Checkmarx Zero

386 posts


@CheckmarxZero

Checkmarx Zero Working to Keep the Open Source Ecosystem Safe https://t.co/3yB6kPHV9B

Joined April 2022
18 Following · 224 Followers
Checkmarx Zero@CheckmarxZero·
A critical unauthenticated #RCE vulnerability (CVE-2026-33017) has been identified in #Langflow. The /api/v1/build_public_tmp/{flow_id}/flow endpoint allows attackers to supply malicious flow data containing arbitrary Python code, which is executed via exec() without sandboxing. This results in full remote code execution without requiring authentication. Unlike previous fixes, this endpoint is intentionally public but improperly trusts user-controlled input. Stay safe by restricting access to public flow endpoints and avoiding untrusted flow data until a fix is available. devhub.checkmarx.com/cve-details/CV…
Checkmarx Zero@CheckmarxZero·
🚨 #PhantomRaven update The Checkmarx Zero research team identified additional packages linked to the latest activity in this ongoing supply chain campaign. To support the security community and maintain transparency, we’re sharing an updated list of packages tied to the campaign, including previously reported packages and newly discovered ones identified by Checkmarx Zero. 📦 List of packages (previously reported + newly discovered): 🔗 gist.github.com/cx-ricardo-gon… #OpenSourceSecurity #SupplyChainSecurity #npm #Malware #AppSec #PhantomRaven
Checkmarx Zero@CheckmarxZero·
AI-based security review tools are fascinating, so of course we've been pushing them to discover their strengths and limits. One of our senior security researchers, Alon Lerner, noted that security review commands and tools in LLMs definitely sound very confident in their results. But that confidence is often unearned. LLM-based tools are probabilistic, require significant context to get meaningful results, and make important mistakes in analysis that can mislead AppSec teams and developers. But there's real value available to organizations that adopt these tools to augment their security programs. IF you understand the strengths and limitations and use them wisely. Learn more: checkmarx.com/zero-post/unea…
Checkmarx Zero@CheckmarxZero·
Whoever had "AI attacks against GitHub Actions" on their #AppSec bingo card won this last week with the "hackerbot-claw" thing. We cover that story and more:
🦞 OpenClaw had a vulnerability leading authenticated gateway users to be able to completely take over the host agents.
🤖 ModelScope MS-Agent bug (CVE-2026-2256) enabled OS command execution
🦠 "Contagious Interview" followup campaign got the "name and logo" treatment as StegaBin
🕸️ Popular WordPress extension SiteOrigin Page Builder didn't keep its template discovery well-contained (CVE-2026-2448)
For details on the hackerbot-claw campaign and those other stories, check out our latest Last Week In AppSec feature: checkmarx.com/zero-post/ai-f… #LastWeekInAppSec #AISecurity #SupplyChainSecurity #ApplicationSecurity #Cybersecurity
Checkmarx Zero@CheckmarxZero·
📢 CVSS 10.0 Critical RCE disclosed in OpenClaw npm module prior to 2026.2.14 Remote Code Execution in openclaw results in full host takeover, exposed when an attacker manages to authenticate to gateway, meaning this is an elevation of privilege allowing lateral movement and increased access. Fixed in openclaw@2026.2.14. 📦 github.com/advisories/GHS… #RCE #OpenClaw #Vulnerability #AISecurity
Checkmarx Zero@CheckmarxZero·
Following up on yesterday's alert regarding the reactivation of the "Contagious Interview" campaign on #npm, we've identified 18 new malicious packages. At the time of writing, three of them are still up in npm:
- chai-as-confirmed
- chai-as-refined
- js-nodecat
This time, some of these packages include variations with "chain", and other typosquatting names of known packages (e.g., argonnode instead of argon, js-nodecat instead of nodecat). Developers must stay vigilant:
🔍 Review your installed packages and dependencies carefully.
🚫 Do not install any package containing `smoke:pino` or `smoke:file` in the "scripts" section of package.json.
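The check from the post above, as an added example (not Checkmarx's code): it flags a package.json whose "scripts" section contains `smoke:pino` or `smoke:file`, or that is, or depends on, one of the package names the post mentions. The function name, finding format and sample manifest are constructed for illustration.

```javascript
// Added example, not Checkmarx code. Indicators are only those named in the post.
const SUSPECT_SCRIPTS = ["smoke:pino", "smoke:file"];
const SUSPECT_NAMES = ["chai-as-confirmed", "chai-as-refined", "js-nodecat", "argonnode"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Audit the text of one package.json; returns an array of findings (empty = clean).
function auditPackageJson(text, label = "package.json") {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (err) {
    return [{ file: label, kind: "unparseable", detail: err.message }];
  }
  if (!isObj(pkg)) return [{ file: label, kind: "unparseable", detail: "not a JSON object" }];

  const findings = [];
  if (SUSPECT_NAMES.includes(pkg.name)) {
    findings.push({ file: label, kind: "package-name", detail: pkg.name });
  }
  // Match the script's own name, or a command that invokes it (e.g. via "npm run").
  for (const [key, cmd] of Object.entries(isObj(pkg.scripts) ? pkg.scripts : {})) {
    if (SUSPECT_SCRIPTS.some((s) => key.includes(s) || String(cmd).includes(s))) {
      findings.push({ file: label, kind: "script", detail: `${key}: ${cmd}` });
    }
  }
  for (const field of DEP_FIELDS) {
    for (const dep of Object.keys(isObj(pkg[field]) ? pkg[field] : {})) {
      if (SUSPECT_NAMES.includes(dep)) {
        findings.push({ file: label, kind: "dependency", detail: `${field}.${dep}` });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not a real package).
const SAMPLE = JSON.stringify({
  name: "demo-app",
  scripts: { test: "mocha", postinstall: "npm run smoke:pino", "smoke:pino": "node ./lib/check.js" },
  dependencies: { chai: "^5.0.0", "js-nodecat": "^1.0.0" },
});
console.log(auditPackageJson(SAMPLE));
```

To audit a project, pass it the text of the root package.json and of each package.json under node_modules.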
Checkmarx Zero@CheckmarxZero·
A critical #RCE vulnerability has been identified in #Langflow prior to version 1.8.0. The CSV Agent node hardcodes allow_dangerous_code=True, exposing the LangChain Python REPL tool. This misconfiguration allows attackers to exploit prompt injection to execute arbitrary Python and OS commands, resulting in full remote code execution. Stay safe by updating Langflow to version 1.8.0. devhub.checkmarx.com/cve-details/CV…
Checkmarx Zero@CheckmarxZero·
A new #XSS vulnerability has been identified in #Angular (@angular/core) affecting versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19. Improper sanitization in the internationalization (i18n) pipeline allows malicious translations containing unsafe HTML to execute arbitrary JavaScript. This can lead to credential theft, session hijacking, or page manipulation if translation files are compromised and a strict Content Security Policy (CSP) is not enforced. Stay safe by updating Angular to the latest patched version and enforcing a strict CSP. devhub.checkmarx.com/cve-details/CV…
Checkmarx Zero@CheckmarxZero·
Last Week In AppSec we're seeing yet more ways in which researchers are able to trick AI code assistants by abusing trust in sources of context: like configuration files in code repositories and the contents of bug reports.
👩🏼‍💻 Config files in repos can be hijacked, in some cases causing Claude Code to run malicious commands without prompting the user
🐞 GitHub Issues can contain hidden prompt injections that cause serious problems when developers start Codespaces that include GitHub Copilot sessions
Read more: checkmarx.com/zero-post/last… #ApplicationSecurity #LastWeekInAppSec #AISecurity #ClaudeCode #GitHubCopilot #AI #LLM #AIAgent
Checkmarx Zero@CheckmarxZero·
We've identified another rash of over 50 malicious packages that appear to be associated with the "Contagious Interview" campaign. Some are targeting high-profile packages like 'chai', 'dotenv', and 'pino' -- with tens of millions of weekly downloads each. Fortunately, the community has been working with npm to ensure these get taken down. And of course we promptly added them to our Malicious Package Database for our customers. So right now there's no cause for panic. But it is something to pay attention to. This round of the campaign leverages Typosquatting — uploading packages with very similar names to legitimate ones, so that typing mistakes by developers result in an infection. Unlucky developers will end up with malware that accesses their files and network resources, and hunts for secrets like API keys for exfiltration to the attackers. This campaign isn't a "script kiddie" attack, either: the payloads are obfuscated using tactics designed to bypass sandboxing and make deobfuscation difficult for defenders and researchers.
Checkmarx Zero@CheckmarxZero·
Claude Code Security, and the Claude Code "security-reviewer" feature it's based on, gains its best security capabilities from the Opus 4.6 model. Is this model living up to the hype? Our researchers are pushing it to see what it can do—and where it falls short. Learn:
🔍 Where limitations of the model and AI security tools lie
🔍 How context shapes the quality of the LLM's analysis
🔍 Where it can augment your Application Security program
checkmarx.com/zero-post/lear… #ClaudeCode #ApplicationSecurity #AppSec #AI #LLM #AISecurity
Checkmarx Zero@CheckmarxZero·
Malware is targeting developers through open-source libraries: we can't keep having our only response be telling devs to "be careful". And you can't just buy a product about it. You need a strategy for keeping your developers (and your CI/CD and production systems!) safe. Darren lays out a framework for an effective solution, based on over 20 years of Application Security leadership and research in our most recent article: checkmarx.com/zero-post/prot… #CICD #OpenSource #ApplicationSecurity #DevSec #SoftwareSupplyChainSecurity #Security #MaliciousPackages #Malware
Checkmarx Zero@CheckmarxZero·
⏳ With EOL in March, Ingress #NGINX has 4 newly disclosed vulnerabilities:
🔴 CVE-2026-1580 and CVE-2026-24512 allow for configuration injection via the "nginx.ingress.kubernetes.io/auth-method" ingress annotation and the "rules.http.paths.path" ingress field, respectively
🟡 CVE-2026-24514 is a #DoS in the ingress-nginx admission controller, triggered by sending large requests.
⚪ CVE-2026-24513 is a bypass of the protection afforded by the "auth-url" ingress when a misconfiguration is in place.
We recommend that you migrate to F5's NGINX Ingress: github.com/nginx/kubernet… If you can’t migrate yet, update to v1.14.3.
Checkmarx Zero@CheckmarxZero·
This attempt to compromise #Solidity / #Etherium developers was particularly aggressive: it didn’t just try to exfiltrate data, it installed a Remote Access Trojan. Not to worry, we got it shut down within a day. 👉 Read about it: checkmarx.com/zero-post/soli… We’re constantly shutting down attacks on developers, including in the #VSCode marketplace and the OpenVSX marketplace. And we’re super appreciative of the fast responses to our reports from their security teams. Working together makes the community safer!
Checkmarx Zero@CheckmarxZero·
🚨 CVE-2026-22709 | VM2 — Sandbox Escape Leads To RCE A new #RCE vulnerability has been identified in #vm2 prior to version 3.10.2. An incomplete sanitization of critical elements is bypassable, allowing attackers to escape the sandbox and execute arbitrary code. This vulnerability can result in critical code injection risks. Stay safe by updating vm2 to version 3.10.2. #AppSec devhub.checkmarx.com/cve-details/CV…
Checkmarx Zero@CheckmarxZero·
Looking at the #LastWeekInAppSec, we see two widely-used application components with Denial of Service, and a nasty little path traversal in a package manager.
▷ Oracle's Java SE and GraalVM offerings have a denial of service (DoS) in specific cases where they're processing untrusted code. Worth updating if you have a product that's intended to run customer code in any way. CVE-2026-21945
▷ React 19 has a DoS too, for apps using Server Function endpoints. This one is quite a bit easier to attack if you expose those endpoints (directly or indirectly), allowing an adversary to run up your cloud bill or even crash your application. CVE-2026-23864
▷ pnpm, an alternative to the npm package manager (but that still uses the npm registry under the covers), has a nasty path traversal that leaves a door open for malicious packages to do a lot of damage. This one's a priority. CVE-2026-23888
Details, mitigations, context for making risk-based decisions all on our blog: checkmarx.com/zero-post/last… #React #NodeJS #Java #pnpm #npm #CVE #Vulnerability #DoS
Checkmarx Zero@CheckmarxZero·
Did you know Checkmarx Zero has a newsletter? Avoid the whims of The Algorithm: get an email synopsis when new Checkmarx Zero research or analysis is published on our blog, plus subscriber-exclusive content. Visit checkmarx.com/zero/?utm_sour… and click on the "Subscribe" control at the bottom.
Checkmarx Zero@CheckmarxZero·
Due to detailed exploit guidance in the wild, the priority of patching this #Redis XACKDEL #vulnerability increased this week. CVE-2025-62507. Redis's XACKDEL command, used to acknowledge and delete messages from a queue in a single operation, was implemented in a way that could cause a stack buffer overflow (which can in turn lead to RCE [Remote Command Execution]). The CVE was published in November 2025 with an original CVSS base score of 8.8 (since reduced to 7.7 due to further analysis), but it's in the news again this week because researchers from JFrog highlighted that test code in the Redis repo serves as exploitation guidance, and expanded that information with a detailed set of instructions to exploit the vulnerability. The existence of exploit guidance from researchers or adversaries often increases the risk of exploitation in the future, as it accelerates development of adversarial automation. While sharing this information has value to defenders as well, it does increase the urgency of patching. ‼️ if you haven't yet upgraded your Redis installs, you should increase the priority of that. #CVE #ApplicationSecurity #ProductSecurity #Exploit
Checkmarx Zero@CheckmarxZero·
Yes, we've heard a little noise about the semi-popular #ChatMoss #VSCode extension that appears to be malicious. We reported it on 31. Oct 2025, in fact; shortly after we began our ongoing campaign to monitor the VSCode and OpenVSX marketplaces. The extension ID is WhenSunset[.]chatgpt-china ; for whatever reason, in this case the marketplace folks decided to take no action. It's not new, it's not news, but it is a good reminder to be cautious; marketplace maintainers can be reluctant to remove things without "smoking gun" evidence of malice. #WhenSunset #VSCodeExtension #Malware #SupplyChainSecurity #OpenSourceSecurity
Checkmarx Zero@CheckmarxZero·
In case you missed it: you should take a second to understand the Sigstore / cosign audit log vulnerability if you use Sigstore in any capacity. CVE-2026-22703 isn't a "panic!" situation, but it's definitely the type of thing that ages poorly. It's worth understanding the issue to decide what priority to place on upgrading cosign. And if you're a maintainer, you should check your Rekor entries for any that are missing the usual metadata -- that could be a sign of a compromise or at least an attempt. This is, fortunately, pretty difficult to exploit; so it bears repeating not to panic. But it's still important to address in a measured way. Read more: checkmarx.com/zero-post/last…