Security

A deep dive into two critical vulnerabilities uncovered in Roundcube Webmail (< 1.6.14, 1.5.14, 1.7 RC4) during a source code review. OVE-2026-8 allows authenticated attackers to inject arbitrary IMAP commands via the _filter parameter due to missing CRLF sanitization. OVE-2026-9 enables Server-Side Request Forgery (SSRF) by exploiting the CSS proxying mechanism, allowing access to internal network resources and cloud metadata.

Product

Ostorlab now integrates with Harness CI to run automated mobile application security scans inside CI pipelines. Using Harness Secrets and a simple Run step, teams can install the Ostorlab CLI and run ostorlab ci-scan run against the same build artifacts produced by the pipeline (e.g., Android APK, Android AAB, or iOS IPA). The integration helps bring security into CI by improving feedback speed and catching vulnerabilities earlier, with options to tailor scans via profiles (fast, full) and optional inputs like test credentials, SBOM, and UI prompts.

Security

A technical breakdown of CVE-2026-27971, a CVSS 9.2 critical unauthenticated remote code execution vulnerability in Qwik (< 1.19.1). Unsafe deserialization in the server$ RPC flow allows attacker-controlled QRL objects to be reconstructed from application/qwik-json requests, enabling arbitrary module path and symbol resolution and, where require() is available,remote code execution via crafted server-side function invocation.

Product

Modern applications are more secure than ever, but that security introduces a major challenge. With the widespread adoption of Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA), automated security testing often stops at the login stage. As a result, automated testing often fails to reach the parts of the application where real user activity and risk exist.

Product

Ostorlab now integrates with Bitrise to run automated mobile application security scans inside CI workflows. Using a Bitrise Secret plus a simple Script step, teams can install the Ostorlab CLI and run ostorlab ci-scan run against the same build artifacts produced by the pipeline (e.g., Android APK, Android AAB, or iOS IPA). The integration helps shift security left by shortening feedback loops and catching vulnerabilities earlier, with options to tailor scans via profiles (fast, full, agentic deep scan) and optional inputs like test credentials, SBOM, and UI prompts.

Product

This release highlights Agentic Deep Scan with BYOK (Bring Your Own AI Key), adds Harness + Bitrise CI documentation, introduces scan filtering by tags and owners, and delivers major performance improvements across tickets and scans.

Security

A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection vulnerability in the "Contact Form Entries" WordPress plugin (≤ 1.4.7). The download_csv function deserializes untrusted user input without allowed_classes restrictions. When combined with WordPress 6.4.0-6.4.1, the built-in WP_HTML_Token class provides a complete all-public POP chain leading to full Remote Code Execution via two unauthenticated HTTP requests.

Security

A mobile-first guide to DORA compliance for BFSI teams. Learn how to define your scope, simplify your release process, and avoid the traps that create unnecessary compliance work.