Kai Ole Hartwig — Blog

Blog

Security analyses, DevSecOps, TYPO3 & Kubernetes — and, in between, personal notes from life as a caregiving father. Posts in the “Personal” category are exactly that.

Sylius, Symfony, PHP, e-commerce, GHSA-5597-7rmh-97q5, GHSA-mr9r-h354-966r, GHSA-6955-hrm5-c4qp, LiveComponent, IDOR, broken access control, payment request, API Platform, CWE-639, CWE-863, NIS-2, German Mittelstand

Sylius security release (2.0.18/2.1.15/2.2.6)

Incident analysis (cluster post) of the Sylius security release of 2 June 2026. Three advisories in the shop/payment API path: GHSA-5597-7rmh-97q5 (cart FormComponent deletes/alters a completed order, CVSS 6.5, CWE-672/841), GHSA-mr9r-h354-966r (IDOR on shop payment-request endpoints, CWE-639) and GHSA-6955-hrm5-c4qp (channel-based payment-method restriction bypass, CVSS 4.3, CWE-863). Affected: 2.0.0-2.0.17, 2.1.0-2.1.14, 2.2.0-2.2.5. Fixed in 2.0.18 / 2.1.15 / 2.2.6. No CVE IDs, all Moderate, no known active exploitation. Fix via composer update; each flaw has a documented service-override workaround.

VSCode, webview, github.dev, GitHub, token stealing, supply chain, OAuth, full disclosure, Jupyter, extension, platform operations, DevSecOps

VSCode webview escape (github.dev token stealing)

One click on a crafted github.dev link is enough to steal a GitHub OAuth token with full access to all repos. No patch available. Analysis of the exploit chain (Jupyter-notebook XSS + webview keydown forwarding + extension install), immediate measures and operator recommendation. Ammar Askar, full disclosure 2 June 2026.

NVIDIA OpenShell, GitHub Copilot, Microsoft Build 2026, agent containment, sandbox, credential isolation, policy-as-code, least privilege, Apache 2.0, Foundry Local, Azure Local, on-device agents, sovereignty, GDPR, AI agents, DevSecOps, MCP

OpenShell agent containment (Build 2026)

Daily brief on the OpenShell integration into GitHub Copilot (Microsoft Build 2026, 2 June): agents get their own containment and execution substrate — sandboxed containers, policy-as-code, credential isolation. Separation of capability and authorisation, openly licensed, model-agnostic — for the Mittelstand first a data-protection and sovereignty question.

FrankenPHP, FrankenPHP 1.12.4, Caddy 2.11.4, Mercure 0.24.2, header spoofing, underscore header, CGI, X-Forwarded-For, GHSA-vcc4-2c75-vc9v, CWE-93, SSE, worker mode, data race, PHP app server, Symfony, Docker, DevSecOps, supply chain

FrankenPHP 1.12.4 (underscore-header / Caddy 2.11.4)

Hardening release FrankenPHP 1.12.4: underscore-header spoofing closed at the server, bundled Caddy 2.11.4 and Mercure 0.24.2 security patches, plus worker-mode crash and data-race fixes. No active 0-day, but "every user should upgrade" — with mitigation, detection and operator guidance.

npm, binding.gyp, node-gyp, supply chain, worm, credential harvesting, CI/CD, GitHub Actions, Bun, AES-128-GCM, dangling commit, autotel, awaitly, node-env-resolver, StepSecurity, ignore-scripts, DevSecOps

binding.gyp npm worm (node-gyp)

Ongoing npm supply chain incident: a self-replicating worm uses binding.gyp/node-gyp instead of postinstall, downloads the Bun runtime, harvests cloud/registry credentials, injects setup-bun into GitHub Actions workflows and poisons further packages of the victim. With mitigation, detection IOCs and operator guidance — package list delegated to the primary source.

Miasma, Shai-Hulud, supply chain, AI coding agents, Claude Code, Cursor, Gemini CLI, VS Code, GitHub, config injection, SessionStart hook, Bun, credential harvesting, Azure, durabletask, npm, DevSecOps, prompt injection

Miasma editor wave (AI coding agents)

The Miasma family follows the developer from the package manager into the editor: a commit plants six files, five of them triggers (SessionStart hook in .claude/.gemini, alwaysApply rule in .cursor, folderOpen task in .vscode, test-script hijack) for a 4.3 MB Bun dropper. Cloning is safe, opening is not. 113 repos (floor) incl. Azure/durabletask. --ignore-scripts does not catch a SessionStart hook. With mitigation, detection, operator guidance.

PHP, ext-soap, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7258, CVE-2026-6104, use-after-free, RCE, SoapServer, urldecode, mbstring, PHP 8.4, Composer, DevSecOps, memory corruption

PHP SOAP CVE-2026-6722 (UAF RCE)

CVE-2026-6722: use-after-free in PHP ext-soap (object dedup via id/href without refcount increment, Apache-map UAF, heap grooming via strings) — unauthenticated RCE on SoapServer exposure. Plus CVE-2026-7261 (UAF SoapServer/session), -7262 (NULL deref/DoS), -7258 (OOB read in urldecode, SOAP-independent) and -6104 (mbstring overrun). Fix 8.2.31/8.3.31/8.4.21/8.5.6. Moselwal: SOAP practically retired — disabled is not the same as not loaded. Deliberately not a 48h daily item (disclosure 12 May 2026).

compressing, npm, Node.js, CVE-2026-40931, CVE-2026-24884, symlink, path traversal, arbitrary file write, git clone, supply chain, CI/CD, lstat, path.resolve, RCE, DevSecOps

compressing CVE-2026-40931 (patch bypass)

An early-June public deep-dive on a patch bypass (CVE-2026-40931) in the npm library compressing: path.resolve()/startsWith validate only the string, not whether a path segment is a symlink on disk. The symlink is not embedded in the archive but planted in advance via git clone; on extraction fs.writeFile follows it and writes outside the target. With mitigation, detection, root cause and operator guidance; fix 2.1.1 / 1.10.5.

nginx-poolslip, nginx zero-day, NGINX 1.31.0, ASLR bypass, heap feng shui, Vega AI, NebSec, reverse proxy security, German Mittelstand, DevSecOps

nginx-poolslip 0-day (nginx 1.31.0)

Nebula Security disclosed on 21 May 2026 an unauthenticated RCE path (codename nginx-poolslip) in the internal memory pool allocator of nginx 1.31.0 mainline — ASLR bypass via heap feng shui, no CVE number, no official patch, no public exploit code, 30-day embargo after patch. A situation analysis that draws a clean line between fresh-and-unverified and actively-mitigate — written from the perspective of a platform operator that has replaced NGINX in its own stack with FrankenPHP/Caddy, but still operationally maintains existing customers with NGINX in the path.

