Research

Vulnerability research and advisories

Actionable writeups with exploit context, metadata, and practical remediation details.

CVE-2026-25707: `libzypp` lets hostile repository metadata escape the cache root

A late-June Linux package-manager disclosure shows that `libzypp` before 17.38.10 trusted `../`-style repository metadata locations, allowing a hostile or compromised repo to steer mirrored files outside the intended cache directory during refresh, so that repository trust became the only boundary against arbitrary local file overwrite.

Jul 1, 2026 • high
CWE-22 • CVE-2026-25707

CVE-2026-55407: `buffa` and `connectrpc` amplify tiny protobuf payloads into Rust OOMs

A June 30 disclosure shows that pre-0.8.0 versions of the Rust crates `buffa` and `connectrpc` can inflate streams of unknown protobuf fields into outsized heap allocations, turning small untrusted messages into process-killing memory amplification.

Jul 1, 2026 • high
CWE-400 • CWE-770 • CVE-2026-55407

CVE-2026-58302: LinuxCNC rtapi_app path traversal to root

LinuxCNC before 2.9.9 installs rtapi_app with elevated privileges and passes user-controlled module names to dlopen() after formatting them as ${EMC2_RTLIB_DIR}/${name}.so. Because neither slashes nor .. segments are rejected, an unprivileged local user can traverse out of the module directory and load an arbitrary shared library as root.

Jun 30, 2026 • high
CWE-22 • CWE-427 • CVE-2026-58302

Weekly Briefing - 30-06-2026

Corgea's weekly briefing for 24-30 June 2026 covers the ImmobiliareLabs Backstage plugin compromise, Leo Platform's expanding Phantom Gyp/Miasma package wave, expr-eval's no-fix Node.js code-execution flaw, and Vite's Windows dev-server secret leak.

Jun 30, 2026 • critical
CWE-506 • CWE-494 • CWE-829

CVE-2026-13502: antlr4-maven-plugin build-state deserialization

CVE-2026-13502 affects org.antlr:antlr4-maven-plugin 4.13.0 through 4.13.2. The public disclosure frames it as a race around the plugin's dependency-status file, but the practical sink is unfiltered ObjectInputStream deserialization of build-directory state under target/maven-status/antlr4/dependencies.ser.

Jun 28, 2026 • high
CWE-362 • CWE-502 • CVE-2026-13502

ImmobiliareLabs Backstage plugins compromised with Phantom Gyp Miasma payload

On 26 June 2026, 22 malicious patch releases hit four `@immobiliarelabs` Backstage plugin families. The poisoned npm artifacts added a `binding.gyp` trigger plus a new 5 MB root `index.js`, turning `npm install` into install-time code execution against environments that often hold GitLab, LDAP, CI, cloud, and developer-portal secrets.

Jun 26, 2026 • critical
CWE-506 • CWE-494 • CWE-829

CVE-2026-53571: Vite `server.fs.deny` bypass leaks protected files on Windows

Vite's dev server on Windows can leak `.env`, `.env.*`, and certificate files that developers expected `server.fs.deny` to block. The bypass uses NTFS alternate-data-stream path forms such as `/.env::$DATA?raw` and, in some cases, 8.3 short-name aliases, affecting `vite` before `6.4.3`, `7.3.5`, and `8.0.16` when the dev server is exposed beyond localhost and the target file sits in an allowed directory.

Jun 25, 2026 • high
CWE-22 • CWE-200 • CVE-2026-53571

Leo Platform npm packages compromised with Phantom Gyp Miasma toolkit

On 24 June 2026, malicious versions of 23 Leo Platform npm packages were published in a six-second burst. Follow-up reporting on 25 June shows the wave was broader than the initial 20-package view: three additional prerelease connector packages were poisoned, `leo-sdk`'s `latest` dist-tag was redirected to the malicious `6.0.19` line, and the same Phantom Gyp plus Bun-staged payload family also overlapped with adjacent npm and source-repository poisoning activity.

Jun 25, 2026 • critical
CWE-506 • CWE-494 • CWE-829

CVE-2026-12866: `expr-eval` turns untrusted formulas into Node.js code execution

A newly published June 2026 npm vulnerability shows that every `expr-eval` release can compile attacker-influenced formulas into executable JavaScript through `Expression.prototype.toJSFunction()`, exposing Node.js services, internal tools, and CI helpers that treat user formulas as data.

Jun 24, 2026 • critical
CWE-94 • CVE-2026-12866

Weekly Briefing - 23-06-2026

Corgea's weekly briefing for 17-23 June 2026 covers the Mastra npm scope takeover that weaponized easy-day-js across more than 140 packages, plus Nodemailer's newly disclosed raw-message file-read and SSRF bypass.

Jun 23, 2026 • critical
CWE-506 • CWE-494 • CWE-829

Nodemailer raw option bypasses disableFileAccess and disableUrlAccess

A newly published high-severity Nodemailer advisory shows that every version up to 9.0.0 can turn attacker-controlled `raw` message input into arbitrary local-file disclosure and full-response SSRF, because the `MailComposer` raw-message path drops the `disableFileAccess` and `disableUrlAccess` guards before `MimeNode` resolves `{ path }` or `{ href }` content.

