CVE
Browse all articles, tutorials, and guides about CVE
Posts
NGINX Rift (CVE-2026-42945): The 18-Year-Old Rewrite Bug That Hands an Attacker Your Worker Process
An autonomous code-audit tool found an 18-year-old heap overflow in NGINX's rewrite module. Affects every release from 0.6.27 through 1.30.0, plus NGINX Plus and the entire F5 product line. Full RCE PoC is public. Here is the one-line config grep that tells you whether you are exposed, the patch matrix, and what to do about the long tail of products that bundle the vulnerable nginx without a vendor patch yet.
Dirty Frag (CVE-2026-43284 + CVE-2026-43500): Local Root on Every Major Linux Distro
A two-bug chain in the Linux kernel networking subsystems lets any unprivileged local user become root in a single command. The PoC is public, the embargo broke, and not all distros have a patch yet.
Next.js 16.2.6 and 15.5.18 Ship 13 Security Fixes: Patch Now
Vercel released back-to-back security updates for Next.js covering 7 high, 4 moderate, and 2 low severity advisories, including an upstream React denial-of-service issue. Here is what is broken, who is exposed, and the rollout path.
Mini Shai-Hulud: PyTorch Lightning Just Stole Your CI Secrets
On April 30 a supply chain worm pushed malicious versions of PyTorch Lightning (10M+ downloads/month), intercom-client, and intercom-php to PyPI, npm, and Packagist in 48 hours. It steals every credential in your CI and propagates through your own GitHub tokens. Here is what to check and what to rotate.
CVE-2026-3854: A Single git push Owned GitHub
A semicolon in a git push option let any authenticated user run code on GitHub.com's backend and on 88% of self-hosted GitHub Enterprise installs. Here is how the bug worked and what to do.
Two Composer Command Injection Flaws Let Attackers Run Arbitrary Code - Even Without Perforce
CVE-2026-40176 and CVE-2026-40261 affect all Composer 2.x versions. A malicious composer.json or crafted package metadata can execute OS commands on your machine. Upgrade to 2.9.6 now.