CVE-2026-5950, BIND 9, DNS resolver, ISC, resource exhaustion, recursive resolver, DNS resilience, infrastructure hardening, German Mittelstand, DevSecOps

BIND 9 resolver loop (CVE-2026-5950)

ISC published the advisory for CVE-2026-5950 on 20 May 2026 — an unbounded resend loop in the BIND 9 resolver state machine under the bad-server handling path. Affected: 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, and 9.21.7 through 9.21.21 plus the subscription lines. Authoritative services are not affected per ISC, recursive resolvers are. Patches are available in 9.18.49, 9.20.23, and 9.21.22. Situation analysis plus architecture occasion for DNS resilience with redundancy and implementation mix.

multi-agent, single-agent, agentic AI, AI agents, CoT-SC, chain-of-thought, self-consistency, agent orchestration, architecture, cost, BrowseComp-Plus, arXiv, Salesforce AI Research, NTU, UBC, HKUST, MCP, A2A, SME

Multi-agent illusion

Daily brief on the preprint 'The Illusion of Multi-Agent Advantage': multi-agent is an architecture decision, not a default. What SMEs should take from the cost finding and the data-protection flank (more agents = more inference calls = a larger third-country surface).

symfony 7.4.12, 8.0.12, 6.4.40, webhook hmac bypass, mailtrap, cve-2026-45755, mailjet, lox24, cve-2026-45754, twilio, cve-2026-47212, jsonpath redos, cve-2026-45756, himanshu anand, convention vs contract, sbom, renovate, German Mittelstand

Symfony Webhook HMAC Follow-up

Composer tree audit, secret verify, trusted_proxies — the follow-up template for CVE-2026-45754 / -45755 / -45756 / -47212. All four reported by Himanshu Anand, all four with the same Convention-vs-Contract pattern in doParse(Request, #[SensitiveParameter] string $secret).

laravel-lang, laravel, composer, packagist, supply chain, credential stealer, tag injection, github fork, flipboxstudio, aikido, socket, postinstall, branch tracking, sbom, lockfile pinning, composer audit, German Mittelstand

Twin Composer Incident on 22 May 2026 — Laravel-Lang Tag Injection (Aikido) and Postinstall Wave in 8 Composer Packages + 700+ GitHub Repositories (Socket)

Two parallel Composer incidents on 22 May 2026: tag injection through GitHub fork commits (Laravel-Lang, Aikido) and postinstall hooks in package.json plus branch-tracking versions (Socket, 8 Composer packages + 700+ repos). C2 endpoints flipboxstudio.info and parikhpreyash4/systemd-network-helper-aa5c751f.

Project Glasswing, Anthropic, Claude Mythos Preview, Claude Security, CI/CD, DevSecOps, Patch Tuesday, OpenSSF Alpha-Omega, ExploitBench, ExploitGym, NIS-2, EU AI Act, DORA, GDPR, German Mittelstand, Supply Chain Security, Coordinated Vulnerability Disclosure, Cloudflare, Mozilla, wolfSSL, CVE-2026-5194

Project Glasswing 30 Days

Daily brief on the Project Glasswing 30-day update from 22 May 2026: finding bugs is no longer the bottleneck; verifying, patching and rolling out is, and the Mittelstand sits at the receiving end of the wave.

Drupal, CVE-2026-9082, SA-CORE-2026-004, PostgreSQL, SQL injection, Doctrine DBAL, TYPO3, Symfony, parser differential, JSON encoder, entity query, array shape, trust boundary, CISA KEV, German Mittelstand, DevSecOps

Drupal CVE-2026-9082 (parser-differential class)

The Drupal SQLi wave of 20/22 May 2026 is the pattern carrier of the same class that triggered the SymfonyRuntime wave (CVE-2026-46626) two weeks earlier: a parser differential between two layers that appear to parse the same input. This post dissects the technical cause and carries the audit reflex over to the TYPO3 / Doctrine DBAL stack.

Claude Code, Gemini CLI, SEO poisoning, infostealer, fileless malware, PowerShell, AMSI bypass, ETW bypass, Anthropic, Google, EclecticIQ, MIRhosting, developer workstation, supply chain, OAuth tokens, CI/CD credentials, Slack, Microsoft Teams, OpenVPN, PuTTY, WinSCP, MCP, agentic AI, German Mittelstand, NIS-2, BSI, GDPR, SOPS, YubiKey, FIDO2, OIDC, secret rotation, password manager, age

AI tool install as trap (SEO poisoning)

Daily brief on the EclecticIQ analysis from May 21, 2026 of an SEO poisoning campaign running since March against the install pages of Claude Code and Gemini CLI. AI agent tooling adoption has arrived as its own supply chain track in the eCrime economy; the German Mittelstand needs inventory, PowerShell hardening and a secret discipline (SOPS / YubiKey / OIDC with minute-scale tokens / password manager with rotation) that shrinks the value of a compromised notebook to a few minutes of valid tokens.

TYPO3 14.3.2, TYPO3 13.4.30, maintenance release, Symfony, Composer, CVE-2026-45065, CVE-2026-45067, CVE-2026-45068, CVE-2026-45070, CVE-2026-45073, CVE-2026-45133, CVE-2026-45304, CVE-2026-45305, CVE-2026-45793, dependency raise, continuous deployment

TYPO3 14.3.2 + 13.4.30 (maintenance)

Both releases are announced as "maintenance only" — no dedicated core security advisory. But the dependency-raise commit carries nine CVE references that we document in writing for DPO/audit purposes. Plus npm devdep cleanup, site-aware cache-tag collection, an MD5 cleanup, and in 14.3.2 additionally a live-search language flag and fluid:analyze useNonce detection.

Abliteration, Heretic, Open-Weight, Llama 3.3, Gemma 3, Gemma 4, Meta, Google, Financial Times, Alice AI Safety, Refusal Direction, Directional Ablation, Model Provenance, Model Signing, Sigstore, Hugging Face, SHA Pinning, Llama Guard, NeMo Guardrails, OpenShell, EU AI Act, NIS-2, GDPR, BSI APP.7, Supply Chain Security, Sovereign Hosting, Self-Hosted LLM, German Mittelstand, AI Agents

Abliteration Open-Weight Models

Daily briefing on the FT/Alice investigation from 25 May 2026: abliteration as directional ablation has been documented since 2024; what is new is the trivialisation via a CLI tool with Optuna parameter search, 3,500 variants and 13 million downloads. The operational consequence for self-hosted or sovereign-hosting architectures on Llama, Gemma, Mistral or Qwen: model provenance via SHA pinning, signed manifest and a model-independent policy layer (Llama Guard, NeMo Guardrails, OpenShell).

Composer 2.10, Packagist, supply chain security, stable version immutability, MFA, FIDO2, dependency policies, minimum release age, cooldown, SLSA, Sigstore, OpenSSF, Sovereign Tech Agency, TYPO3, Sylius, PHP, German Mittelstand, NIS-2, GDPR, BSI, DORA, MaRisk

Composer 2.10 & Packagist roadmap

Nils Adermann and Igor Benko published the Packagist/Composer supply chain roadmap on 27 May 2026. Composer 2.10 with its dependency policy framework ships this week, stable version immutability on Packagist.org goes live in the same deploy, and MFA status moves into the transparency log and onto maintainer profiles. Looking further ahead, a minimum release age policy, FIDO2-backed staged releases for packages with a large userbase and an alignment with OpenSSF L3/L4 plus SLSA build provenance are on the plan. For TYPO3 and Sylius operators, enabling MFA is now an operational prerequisite for the next twelve weeks.

Starlette, FastAPI, MCP, Model Context Protocol, vLLM, LiteLLM, ASGI, Python, BadHost, CVE-2026-48710, Host header injection, Auth bypass, Path confusion, CWE-444, X41 D-Sec, OSTIF, Anthropic MCP, OAuth Discovery, AI Agents, German Mittelstand, DevSecOps, Supply Chain Security

BadHost CVE-2026-48710 (Starlette/MCP)

Incident analysis of the BadHost vulnerability (CVE-2026-48710): Starlette rebuilds request.url from the Host header via string concatenation, while the ASGI router reads scope['path']. A path-based auth middleware therefore sees a different path than the router decides on. MCP servers are particularly exposed because the specification enforces unauthenticated OAuth discovery endpoints. Disclosure 22 May 2026, fix in Starlette 1.0.1.

