Security

A deep dive into DORA-focused third‑party risk for mobile AppSec, showing why embedded SDKs and runtime providers demand release‑scoped governance because vulnerabilities persist across multiple app versions in the wild and provider outages directly break critical journeys. It outlines an audit‑ready approach built on per‑release SDK inventories and diffs, approval/ban rules, patch SLAs with time‑boxed exceptions, and evidence packs that stay version‑scoped, indexed, and quickly retrievable.

Security

Mobile application shielding protects apps on untrusted devices by preventing reverse engineering, tampering, debugging, and unauthorized access to sensitive data. It helps security teams secure critical app logic, sensitive information, and transactions even if the device is compromised.

Security

A deep dive into two critical vulnerabilities uncovered in Roundcube Webmail (< 1.6.14, 1.5.14, 1.7 RC4) during a source code review. OVE-2026-8 allows authenticated attackers to inject arbitrary IMAP commands via the _filter parameter due to missing CRLF sanitization. OVE-2026-9 enables Server-Side Request Forgery (SSRF) by exploiting the CSS proxying mechanism, allowing access to internal network resources and cloud metadata.

Security

A technical breakdown of CVE-2026-27971, a CVSS 9.2 critical unauthenticated remote code execution vulnerability in Qwik (< 1.19.1). Unsafe deserialization in the server$ RPC flow allows attacker-controlled QRL objects to be reconstructed from application/qwik-json requests, enabling arbitrary module path and symbol resolution and, where require() is available,remote code execution via crafted server-side function invocation.

Security

A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection vulnerability in the "Contact Form Entries" WordPress plugin (≤ 1.4.7). The download_csv function deserializes untrusted user input without allowed_classes restrictions. When combined with WordPress 6.4.0-6.4.1, the built-in WP_HTML_Token class provides a complete all-public POP chain leading to full Remote Code Execution via two unauthenticated HTTP requests.

Security

A mobile-first guide to DORA compliance for BFSI teams. Learn how to define your scope, simplify your release process, and avoid the traps that create unnecessary compliance work.

Security

A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerability in Roundcube Webmail (< 1.5.12 and < 1.6.12). The rcube_washtml sanitizer blocks SVG \ tags that target the href attribute, but the attribute_value() comparison does not strip XML namespace prefixes before matching. An attacker can use attributeName="xlink:href" to bypass the check entirely, delivering unsanitized javascript: URIs in the values attribute directly into the rendered email DOM. JavaScript execution is currently prevented by an accidental namespace corruption in PHP's DOMDocument::loadHTML() which strips the xlink namespace declaration, but the sanitizer bypass is confirmed and the vulnerability remains exploitable under alternative parser configurations such as the Masterminds HTML5 parser or PHP 8.4's Dom\HTMLDocument.

Security

Analysis of GHSA-cr3w-cw5w-h3fj, a CVSS 9.7 critical XSS-to-RCE vulnerability in Saltcorn (≤ 1.5.0-beta.19). Two chained flaws, reflected XSS in route parameters and command injection in backup generation, enable remote code execution via administrator phishing.