CVE-2026-25881) Allows Host Takeover

Code Red: 4 Critical SandboxJS Flaws (CVSS 10.0) Allow Host Takeover

“PDF” Poison: Popular JavaScript Library Patches Critical Injection and Crash Flaws