Nx Console CVE-2026-48027 (TeamPCP)

Incident analysis of CVE-2026-48027 (Nx Console 18.95.0): a malicious VS Code extension under the verified publisher handle nrwl, live for 18 minutes in the Visual Studio Marketplace and 36 minutes on Open VSX. The bundle itself carried no payload — on workspace activation it ran a shell call that fetched nx-next from an orphaned commit on nrwl/nx (Google TI named the stealer SANDCLOCK). Entry vector: the TanStack npm wave CVE-2026-45321 (TeamPCP / Mini Shai-Hulud). Consequence: ~3,800 internal GitHub repositories, OpenAI, Grafana Labs, Mistral AI. Moselwal not directly in the stack, but Claude Code configuration files are explicitly harvested — the operational lever runs through every machine with Claude Code in the workbench workflow.

TinyMCE, CVE-2026-47759, CVE-2026-47761, CVE-2026-47762, Stored XSS, data-mce-href, data-mce-src, data-mce-style, sanitiser bypass, HtmlPurifier, DOMPurify, WordPress Classic Editor, Sonata Admin, FOSCKEditorBundle, Sylius, Drupal 10, rich-text editor, SBOM, supply chain, content security policy

TinyMCE CVE-2026-47759 (data-mce Bypass)

Incident analysis on CVE-2026-47759 (TinyMCE 5.11.1 / 7.9.3 / 8.5.1): sanitiser bypass via editor-internal data-mce-* attributes that are written back into href/src/style during serialisation. The same release cycle also covers CVE-2026-47761 (high) and CVE-2026-47762 (medium, mce:protected with the protect option). Moselwal's own TYPO3 stack is unaffected (CKEditor 5 instead of TinyMCE). In the wider PHP world the dominant exposed class is WordPress with the Classic Editor plugin plus individually embedded TinyMCE components — Sonata Admin, Sylius and Drupal 10 all ship CKEditor as the default editor. Take-away: rich-text editors belong in the SBOM as their own supply-chain layer alongside Composer and npm dependencies, sanitiser config has to know the data-mce-* class explicitly.

vpmdhaj, npm, supply chain, typosquat, OpenSearch, ElasticSearch, preinstall hook, lifecycle scripts, AWS credentials, HashiCorp Vault, CI CD secrets, ignore-scripts, npmrc, Microsoft Threat Intelligence, SBOM, maintainer identity, TanStack, Nx Console, NIS-2, GDPR, DORA

vpmdhaj npm Typosquat (OpenSearch/Elastic)

Incident analysis of the vpmdhaj typosquat wave from 28 May 2026 (Microsoft Threat Intelligence): 14 malicious npm packages published under a freshly created maintainer alias, repository.url spoofing opensearch-project/opensearch as visual cover, preinstall lifecycle hook firing automatically. Microsoft documents two stager variants (Gen-1 ≤ 1.0.7265 via preinstall.js/index.js, Gen-2 ≥ 1.0.7266 via setup.mjs). Examples opensearch-setup and elastic-opensearch-helper; the full package list is being withheld. A methodologically new class sitting alongside the TanStack/Nx Console line of the past weeks: a fresh alias identity instead of a compromised maintainer identity. For the Mittelstand: ignore-scripts default, token rotation, SBOM maintainer-account age as an audit axis.

CVE-2026-7598, libssh2, SBOM, CycloneDX, NixOS, Terraform, OpenTofu, Ansible, Puppet, supply-chain security, DevSecOps, CRA, Cyber Resilience Act, zero trust, cosign, Renovate, CVSS, mid-market

CVE-2026-7598: why this libssh2 vulnerability is the litmus test for your supply-chain discipline

An integer overflow in libssh2 shows: without an SBOM and without a declarative host inventory, every weekly CVE becomes a hero action. We show a three-layer response and our own practice with NixOS, Terraform/OpenTofu and Ansible.

OpenAI, Frontier Governance Framework, FGF, EU AI Act, GPAI-SR, Regulation EU 2024/1689, EU Code of Practice, California SB 53, TFAIA, Transparency in Frontier AI Act, Preparedness Framework, Risk Tier, Cyber Offense, CBRN, Harmful Manipulation, Loss of Control, AIRP, AI Safety Incident Response Plan, Safety and Security Model Report, ISO 42001, NIST AI Risk Management Framework, ISO 27001, SOC 2 Type II, Chain of Thought Monitoring, OpenAI Ireland Limited, OpenAI OpCo LLC, Mid-market, GDPR, DPIA, MaRisk, DORA, supplier file, AI procurement

OpenAI Frontier Governance Framework

Daily Brief on OpenAI's publication of the Frontier Governance Framework on 29 May 2026. A standards/governance move: OpenAI's first public governance document that runs alongside the internal Preparedness Framework and aligns with the EU AI Act Code of Practice for GPAI-SR models (Regulation (EU) 2024/1689) and California's Transparency in Frontier AI Act (SB 53). Four risk domains with tier thresholds (Cyber Offense, CBRN, Harmful Manipulation, Loss of Control), Safety and Security Model Report on a six-month cadence, AI Safety Incident Response Plan (AIRP). Two-entity responsibility: OpenAI Ireland Limited (EU Code of Practice) / OpenAI OpCo LLC (TFAIA, US). On the standards layer the FGF names ISO 42001 and the NIST AI Risk Management Framework for the AI layer, ISO 27001/17/18/701 plus SOC 2 Type II for information security. For the mid-market the document becomes a procurement record: supplier file, DPIA connection point, AI procurement checklist, ISO 42001 certification ambition.

Samba, CVE-2026-4408, SAMR, DCE/RPC, samba-dcerpcd, check password script, %u, shell injection, remote code execution, RCE, file server, classic domain controller, CVE-2007-2447, NIS-2, GDPR, KRITIS, German Mittelstand

Samba CVE-2026-4408 (SAMR RCE)

Incident analysis for CVE-2026-4408: Samba SAMR DCE/RPC remote code execution through shell injection in the check password script when %u substitution is enabled and samba-dcerpcd runs in standalone system-service mode. Direct sibling of CVE-2007-2447 (username map script). Affected are Samba file servers and classic non-AD domain controllers; AD-DCs are not affected.

TYPO3 EXT-SA 2026, ceselector RCE, news SQL injection, crawler RCE, ke_search XXE, tt_address SQL injection, sf_register broken access control, Renovate, georgringer news, Mittelstand

TYPO3 EXT-SA cluster May 2026

On the evening of 19 May 2026 the TYPO3 Security Team published six extension advisories — from Critical (ceselector RCE via unserialize cookie) to High (news SQLi, crawler RCE) to Medium (tt_address, sf_register, ke_search). For anyone running a patch-pipeline-managed stack (Renovate, Dependabot or similar), the six patch releases flow automatically into the build. A technical analysis per vulnerability, including the two recurring patterns (PHP object injection and unsanitised SQL input) and the ke_search three-pack of XXE, path traversal and information disclosure.

