Checkmarx Zero

@checkmarxzero.bsky.social

Specializing in breaking and protecting the building blocks of modern software development. From traditional #AppSec, through #opensource #SupplyChain threats, to #LLM security. https://checkmarx.com/zero/

37 Followers  |  1 Following  |  303 Posts  |  Joined: 25.03.2025  |  1.5668

Latest posts by checkmarxzero.bsky.social on Bluesky

⚪ CVE-2026-24513 is a bypass of the protection afforded by the "auth-url" ingress when a misconfiguration is in place.

04.02.2026 22:08 — 👍 0    🔁 0    💬 0    📌 0

🔴 CVE-2026-1580 and CVE-2026-24512 allow for config #injection via the "nginx.ingress.kubernetes.io/auth-method" ingress annotation and the "rules.http.paths.path" ingress field, respectively.

🟡 CVE-2026-24514 is a #DoS in the ingress-nginx admission controller, triggered by sending large requests.

04.02.2026 22:08 — 👍 0    🔁 0    💬 1    📌 0

GitHub - nginx/kubernetes-ingress: NGINX and NGINX Plus Ingress Controllers for Kubernetes NGINX and NGINX Plus Ingress Controllers for Kubernetes - nginx/kubernetes-ingress

⏳ With EOL in March, Ingress #NGINX has 4 newly disclosed vulnerabilities:
#CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, and CVE-2026-24514.

We recommend that you migrate to F5's NGINX Ingress: buff.ly/vqTJvPK
If you can’t migrate yet, update to v1.14.3.

More details on each CVE below.

04.02.2026 22:08 — 👍 0    🔁 0    💬 1    📌 0

We’re constantly shutting down attacks on developers, including in the #VSCode marketplace and the OpenVSX marketplace. And we’re super appreciative of the fast responses to our reports from their security teams. Working together makes the community safer!

30.01.2026 16:42 — 👍 0    🔁 0    💬 0    📌 0

Solidity devs targeted again: Malicious VS Code extension drops ScreenConnect-based remote access trojan (RAT) - Checkmarx A fake Solidity VS Code extension impersonated Juan Blanco and installed ScreenConnect/ConnectWise Control for remote access—takedown in 24h. IoCs + mitigation.

This attempt to compromise #Solidity / #Ethereum developers was particularly aggressive: it didn’t just try to exfiltrate data, it installed a Remote Access Trojan. Not to worry, we got it shut down within a day.

👉 Read about it: buff.ly/9e55Xgy

30.01.2026 16:42 — 👍 0    🔁 0    💬 1    📌 0

Last Week in AppSec for 29. January 2026 - Checkmarx Denial of Service in Java SE and React server, and pnpm lets a directory traversal (Zip) slip in. Last week in AppSec.

Looking at the #LastWeekInAppSec, we see two widely-used application components with #DoS, and a nasty little path traversal in a package manager.

Details, mitigations, context for making risk-based decisions all on our blog: buff.ly/xL4NKOg

#React #NodeJS #Java #pnpm #npm #CVE #Vulnerability

29.01.2026 22:08 — 👍 2    🔁 1    💬 0    📌 0

Did you know Checkmarx Zero has a newsletter? Avoid the whims of The Algorithm: get an email synopsis when new Checkmarx Zero research or analysis is published on our blog, plus subscriber-exclusive content.

Visit buff.ly/Ao3m5kC and click on the "Subscribe" control at the bottom.

28.01.2026 22:08 — 👍 0    🔁 0    💬 0    📌 0

Exploit guidance from researchers or adversaries often increases the risk of exploitation in the future, accelerating development of adversarial automation. This data is important for defenders as well, but it's important to be mindful of the increased risk that comes with.

27.01.2026 15:42 — 👍 0    🔁 0    💬 0    📌 0

Due to detailed #exploit guidance in the wild, the priority of patching this #Redis XACKDEL #vulnerability increased this week. CVE-2025-62507 buff.ly/NJvVjvS

‼️ if you haven't yet upgraded your Redis installs, you should increase the priority of that.

#CVE #ApplicationSecurity #ProductSecurity

27.01.2026 15:42 — 👍 0    🔁 0    💬 1    📌 0
An email message, with personal information redacted, showing that Checkmarx Zero reached out to the VSMarketplace team on 31. Oct 2025 about the ChatMoss / WhenSunset extension's suspicious behavior

Yes, we heard about the #ChatMoss / #WhenSunset #VSCode extension that appears to be malicious. We reported it to the marketplace on 31. Oct 2025. It's not new, it's not news, but it is a good reminder to be cautious; marketplaces don't always remove sketchy extensions.
#Malware #SupplyChainSecurity

23.01.2026 17:45 — 👍 1    🔁 0    💬 0    📌 0

As of 16. Jan 2026, this chart shows the number of #CVE submissions in "Awaiting Analysis" status in the US-NVD

Unless something changes with #NVD's capacity (which seems unlikely given NIST's current priorities), we as an industry need to find a different path. This isn't sustainable.

20.01.2026 14:53 — 👍 0    🔁 0    💬 0    📌 0

Last Week in AppSec for 15. January 2026 - Checkmarx Potentially serious flaws, depending on your uses, in sigstore, n8n, and pnpm made last week in appsec all about tools in the software supply chain.

