Ostorlab: Mobile App Security Testing for Android and iOS

Articles by

Aziz Elbelaychy

CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution

A technical breakdown of CVE-2026-27971, a CVSS 9.2 critical unauthenticated remote code execution vulnerability in Qwik (< 1.19.1). Unsafe deserialization in the server$ RPC flow allows attacker-controlled QRL objects to be reconstructed from application/qwik-json requests, enabling arbitrary module path and symbol resolution and, where require() is available,remote code execution via crafted server-side function invocation.

Aziz Elbelaychy


            Wed 01 April 2026

Security

Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass

A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerabilit...

Aziz Elbelaychy


                  Tue 17 March 2026

Security

CVE-2026-26019 : LangChain RecursiveUrlLoader Server-Side Request Forgery Vulnerability

A technical breakdown of CVE-2026-26019, a CVSS 4.1 medium Server-Side Request Forgery vulnerabil...

Aziz Elbelaychy


                  Wed 04 March 2026

Security

CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing

A technical breakdown of CVE-2025-64712, a CVSS 9.8 critical path traversal remote code execution...

Aziz Elbelaychy


                  Mon 23 February 2026

Aziz Elbelaychy

CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution

Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass

CVE-2026-26019 : LangChain RecursiveUrlLoader Server-Side Request Forgery Vulnerability

CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing

Subscribe to the Ostorlab Newsletter