IBM, Red Hat, Project Lightwell, open-source security, supply chain, software supply chain, clearinghouse, AI-powered security, Maven, Java, PyPI, npm, Go, pom.xml, dependency manifest, backport, pinned versions, Anthropic Project Glasswing, Claude Mythos Preview, OpenAI Trusted Access for Cyber, DORA, DORA Article 28, ICT third-party risk, NIS-2, NIS-2 Article 21, Cyber Resilience Act, CRA, MaRisk, GDPR, DPIA, Mittelstand, SBOM, CycloneDX, SPDX, SLSA, provenance

Project Lightwell (IBM/Red Hat)

Daily brief on IBM and Red Hat Project Lightwell (announcement 28 May 2026, Armonk). A $5 billion initiative pairs an engineering force of more than 20,000 people with frontier AI models in a Trusted Enterprise Clearinghouse for the open-source supply chain. The model operates on dependency manifests (pom.xml first, later requirements.txt / package.json / go.mod), does not access customer source code, and ships backports pinned to the exact version in production into a repository the customer controls. Initial focus Maven/Java, roadmap PyPI/npm/Go. Early adopters are eleven major US banks (Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, Wells Fargo). Structurally, Lightwell moves the bottleneck from vulnerability discovery (after Anthropic's Project Glasswing, 10,000 findings in 30 days) to remediation. Compliance attachment for DACH SMEs: DORA Art. 28 ICT third-party risk, NIS-2 Art. 21(2)(d) supply-chain duties, Cyber Resilience Act manufacturer duties from 11 December 2027. SBOM/CycloneDX/SPDX and SLSA provenance become a direct attachment point.

Linux Kernel, CVE-2026-46227, SCTP, SCTP_SENDALL, use-after-free, type confusion, CapEff=0, LPE, privilege escalation, sched_ext, drm, amdgpu, batman-adv, 117 CVEs, kernel wave, container, Kubernetes, German Mittelstand, NIS-2

Kernel wave CVE-2026-46227 (SCTP)

Incident analysis of the Linux kernel CVE wave 28–30 May 2026: 117 CVEs in 48 hours. Main finding CVE-2026-46227, an SCTP SCTP_SENDALL type confusion with an unprivileged LPE path (CapEff=0) and a controlled indirect call. Companion cluster: sched_ext cgroup UAF, drm/gem prime-swap race, drm/amdkfd SVM OOB, batman-adv and amdgpu/vcn. Mittelstand reflex: SCTP module blacklist where not active, container capability audit for /dev/dri, kernel patch pipeline brought up to speed.

OpenShift, OpenShift Router, HAProxy, CVE-2026-42965, CVE-2026-46579, SSRF, cloud metadata, mTLS, X-SSL-Client, EndpointSlice, FQDN, Kubernetes, German Mittelstand, DORA, NIS-2

OpenShift Router double (SSRF + mTLS)

Incident analysis of the double CVE-2026-42965 + CVE-2026-46579 in the OpenShift Router component. First flaw: SSRF to cloud metadata via FQDN-typed EndpointSlice from a user with EndpointSlice write permission. Second flaw: mTLS client spoofing via plain HTTP when a route carries insecureEdgeTerminationPolicy: Allow and the backend uses X-SSL-Client headers for authentication. Operational for Moselwal customers with their own OpenShift platform.

KubeVirt, OpenShift Virtualization, Container Native Virtualization, CVE-2026-9804, virt-exportserver, VMExport, path traversal, symlink, CWE-59, link following, Mittelstand, OpenShift

KubeVirt CVE-2026-9804 (symlink traversal)

Incident analysis for CVE-2026-9804 in KubeVirt virt-exportserver. CWE-59 Improper Link Resolution Before File Access: symlink-based path traversal in the VMExport directory endpoint. A user with write access to the exported PVC can place a symlink pointing to /var/run/secrets/kubernetes.io/serviceaccount/token or any other pod filesystem path; the exporter reads and returns the file. Affected: Red Hat OpenShift Virtualization 4 / Container Native Virtualization.

AI Agent, LLM, Prompt Injection, LiteLLM, Flowise, MS-Agent, CVE, DevSecOps, AI security

When the AI agent becomes a privileged insider: three current CVEs in LiteLLM, Flowise and MS-Agent

Three CVEs from spring 2026 make the structural problem of productive AI agents concrete: SQL injection in LiteLLM, prompt-injection RCE in the Flowise CSV agent, OS command hijacking in MS-Agent. What the incidents share, and which four architectural principles absorb them structurally.

symfony, sylius, typo3, fluidemail, mailmessage, htmlsanitizer, urlgenerator, x509authenticator, mime, smtp-injection, crlf-injection, route-requirement-bypass, bidi-override, host-spoof, parser-differential, regex-anchor, cve-2026-45064, cve-2026-45065, cve-2026-45066, cve-2026-45753, cve-2024-50340, german mittelstand, renovate, feature-88643

Symfony patch wave 20 May 2026 (CVE cluster)

Analysis of the Symfony disclosure wave from 20 May 2026 with seven CVEs across the four supported lines — HtmlSanitizer trio, UrlGenerator route-requirement bypass, Mime\Address CRLF injection, X509Authenticator, SymfonyRuntime bypass. Stack mapping per component for Symfony-direct, Sylius, and TYPO3 v12.4 LTS / v13.4 LTS / v14.x. Concrete call chains: Sylius Customer Mailer, TYPO3 EXT:form email finisher, custom mailer services. Operational decision block plus a PCRE-regex-precedence explanation.

RPM, rpmuncompress, CVE-2026-44604, command injection, shell injection, archive extraction, ZIP, 7z, GEM, container build, RHEL, Rocky, Alma, Hummingbird, German Mittelstand, NIS-2

rpmuncompress CVE-2026-44604 (command injection)

Incident analysis for CVE-2026-44604 in the rpmuncompress utility. CWE-78 OS command injection: when invoked with a target directory the tool inserts the top-level folder name of the archive into a shell command line without escaping shell metacharacters. Affected formats are ZIP, 7z and GEM on RHEL/Rocky/Alma/Fedora plus container build pipelines with UBI/S2I builders. Mittelstand reflex: CI/CD audit, rpm package update, container base image rebuild.

Keycloak, FGAPv2, Fine-Grained Admin Permissions, CVE-2026-9795, privilege escalation, OIDC, OAuth, Symfony, Sylius, TYPO3, German Mittelstand

Keycloak CVE-2026-9795 (FGAPv2 PrivEsc)

Incident analysis for CVE-2026-9795 in Keycloak FGAPv2. CVSS 7.3 HIGH, CWE-266 Incorrect Privilege Assignment. Vector AV:N/AC:H/PR:H/UI:R/S:C — escalation from an already authenticated FGAPv2 admin position into unauthorised higher realm roles. Note: GHSA-27gp-8389-hm4w belongs to the separate CVE-2025-7784 from July 2025 with a different mechanism (manage-users → self-assign realm-admin). Operational for Moselwal customers running Keycloak in front of Symfony/Sylius/TYPO3 backends.

