Ostorlab: Mobile App Security Testing for Android and iOS

Tag

cve-news

CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution

A technical breakdown of CVE-2026-27971, a CVSS 9.2 critical unauthenticated remote code execution vulnerability in Qwik (< 1.19.1). Unsafe deserialization in the server$ RPC flow allows attacker-controlled QRL objects to be reconstructed from application/qwik-json requests, enabling arbitrary module path and symbol resolution and, where require() is available,remote code execution via crafted server-side function invocation.

Aziz Elbelaychy


            Wed 01 April 2026

Security

CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain

A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection ...

Mohammed Lachhab


                  Wed 25 March 2026

Security

Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass

A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerabilit...

Aziz Elbelaychy


                  Tue 17 March 2026

Security

GHSA-cr3w-cw5w-h3fj: 1-Click RCE in Saltcorn

Analysis of GHSA-cr3w-cw5w-h3fj, a CVSS 9.7 critical XSS-to-RCE vulnerability in Saltcorn (≤ 1.5....

Mohammed Lachhab


                  Wed 11 March 2026

Security

CVE-2026-26019 : LangChain RecursiveUrlLoader Server-Side Request Forgery Vulnerability

A technical breakdown of CVE-2026-26019, a CVSS 4.1 medium Server-Side Request Forgery vulnerability in the LangChain Community JavaScript package (< 1.1.14). The RecursiveUrlLoader class uses a naive string prefix check to validate crawled URLs, allowing an attacker to bypass the default preventOutside restriction with a suffixed domain and redirect the crawler to internal network assets, potentially exposing sensitive credentials and metadata endpoints.

Aziz Elbelaychy


                  Wed 04 March 2026

Security

CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing

A technical breakdown of CVE-2025-64712, a CVSS 9.8 critical path traversal remote code execution vulnerability in the Unstructured Python library (< 0.18.18). Unsanitized attachment filenames in Outlook MSG processing allow for path traversal, enabling an attacker to overwrite arbitrary files via a crafted MSG file and achieve code execution.

Aziz Elbelaychy


                  Mon 23 February 2026

Latest posts

Security

CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin

A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution vulnerability in the WPvivid Backup & Migration plugin (≤ 0.9.123). Two chained flaws, a cryptographic fail-open and an unsanitized path traversal, allow arbitrary file write and shell upload without credentials.

Mohammed Lachhab


                    Fri 20 February 2026

Changelog

View all changes

cve-news

CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution

CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain

Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass

GHSA-cr3w-cw5w-h3fj: 1-Click RCE in Saltcorn

CVE-2026-26019 : LangChain RecursiveUrlLoader Server-Side Request Forgery Vulnerability

CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing

Latest posts

CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin

Changelog

Subscribe to the Ostorlab Newsletter