Security Feed
Gitea container registry flaw exposes private images to unauthenticated access
**[Under Evaluation – CVE-2026-27771]:** A flaw in Gitea versions `< 1.26.2` allows unauthenticated attackers to pull private container images via the registry API. Exploitation requires no credentials, exposing sensitive data. Update to `1.26.2`, or set `[service].REQUIRE_SIGNIN_VIEW=true` in the configuration as a workaround.
containerd CRI plugin unsanitized image LABEL propagation enables host command execution
**[Under Evaluation – CVE-2026-53488, CVE-2026-50195, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262]:** In containerd CRI plugin versions `1.7`-`2.3`, image configuration `LABEL` instructions are propagated to containers without sanitization, allowing arbitrary host command execution via a crafted container image. This issue does not require checkpoint/restore. Upgrade to a vendor-fixed containerd build for affected platforms (EKS/ECS/Fargate/Bottlerocket/Amazon Linux).
Apache Tomcat CRL handling flaw in FFM-based connector can fail open on error
**[Under Evaluation – CVE-2026-53434]:** Apache Tomcat has a flaw in its FFM-based connector when CRLs are configured. An error during CRL processing does not stop the connector from proceeding (it fails open), so revocation of TLS client certificates is not reliably enforced. Affects `11.0.0-M1`-`11.0.22`, `10.1.0-M7`-`10.1.55`, `9.0.83`-`9.0.118`. Upgrade to `11.0.23`, `10.1.56`, or `9.0.119`.
7-Zip Compound Document extraction null pointer dereference leads to denial of service
**[Under Evaluation – CVE-2025-53817]:** `7-Zip` Compound Document extraction is affected by a null pointer dereference in the Compound handler in versions `< 25.0.0`. An attacker can supply a crafted Compound Document to trigger a crash, causing denial of service (availability impact). Upgrade to `7-Zip 25.0.0` or later to remediate.
Oracle E-Business Suite Oracle Payments unauthenticated HTTP flaw enables product takeover
**[Under Evaluation – CVE-2026-46817]:** Oracle E-Business Suite `Oracle Payments` (component: `File Transmission`) in supported versions `12.2.3-12.2.15` is vulnerable to an easily exploitable unauthenticated attack over HTTP. A remote attacker with network access can compromise and take over `Oracle Payments`, with high impact to confidentiality, integrity, and availability. Apply Oracle May 2026 CPU fixes (`cspumay2026`).
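As an added example (not part of the feed above, and not code from Gitea, Tomcat, 7-Zip or Oracle): a small Python triage helper that encodes the affected-version ranges exactly as the entries above state them, orders Tomcat milestone versions such as `11.0.0-M1` before their GA release, pads 7-Zip's two-component versions so `25.00` compares equal to `25.0.0`, and checks a Gitea `app.ini` for the `REQUIRE_SIGNIN_VIEW` workaround. The containerd entry is left out because the feed gives only a minor-series range and the fix is a vendor-specific build rather than an upstream version. The inventory and the `app.ini` text are constructed sample data.

```python
"""Affected-version triage for the advisories in this feed (added example)."""
from __future__ import annotations

import configparser
import re
from dataclasses import dataclass

# Accepts "11.0.0-M26", "10.1.55", "9.0.118", "25.00", "1.26.2".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-M(\d+))?$")


def parse_version(text: str) -> tuple:
    """Return a sortable tuple: (major, minor, patch, is_release, milestone).

    Numeric parts are zero-padded to three fields so "25.00" == "25.0.0".
    A Tomcat milestone ("11.0.0-M1") gets is_release=0 and its milestone
    number, so every milestone sorts before the GA release "11.0.0".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    if m.group(2) is None:
        return (*parts[:3], 1, 0)
    return (*parts[:3], 0, int(m.group(2)))


@dataclass(frozen=True)
class AffectedRange:
    first: str | None = None  # inclusive lower bound; None = no lower bound
    fixed: str | None = None  # exclusive upper bound: the first fixed release
    last: str | None = None   # inclusive upper bound, when no fix version is given

    def contains(self, v: tuple) -> bool:
        if self.first is not None and v < parse_version(self.first):
            return False
        if self.fixed is not None and v >= parse_version(self.fixed):
            return False
        if self.last is not None and v > parse_version(self.last):
            return False
        return True


# Ranges transcribed from the feed entries above.
ADVISORIES = {
    "gitea": ("CVE-2026-27771", [AffectedRange(fixed="1.26.2")]),
    "tomcat": ("CVE-2026-53434", [
        AffectedRange(first="11.0.0-M1", fixed="11.0.23"),
        AffectedRange(first="10.1.0-M7", fixed="10.1.56"),
        AffectedRange(first="9.0.83", fixed="9.0.119"),
    ]),
    "7-zip": ("CVE-2025-53817", [AffectedRange(fixed="25.0.0")]),
    # Oracle ships a CPU patch, not a new version, so only "last" is known.
    "oracle-ebs": ("CVE-2026-46817", [AffectedRange(first="12.2.3", last="12.2.15")]),
}


def is_affected(product: str, version: str) -> bool:
    _cve, ranges = ADVISORIES[product]
    v = parse_version(version)
    return any(r.contains(v) for r in ranges)


def triage(installed: dict[str, str]) -> dict[str, str]:
    """Map product -> CVE for every installed version inside an affected range."""
    return {p: ADVISORIES[p][0] for p, ver in installed.items() if is_affected(p, ver)}


def gitea_workaround_active(app_ini: str) -> bool:
    """True if [service] REQUIRE_SIGNIN_VIEW is set to a true value in app.ini text.

    Gitea's app.ini has keys before the first section header, which configparser
    rejects, so a dummy section is prepended. Keys are kept case-sensitive.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string("[__root__]\n" + app_ini)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


# Constructed sample app.ini, not taken from a real deployment.
SAMPLE_APP_INI = """\
; constructed example
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod

[server]
ROOT_URL = https://git.example.internal/

[service]
REQUIRE_SIGNIN_VIEW = true
"""

if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = {"gitea": "1.26.1", "tomcat": "10.1.0-M9",
                 "7-zip": "24.09", "oracle-ebs": "12.2.16"}
    for product, cve in triage(inventory).items():
        print(f"{product:10s} {inventory[product]:12s} affected by {cve}")
    print("Gitea workaround active:", gitea_workaround_active(SAMPLE_APP_INI))
```

The `AffectedRange` fields mirror how the advisories are phrased: an exclusive `fixed` bound when a fixed release is named, an inclusive `last` bound when only a patch is offered. Note that the Gitea workaround check only reports the setting; it does not verify that the running instance honours it.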
Deep Threat Research

Mastra Supply Chain Compromise: easy-day-js Dropper Pulls a Cross-Platform RAT Into @mastra Installs

From “Encrypt Everything” to “Encrypt for the Quantum Era”: The Upwind Cloud Cryptography Framework

Newly Discovered durabletask Malware Targeted Kubernetes, Cloud Secrets, and CI/CD Infrastructure