Chromium, Chrome 148, Google, sandbox escape, ANGLE, V8, Skia, PDFium, WebGL, browser security, workstation hardening, supply chain, German Mittelstand

Chromium 148 Stable (127 fixes)

Incident analysis of the Chrome 148 stable wave: 127 security fixes (Chromium security team classification), including 3 Critical and over 90 High. ANGLE cluster with sandbox escape paths (CVE-2026-9879/-9910/-9926/-9927), V8 OOB write (CVE-2026-9896), Skia integer overflows (CVE-2026-9998/-9909/-10012), PDFium UAF (CVE-2026-10002). Follow-up patch roll 148.0.7778.215/216/217 with further CVEs on 29 May. Mittelstand reflex: MDM browser update policy enforced, Electron app inventory, headless Chrome container rebuild.

linux-kernel, ptrace, pidfd_getfd, lpe, local-root, credential-disclosure, cve-2026-46333, qualys-tru, ptrace_scope, yama, dumpable-flag, do_exit-race, container-host, kubernetes-worker, ci-runner, debian, ubuntu, fedora, rhel, wolfi, german mittelstand

CVE-2026-46333 ptrace LPE

Technical analysis of CVE-2026-46333 based on the Qualys detail advisory: original kernel code from kernel/ptrace.c, do_exit() race window between exit_mm() and exit_files(), pidfd_getfd() stack, four documented exploit targets (chage, ssh-keysign, pkexec, accounts-daemon), Pumpkin Chang systemd-run trick, Ubuntu YAMA edge case, Fedora SELinux SetPassword workaround. Plus stack mapping for container hosts, Kubernetes workers, CI runners; mitigation via kernel.yama.ptrace_scope=2 with operational cost; detection sketches for Tetragon, Falco, auditd.

PamDOORa, PAM, Linux backdoor, opkssh, OIDC, short-lived SSH certificates, YubiKey, FIDO2-SK, AIDE, file integrity monitoring, bastion host, Kubernetes, k3s, Talos, NixOS, DevSecOps, customer-owned, mid-market

PamDOORa: when authentication itself becomes the back door — what a PAM-based Linux backdoor means for mid-market stacks

New PAM-based Linux backdoor PamDOORa: not a CVE but a detection-and-hardening question. Four check paths, five hardening points, four architecture layers above the host — including opkssh/OIDC, YubiKey VPN, K8s workers, and the bastion pattern.

Semantic Kernel, CVE-2026-25592, CVE-2026-26030, AI agents, Prompt Injection, RCE, Microsoft, Azure, InMemoryVectorStore, plugin discipline, DevSecOps

Semantic Kernel: when the prompt becomes the shell — what the Microsoft disclosure means for your agent architecture

Two CVEs in Microsoft Semantic Kernel show that prompt injection is an architecture class, not a bug. We recommend a patch jump, a plugin inventory, a switch to durable vector stores and hard process boundaries between model output and host code.

Comment and Control, Prompt Injection, Claude Code, Gemini CLI, GitHub Copilot Agent, GitHub Actions, AI agents, tool allowlist, DevSecOps, Supply Chain

Comment and Control: three popular AI coding agents, one shared architecture problem

Three AI coding agents from three vendors, the same architectural weakness: untrusted GitHub comments steer tool calls and steal Action secrets. Anthropic says so openly. We recommend a tool allowlist, separation of the read and write stages, and quarantine of external contributions.

Symfony, CVE-2026-48489, Security HTTP, firewall, access_control, failure_forward, form-login, subrequest, local request forgery, authorization bypass, Sylius, NIS-2, GDPR

Symfony CVE-2026-48489 (Firewall Bypass)

Incident analysis of CVE-2026-48489: authorization bypass / local request forgery in Symfony Security HTTP. With a form-login firewall and failure_forward: true, the DefaultAuthenticationFailureHandler uses the client-controlled _failure_path as the target of an internal subrequest; because the firewall deliberately skips subrequests, the access_control AccessListener does not run. An unauthenticated POST with _failure_path=/admin/... reads GET routes behind a ^/admin rule — with no misconfiguration. Entry condition failure_forward: true (non-default). Fixed in 5.4.53 / 6.4.41 / 7.4.13 / 8.0.13. Operational rating high, no official CVSS (NVD still RESERVED).

Symfony, CVE-2026-48736, HTTP Client, NoPrivateNetworkHttpClient, IpUtils, PRIVATE_SUBNETS, SSRF, IPv6, 6to4, NAT64, Teredo, cloud metadata, Sylius, NIS-2, GDPR

Symfony CVE-2026-48736 (SSRF bypass)

Incident analysis of CVE-2026-48736: SSRF protection bypass in Symfony HTTP Client / HTTP Foundation. NoPrivateNetworkHttpClient blocks private networks via IpUtils::PRIVATE_SUBNETS, but the list omitted 6to4 (2002::/16), Teredo (2001::/32), NAT64 (64:ff9b::/96, 64:ff9b:1::/48) and IPv4-compatible (::/96). checkIp6() is a pure CIDR comparison and never extracts the embedded IPv4. Impact is deployment-dependent (IPv6/NAT64 routing). Recommendation: patch plus egress defense-in-depth. Operational rating medium, no official CVSS (NVD still RESERVED). Sister issue to CVE-2026-48489, shared patch path.

Claude Code, Anthropic, ClickFix, SEO poisoning, mshta, HTA polyglot, MP3 polyglot, fileless malware, PowerShell, AMSI bypass, reflective .NET, infostealer, browser credentials, oakenfjrod, Cyderes, Howler Cell, developer workstation, MITRE ATT&CK, NIS-2, GDPR

Fake Claude Code installer (ClickFix/polyglot)

Technical incident analysis of the Cyderes Howler Cell campaign against Claude Code first-time users: SEO poisoning + ClickFix (Win+R / mshta.exe), a 6.7 MB MP3/HTA polyglot from download.version-516[.]com, 32-bit PowerShell with AMSI bypass, a per-victim subdomain on oakenfjrod[.]ru (MD5 of COMPUTERNAME+USERNAME), a ~17 MB stage 3 and a reflective .NET infostealer via Assembly.Load(byte[]), C2 185.177.239.255. Browser credential theft, fully fileless after stage 1. Anthropic not compromised (brand impersonation). Detection: mshta network traffic, 32-bit PowerShell from a COM task, .NET assembly load without a file (ETW), DNS wildcard *.oakenfjrod[.]ru. Complements the strategic assessment of 26 May. Operational rating high (active campaign, social-engineering-gated).

npm, supply chain, Mini Shai-Hulud, Miasma, TeamPCP, @redhat-cloud-services, preinstall, GitHub Actions, OIDC, CI/CD, credential theft, cloud identity, AWS, GCP, Azure, Kubernetes, MCP, dead man switch, DevSecOps, NIS-2, GDPR, Mittelstand

Miasma npm worm (@redhat-cloud-services)

Incident analysis of the Miasma wave: 32 compromised @redhat-cloud-services npm packages, a variant of TeamPCP's open-sourced Mini Shai-Hulud. Patient zero was a compromised Red Hat employee GitHub account with orphan commits to two RedHatInsights repos; publishing ran via GitHub Actions OIDC trusted publishing including Sigstore. A preinstall hook runs a 4.2 MB obfuscated loader, harvests GitHub/AWS/GCP/Azure/Kubernetes/Vault/npm/SSH/Docker credentials, newly also collects GCP and Azure cloud identities, installs kitty-monitor persistence and a destructive gh-token-monitor dead-man switch. Operational assessment: critical. Order: isolate, remove persistence, then rotate.