Jun 19, 2026 • high
CWE-73 • CWE-918 • CWE-200

Mastra npm scope takeover used easy-day-js to Trojanize 141-143 packages

On 17 June 2026, a compromised Mastra maintainer account republished 141 `@mastra/*` packages plus the top-level `mastra` and `create-mastra` packages with a new `easy-day-js: ^1.11.21` dependency that resolved to a weaponized `1.11.22` postinstall dropper. Fresh npm installs thereby launched a detached second stage that established cross-platform persistence and profiled browsers and wallets. In Microsoft's 19 June follow-up, the activity was tied to Sapphire Sleet and was found to have escalated some Windows hosts into PowerShell-backed, SYSTEM-level persistence.

Jun 17, 2026 • critical
CWE-506 • CWE-494 • CWE-829

GlassWASM used TinyGo WebAssembly and Solana memos in trojanized Open VSX extensions

Trojanized Open VSX copies of `ExarGD.vsblack@0.0.1` and `noellee-doc.flint-debug@0.1.1` cloned legitimate extension identities, auto-executed a TinyGo-compiled WebAssembly payload on startup, polled Solana JSON-RPC for memo-based command-and-control, and built OS-specific `child_process` download-and-execute commands for macOS, Linux, and Windows.

Jun 16, 2026 • critical
CWE-506 • CWE-494 • CWE-829

Weekly Briefing - 16-06-2026

Corgea's weekly briefing for 10-16 June 2026 covers the remainder of the week's research not yet covered: the dbmux Phantom Gyp / Miasma compromise, Dulwich's Windows and format-patch path traversal fixes, libp2p's unauthenticated DHT disk-exhaustion flaw, and Spring's internally discovered WebFlux and static-resource DoS fixes.

Jun 16, 2026 • critical
CWE-506 • CWE-22 • CWE-20

CVE-2026-50010, 50011, 50020, and 50560: Netty 4.1.135 / 4.2.15 fix TLS, HTTP/1.1, HTTP/2, and Redis parser flaws

Netty's June security train matters to Maven teams because a custom trust manager can silently disable HTTPS hostname verification, `HttpObjectDecoder` can over-accept leading control bytes and enable request-boundary confusion, `RedisArrayAggregator` can allocate attacker-sized arrays, and HTTP/2 servers can be coerced into response-write failures via client-advertised header limits.

Jun 15, 2026 • high
CWE-347 • CWE-444 • CWE-400

Weekly Briefing - 15-06-2026

Corgea's weekly briefing for 10-15 June 2026 covers the Atomic Arch AUR takeover, Netty's security-heavy 4.1.135 / 4.2.15 release, the onering crates compromise, and a late-breaking Open VSX extension attack that used TinyGo WebAssembly plus Solana memo-based C2.

Jun 15, 2026 • critical
CWE-494 • CWE-506 • CWE-347

Atomic Arch turned orphaned AUR packages into npm and Bun malware launchers

The June 11-12 Atomic Arch campaign adopted orphaned AUR packages and inserted `npm install atomic-lockfile` or Bun-based `js-digest` / `lockfile-js` fetches into package hooks. A malicious lifecycle script then executed `src/hooks/deps`, a Linux ELF infostealer with optional eBPF hiding logic, across a verified `1,619` unique AUR package names.

Jun 14, 2026 • critical
CWE-494 • CWE-506 • CWE-522

CVE-2026-42305 and CVE-2026-47712: Dulwich 1.2.5 fixes Windows checkout abuse and format_patch path traversal

Dulwich before 1.2.5 accepts NTFS-hostile tree entries that can plant files under .git or escape the work tree on Windows, and it also derives format_patch filenames from unsanitized commit subjects, letting attacker-controlled commits write patch files outside the requested output directory.

Jun 12, 2026 • high
CWE-22 • CVE-2026-42305 • CVE-2026-47712

CVE-2026-45783: @libp2p/kad-dht lets unauthenticated peers fill disk with unvalidated PUT_VALUE records

A newly published flaw in @libp2p/kad-dht before 16.2.6 allows any remote peer to stream crafted PUT_VALUE messages whose keys bypass record validation, turning DHT server nodes into unbounded disk sinks until the host or container runs out of storage.

Jun 12, 2026 • high
CWE-20 • CWE-400 • CVE-2026-45783

CVE-2026-41840 and CVE-2026-41842: Spring 7.0.8 fixes WebFlux multipart and versioned-resource DoS flaws

Spring Framework 7.0.8 and 6.2.19 fix two newly disclosed denial-of-service flaws that matter to Maven-based application teams: a WebFlux multipart-processing leak reachable through hostile multipart bodies, and a static-resource resolution path that can pin connections when versioned filesystem assets are enabled.

Jun 10, 2026 • high
CWE-400 • CVE-2026-41840 • CVE-2026-41842