Fragnesia, CVE-2026-46300, XFRM, espintcp ULP, Linux kernel LPE, page cache, drop_caches, ESP-in-TCP, German Mittelstand, TYPO3 hosting, Dirty Frag, Copy Fail

Fragnesia (CVE-2026-46300) — the third XFRM LPE in three weeks

Third Linux kernel LPE in three weeks — after Copy Fail and Dirty Frag, now Fragnesia (CVE-2026-46300, CVSS class high). Logic flaw in the ESP-in-TCP path (espintcp ULP): already-spliced file pages are treated as ESP ciphertext and decrypted in place. The AES-GCM keystream is XORed into the page cache of every readable file, IV-nonce controlled — a deterministic one-byte write primitive without a race. The public PoC overwrites /usr/bin/su with a 192-byte ELF stub. Mitigation is identical to Dirty Frag, but drop_caches must be triggered as well.

Mini Shai-Hulud, CVE-2026-45321, TanStack, Mistral AI, UiPath, OpenSearch, Guardrails AI, TeamPCP, npm, PyPI, supply chain, SLSA provenance, GitHub Actions OIDC, Pwn Request, the German Mittelstand

When the seal is genuine and the contents are not: CVE-2026-45321, Mini Shai-Hulud and the first validly-signed compromised npm delivery

Mini Shai-Hulud is the first incident to break the SLSA provenance assumption: the compromised npm packages carry valid signatures because the worm hijacked the legitimate build pipeline itself. A cosign verification alone is no longer enough in 2026; a second verification stage (manifest diff against baseline) becomes a regular operational stage.

NGINX, CVE-2026-42945, NGINX Rift, ngx_http_rewrite_module, heap buffer overflow, reverse proxy, TYPO3, Sylius, DevSecOps, German Mittelstand

NGINX Rift CVE-2026-42945 May 2026

CVE-2026-42945 NGINX Rift hits every nginx 0.6.27–1.30.0 and NGINX Plus R32–R36 when the configuration contains a rewrite directive with an unnamed capture, a question-mark replacement and a follow-up directive. The patch has been available since 13 May 2026; the more durable mitigation is configuration discipline on named captures.

OpenShift, CVE-2026-1784, ose-cluster-ingress-operator, HAProxy, Route, spec.path, config injection, RCE, Kubernetes, multi-tenant, scope changed, CWE-15, NIS-2, GDPR, Mittelstand

OpenShift CVE-2026-1784 (ingress RCE)

Incident analysis of CVE-2026-1784: config injection leading to RCE in the OpenShift ingress operator. The spec.path field of a Route object is insufficiently validated; tenant-controlled content flows into the HAProxy configuration generated by the ose-cluster-ingress-operator for the shared router. CVSS v3.1 8.8 (AV:L/AC:L/PR:L/S:C/C:H/I:H/A:H), CWE-15. Entry condition: write access to Route objects in a namespace. Scope Changed — the impact leaves the tenant namespace and hits the cluster-wide ingress. Fix via Red Hat errata for the relevant 4.x line; stopgap: an admission policy on spec.path.

Apache Solr, CVE-2026-44825, BasicAuth, hardcoded credentials, default credentials, security.json, TYPO3, EXT:solr, CWE-798, CWE-1188, NIS-2, GDPR, Mittelstand

Apache Solr CVE-2026-44825 (default users)

Incident analysis of CVE-2026-44825: insecure default configuration in Apache Solr. The BasicAuth setup tool bin/solr auth enable writes, alongside the operator's chosen account, four template users (superadmin, admin, search, index) with publicly known passwords into security.json in Solr 9.4.0-9.10.1 and 10.0.0. An attacker with network access to the Solr endpoint thereby gains full administrative access. CVSS v3.1 8.1 (AV:N/AC:H/PR:N/S:U/C:H/I:H/A:H), CWE-798 + CWE-1188. On-stack via TYPO3 EXT:solr. Workaround: delete or re-password the template users; fix in the upcoming versions 9.11.0 / 10.1.0.

PHP 8.4.21, PHP 8.3.31, PDO Firebird, CVE-2025-14179, SQL injection, NUL byte, TYPO3, Sylius, Symfony, Composer, Wolfi, DevSecOps, patch discipline, mbstring, FPM, SOAP, OpenSSL 4.0

PHP 8.4.21 + 8.3.31 PDO Firebird

Coordinated security roll-up of PHP 8.2.31, 8.3.31, 8.4.21 and 8.5.6 on 7 May 2026, with eight to thirteen patches per line. Lead item: NUL-byte SQL injection in the PDO Firebird driver (CVE-2025-14179) — and why the May wave should not be a quarterly task in Composer or Wolfi pipelines.

node-ipc, npm, supply chain, maintainer domain hijack, atlantis-software.net, DNS TXT exfiltration, Webpack, Vite, TYPO3, Sylius, DevSecOps, German Mittelstand, lockfile audit

node-ipc Supply Chain May 2026

node-ipc@9.1.6, 9.2.3 and 12.0.1 carried an identical 80 KB stealer payload on 14 May 2026 that exfiltrated more than 90 credential categories via DNS TXT tunnelling. Initial vector: re-registration of the expired maintainer mail domain atlantis-software.net. Anyone who built in the 11-hour window — even transitively through Webpack/Vite — must treat the build host as compromised.

FrankenPHP, CVE-2026-45062, GHSA-3g8v-8r37-cgjm, FrankenPHP 1.12.3, Unicode path splitting, CGI RCE, splitPos, container image, TYPO3, Sylius, DevSecOps

FrankenPHP 1.12.3 closes CVE-2026-45062 — when Unicode path splitting becomes an RCE path

FrankenPHP 1.12.3 closes CVE-2026-45062 (GHSA-3g8v-8r37-cgjm, CVSS 8.1 high): the splitPos() function in cgi.go used search.IgnoreCase Unicode equivalence folding for non-ASCII path bytes. Two logic flaws allow files like shell﹒php or shell.php to be executed as PHP scripts. Wherever an attacker can place a file in the FrankenPHP web root (uploads, file storage), this becomes unauthenticated RCE. We rebuilt the TYPO3 and Sylius container images with FrankenPHP 1.12.3 and rolled them out via Renovate.

EU AI Act, Digital Omnibus, AI Act SMC, small mid-cap, SME relief, Article 50, watermarking, C2PA, AI-Ready CMS, German Mittelstand, AI compliance, Kim Hartwig

EU AI Act Digital Omnibus

The May agreement on the Digital Omnibus to the EU AI Act extends the SME privileges to a new small mid-cap layer of companies up to 750 employees and EUR 150 million in revenue, postpones the high-risk AI deadlines to December 2027 and August 2028 and shifts the Article 50 watermarking obligation to 2 December 2026. The legal classification remains with lawyer and data protection officer — the platform side can be prepared now.

CVE-2026-23918, Apache HTTP/2, mod_http2, double-free, RCE, TYPO3 hosting, Sylius hosting, Debian, Ubuntu, DevSecOps

Apache HTTP/2 double-free (CVE-2026-23918) — why the mod_http2 layer in Apache 2.4.66 sat open for eight days

Apache mod_http2 double-free in Apache 2.4.66 (CVE-2026-23918, CVSS 8.8). DoS is trivial; remote RCE on Debian/Ubuntu defaults with the APR mmap allocator. Two public PoCs since the disclosure week, fix in 2.4.67. We check, patch and validate the TYPO3 and Sylius hosting front lines.

CVE-2026-41611, CVE-2026-41109, VS Code, Copilot, Patch Tuesday May 2026, coding-agent hardening, DevSecOps, MCP

VS Code / Copilot cluster May 2026

On 12 May 2026 Microsoft disclosed and patched six vulnerabilities in VS Code and GitHub Copilot. Structurally the most severe finding: CVE-2026-41109 (CVSS 8.8) — a Copilot/VS Code security feature bypass that silently flips the telemetry consent flag and exfiltrates source code via the suggestion logging path. We inventory, patch and validate productive developer workstations and tenant coding-agent platforms.

Pwn2Own, Berlin 2026, zero-day, AI tooling, AI agents, coding agents, LLM gateway, LiteLLM, OpenAI Codex, Anthropic Claude Code, Cursor, LM Studio, Ollama, DevSecOps, NIS-2, GDPR, Mittelstand

Pwn2Own Berlin 2026 - AI tooling

Daily brief on Pwn2Own Berlin 2026 (14-16 May): AI tooling took centre stage for the first time; multiple coding agents and LLM gateways fell. Structural weaknesses rather than isolated bugs - and what that means for patch management, threat modelling and NIS-2 in the Mittelstand.

HTTP/2 Bomb, HPACK, RFC 7541, RFC 9113, denial of service, amplification, window stall, nginx, Apache httpd, Microsoft IIS, Envoy, Cloudflare Pingora, Caddy, Go net/http2, CVE-2026-49975, max_headers, Codex, NIS-2, German Mittelstand

HTTP/2 Bomb (HPACK + window stall)

Incident analysis of the HTTP/2 Bomb: a remote denial-of-service discovered by OpenAI Codex against the default HTTP/2 configuration of most major web servers. It chains an HPACK indexed-reference bomb (1 wire byte becomes ~70 to ~4,000 bytes of server allocation from per-entry bookkeeping) with an HTTP/2 window stall (zero-byte window plus 1-byte WINDOW_UPDATE drip) that pins every allocation. Affected: nginx 1.29.7 (~70:1), Apache httpd 2.4.67 (~4,000:1), Microsoft IIS (~68:1), Envoy 1.37.2 (~5,700:1), Cloudflare Pingora (~62:1). A home PC on 100 Mbps binds ~32 GB against Apache/Envoy in roughly 20 seconds. Public dockerised PoC. nginx fix in 1.29.8 (max_headers, default 1000), Apache fix in mod_http2 v2.0.41 (trunk; CVE-2026-49975), IIS/Envoy/Pingora unpatched at publication. Go-based servers (Caddy, Traefik) are structurally largely protected per source-code analysis.

TeamPCP, GitHub breach May 2026, BreachForum listing, supply chain security, TanStack Shai-Hulud, VS Code extension suspicion

TeamPCP lists ~4,000 GitHub-internal repositories

On 19 May 2026 the group TeamPCP listed roughly 4,000 GitHub-internal repositories for sale on BreachForum. GitHub is investigating but has not labelled the incident a confirmed breach — customer data outside the internal repos is, by GitHub's current statement, not affected. What we know, what we don't, and what mid-sized companies should still do today.

OpenAI, ChatGPT, Lockdown Mode, Elevated Risk, Prompt Injection, Data Exfiltration, Agent Mode, Deep Research, Capability Governance, RBAC, Codex, Connectors, GDPR, Egress Allowlist, MCP, Mittelstand

OpenAI Lockdown Mode

Daily briefing on the broad Lockdown Mode rollout of 6 June 2026: prompt injection is not solved in the model but through deterministic capability governance at the harness - the blueprint for capability profiles, egress allowlists and MCP tool gates in your own agent stack.

TYPO3, Kubernetes, hosting, high availability, shared filesystem, cloud-native, scaling, performance, platform operations, DevSecOps, architecture, container

5 misconceptions: TYPO3 on Kubernetes

Five assumptions that make TYPO3-on-Kubernetes projects needlessly complex: the mandatory shared filesystem, Kubernetes as automatic high availability, more pods as a performance fix, containers as cloud-native, and Kubernetes for every project. None is a TYPO3 problem — all come from the single-server world. With the rule of thumb for when Kubernetes really pays off.

TYPO3, OCI artifact, container, Docker, FrankenPHP, golden image, runtime, supply chain, signed, cosign, reproducible, rollback, Composer, Kubernetes, DevSecOps, digital sovereignty

TYPO3 as a signed OCI artifact

Opinion/architecture: instead of deploying TYPO3 as an individual container image per project, separate runtime (hardened golden image: FrankenPHP, PHP, extensions, Caddy) and application (TYPO3 core, vendor, extensions, sitepackage) and ship the application as a signed OCI artifact. No composer install at start time. Benefits: smaller deployments, faster rollbacks, better supply chain, reproducibility — plus open limits.

Merkle Tree Certificates, MTC, Let's Encrypt, post-quantum, Web PKI, TLS, ML-DSA, ACME, Certificate Transparency, X25519MLKEM768, PLANTS, IETF, RFC 9881, CRQC, hosting, DevSecOps

Merkle Tree Certificates (Let's Encrypt)

MTCs issue certificates in batches; ONE post-quantum signature covers the whole batch, the browser keeps the batch signatures (landmarks) current out-of-band, and the handshake carries only one signature, one public key and a tiny inclusion proof. A two-part explainer: plain language plus a technical deep dive (sizes, mechanics, certificate-transparency-by-design, roadmap staging late 2026 / production 2027, what operators and ACME client maintainers should do today).

IronWorm, npm, supply chain, worm, Rust, eBPF, rootkit, Trusted Publishing, OIDC, GitHub Actions, credential harvesting, CI/CD, Shai-Hulud, JFrog, Kubernetes, Docker, Bun, DevSecOps

IronWorm (Rust npm worm)

The Rust npm worm IronWorm runs via a preinstall hook, harvests 86 environment variables including AI provider keys and ~/.claude credentials, self-publishes in CI via npm Trusted Publishing, exfiltrates without C2 through swapped GitHub Actions workflows, and hides behind an eBPF rootkit (which fails under kernel lockdown). With mitigation, detection IOCs, a root-cause deep dive and operator guidance; package list delegated to JFrog.

FFmpeg, CVE-2026-39210, CVE-2026-39218, zero-day, AI security, autonomous agent, depthfirst, Big Sleep, Mythos, Project Glasswing, AV1, RTP, RTSP, heap overflow, demuxer, container, Docker, supply chain, media pipeline, DevSecOps

FFmpeg 21 zero-days (AI agent)

An autonomous AI security agent found 21 zero-days in roughly 1.5M lines of FFmpeg C; some carry CVE numbers (CVE-2026-39210 to -39218), several bugs lay latent for 15-23 years. The AV1-RTP depacketizer is developed into an unauthenticated RCE primitive (183-byte packet, ffmpeg -i rtsp://...). FFmpeg ships not only in the system package but in container images, Python wheels and appliances. With mitigation, detection, operator guidance and AI-security context.

GitLab, CVE-2026-6552, CVE-2026-10087, CVE-2026-7250, CVE-2026-9204, patch release, 19.0.2, 18.11.5, 18.10.8, Group SAML, account takeover, XSS, Analytics Dashboard, Grape API DoS, Gitaly SSRF, self-managed, CI/CD, DevSecOps, supply chain

GitLab patch release (CVE-2026-6552/10087)

Scheduled GitLab batch patch release (10 June 2026): twelve fixes, four High. The headline is two CVSS 8.7 Enterprise Edition flaws — CVE-2026-6552 (account takeover via the Group SAML identity API, owner precondition) and CVE-2026-10087 (XSS in the Analytics Dashboard). Plus CVE-2026-7250 (unauthenticated DoS in the Grape API, CE/EE) and CVE-2026-9204 (SSRF in the Gitaly repository import, CE/EE). Only self-managed below 18.10.8 / 18.11.5 / 19.0.2 is affected; GitLab.com and Dedicated are covered. A CI/CD hub holds code and secrets at once — patch cadence is supply-chain security.

ImageMagick, CVE-2026-46557, CVE-2026-25985, fx operation, stack overflow, CWE-674, uncontrolled recursion, policy.xml, Magick.NET, GraphicsMagick, TYPO3, Sylius, image processing, upload decoder, DoS, DevSecOps, hosting

ImageMagick CVE-2026-46557 (fx stack overflow)

ImageMagick CVE-2026-46557: uncontrolled recursion in the fx expression evaluation overflows the stack (CWE-674). CVSS 6.2, AV:L, pure denial of service — no RCE, no data exfiltration. Fixed in current ImageMagick releases and Magick.NET 14.13.1. The editorial core is deliberately the class: ImageMagick/GraphicsMagick behind TYPO3 and Sylius is a parser for untrusted uploads; the file-driven sibling CVEs (e.g. the SVG OOM CVE-2026-25985, 7.5) are the more dangerous variant. policy.xml hardening (resource limits, disabling MSL/URL/MVG/SVG) and worker decoupling close the class, not just this CVE.

LangGraph, LangChain, CVE-2026-28277, CVE-2025-67644, CVE-2026-27022, checkpointer, SQLite, Redis, RediSearch, msgpack, deserialization, SQL injection, RCE, AI agents, agent frameworks, self-hosted, get_state_history, DevSecOps, supply chain, Mittelstand

LangGraph checkpointer chain (CVE-2026-28277)

Three LangGraph flaws disclosed by Check Point Research on 12 June 2026 hit the memory layer (checkpointer) of stateful AI agents. CVE-2025-67644 (CVSS 7.3): SQL injection in the SQLite checkpointer via metadata filter keys. CVE-2026-28277 (6.8): unsafe msgpack deserialization on checkpoint load. Chained they yield RCE in the agent's runtime context — the SQLi inserts a forged checkpoint row with an attacker-controlled BLOB that the decoder reconstructs. CVE-2026-27022 (6.5): RediSearch query injection in the Redis checkpointer (access-control bypass). Precondition: self-hosted, exposed get_state_history() path, user-controlled filter; LangSmith-hosted is not affected. Architectural lesson: an AI agent is a privileged identity — patching closes the spot, a filter allow-list + a sealed write path + least privilege close the class. Fix: langgraph 1.0.10 / -sqlite 3.0.1 / -redis 1.0.1.

OpenSSL, CVE-2026-45447, CVE-2026-34182, CVE-2026-34183, CVE-2026-35188, PKCS7, PKCS7_verify, S/MIME, use-after-free, RCE, CMS, AuthEnvelopedData, QUIC, PATH_CHALLENGE, OCSP stapling, TLS, PHP openssl, DevSecOps, supply chain, hosting

OpenSSL CVE-2026-45447 (PKCS7 UAF)

CVE-2026-45447: heap use-after-free in PKCS7_verify() — an empty ASN.1 SET in the digestAlgorithms field makes OpenSSL wrongly free a caller-owned BIO (crash, heap corruption, in some contexts RCE). Precondition: processing attacker-controlled PKCS#7/S/MIME signatures through the legacy PKCS7 API; the CMS API is not affected. Alongside it: CVE-2026-34182 (CMS AuthEnvelopedData forgery), 34183 (QUIC memory DoS), 35188 (OCSP double-free) and low-severity findings. OpenSSL is the TLS/crypto floor under PHP, Node, nginx/Apache, PostgreSQL, Redis, curl and container images: a floor update plus a restart of the linked services. Architectural lesson: the patch closes the spot, the PKCS7→CMS migration closes the class. Fix 4.0.1/3.6.3/3.5.7/3.4.6/3.0.21/1.1.1zh/1.0.2zq.

Langflow, CVE-2026-5027, path traversal, arbitrary file write, RCE, unauthenticated, auto-login, AI agents, AI builder, low-code, agent frameworks, LLM tooling, self-hosted, exposed instances, VulnCheck, Tenable, Censys, DevSecOps, supply chain, Mittelstand

Langflow CVE-2026-5027 (Path Traversal → RCE)

CVE-2026-5027 (CVSS 8.8) is a path traversal in the Langflow file upload (POST /api/v2/files): the filename parameter from the multipart body is not sanitised, so files can be written to arbitrary locations via ../ sequences. Because Langflow enables unauthenticated auto-login by default, a single request without credentials is enough to reach RCE. Tenable disclosed the flaw on 27 March 2026 (TRA-2026-26), fixed in Langflow 1.9.0 on 15 April 2026; VulnCheck reports active in-the-wild exploitation since 10 June (so far benign test files). Censys: ~7,000 publicly reachable instances, mostly in North America. Architectural lesson: an AI build tool is a production, internet-facing service holding privileged secrets — patching closes the spot, exposure control plus enforced authentication plus inventory close the class.

OLG Hamm, 4 UKl 3/25, AI liability, AI chatbot liability, § 5 UWG, AI hallucination, RAG pipeline, access classes, WebMCP, tool-based architecture, content provenance, Ed25519, C2PA, AI Act Article 50, AI-Ready CMS, German Mittelstand, Kai Ole Hartwig

OLG Hamm 4 UKl 3/25 (AI liability)

The Higher Regional Court of Hamm ruled on 12 May 2026 that a GmbH is fully liable for false statements by its AI chatbot (case 4 UKl 3/25, § 5 UWG). The duty-of-care defence does not apply, correct training data does not relieve liability. The architectural response: controlled generation instead of an unconstrained LLM — RAG pipeline with verified corpus, access-class layer for sensitive topics, tool-based web architecture (WebMCP), audit trail with Ed25519 and C2PA provenance.

CVE-2026-43284, Dirty Frag, Linux kernel, LPE, local privilege escalation, kernel module blacklist, esp4, esp6, rxrpc, ipcomp4, ipcomp6, IPsec, kAFS, OpenAFS, modprobe, AWS-2026-027, patch discipline, mitigation, customer-owned, mid-market

Dirty Frag (CVE-2026-43284): Linux Kernel LPE — Blacklist the Modules, Weigh IPsec, Protect Customer Stacks

Universal Linux LPE “Dirty Frag” hits every kernel since 2017. Mitigation via kernel-module blacklist with clear trade-offs. Eighth trust/CVE post in the cluster, in direct line to Copy Fail.

TYPO3, Kubernetes, RWX volume, shared filesystem, NFS, EFS, CephFS, Azure Files, cache, cluster file backend, FAL, object storage, S3, platform operations, DevSecOps, hosting, architecture

TYPO3 on K8s without RWX volume

A shared filesystem is not automatically the best solution for TYPO3 on Kubernetes — often just the one carried over from the single-server era. Separate cache metadata (centralised) from cache files (local per pod, reproducible) and the RWX volume disappears for the cache: less infrastructure, faster pods, one fewer point of failure. Persistent assets like fileadmin belong in object storage via FAL. This is where the Cluster File Backend for TYPO3 came from, which I develop and maintain.