This #LastWeekInAppSec is a great reminder that automation and dev tooling are part of an organization's attack surface. #Sigstore, #pnpm, and #n8n all have vulns to pay attention to, but (mostly) not panic over.

👉 should you worry? read: buff.ly/ATRNVz3

#AppSec #ProductSecurity #DevSecOps #DevOps

15.01.2026 17:07 — 👍 1    🔁 0    💬 0    📌 0

CVE-2026-22688: #CommandInjection in #MCP stdio configuration in #WeKnora. Authenticated users can inject commands into the MCP stdio settings, causing the server to create subprocesses and execute the injected commands. buff.ly/CyMafWP

Update to v0.2.5 or higher!

13.01.2026 22:08 — 👍 0    🔁 0    💬 0    📌 0

🚨 Alert #WeKnora users! 2 High Severity #CVEs were released.
CVE-2026-22687: #SQLi in the Agent service DB query tool. Due to insufficient backend checks an attacker can use prompt‑based bypass to avoid query restrictions and obtain sensitive information from the server and DB. buff.ly/kQXicrG

13.01.2026 22:08 — 👍 0    🔁 0    💬 1    📌 0

HITL Dialog Forging (aka Lies-in-the-Loop) | OWASP Foundation HITL Dialog Forging (aka Lies-in-the-Loop) on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.

Checkmarx Zero has contributed some of our work on Lies-in-the-Loop to the OWASP foundation. Thanks to our own Ori Ron for the efforts there, and to the OWASP community for the review and process of getting this important attack pattern documented with OWASP.

See: buff.ly/KNzcahw

13.01.2026 15:42 — 👍 4    🔁 0    💬 0    📌 0

🔎 IoCs include
meow[.]undefined21[.]com:8040
c[.]undefined21[.]com:4444
ScreenConnect.ClientSetup.msi?e=Access&y=Guest
/tmp/.test.py
~/Library/LaunchAgents/com.example.testscript.plist
~/.config/systemd/user/testscript.service
%TEMP%\extension.bat
🧡 3/3

09.01.2026 18:12 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

Windows: drops UAC-elevated script, adds Defender exclusion & installs ScreenConnect from meow[.]undefined21[.]com:8040.

macOS & Linux: drops Python reverse shell to c[.]undefined21[.]com:4444.
🧡 2/3

09.01.2026 18:12 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0

🚨 Malicious VS Code extension impersonating Solidity publishers: juanblan281.solid281 ; drops persistent remote-access kits on Windows, macOS, and Linux. If found on machines, quarantine and clean carefully. 🧡 1/3

#VSCode #Malware #AppSec #Developer #Solidity

09.01.2026 18:12 — 👍 1    🔁 1    💬 1    📌 0

Last Week in AppSec for 08. January 2026 - Checkmarx React2Shell keeps going, Shai-Hulud doesn't. MongoDB and RustFS have problems. AdonisJS could write arbitrary files. 08. January 2026: Last Week In AppSec

It's been a busy couple of weeks for #AppSec; including ongoing named vulns like React2Shell and MongoBleed, because what's a #vuln without a Brand™? Also AdonisJS, RustFS, and the Shai-Hulud that didn't happen

📑 READ more: buff.ly/xbVornQ

#JavaScript #npm #MongoDB #React #Rust

08.01.2026 15:42 — 👍 0    🔁 0    💬 0    📌 0

Unrestricted Upload of File with Dangerous Type in n8n - CVE-2026-21877 - DevHub n8n is affected by an authenticated Remote Code Execution (RCE) vulnerability. Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service.…

🚨 CVE-2026-21877 – #RCE in #n8n via Arbitrary File Write

Authenticated users may upload crafted files that could trigger remote code execution, potentially leading to full instance compromise, affecting both self-hosted and cloud instances.

Patch version 1.121.3+.
More information:

07.01.2026 14:48 — 👍 1    🔁 0    💬 0    📌 0

AI Model Confusion: An LLM/AI Model Supply Chain Attack - Checkmarx Checkmarx Zero research reveals the AI Model Confusion attack pattern against registries like Hugging Face, building on Dependency Confusion in OSS library registry. Learn what it is and how to…

Our own Ori Ron and Tal Folkman have been spending their time understanding how attackers can adapt open-source supply chain attack tactics to #AI model registries like #HuggingFace. In their most recent article, they discuss how they adapted #DependencyConfusion tactics into #ModelConfusion.

06.01.2026 15:42 — 👍 1    🔁 0    💬 0    📌 0

AI Model Confusion: An LLM/AI Model Supply Chain Attack - Checkmarx Checkmarx Zero research reveals the AI Model Confusion attack pattern against registries like Hugging Face, building on Dependency Confusion in OSS library registry. Learn what it is and how to…

#HuggingFace is great, but supply chain attacks against it and similar registries may mean you're potentially accepting some pretty toxic hugs from strangers. Do you know what to look for, and how to avoid adopting malicious models into your #AI workflows?

👉 buff.ly/1vNZNbv

06.01.2026 15:42 — 👍 0    🔁 0    💬 1    📌 0

2025 Was Quietly Good for Application Security - Checkmarx A grounded look at why 2025 was quietly good for developers and AppSec practitioners—real ecosystem changes, safer defaults, and community shifts that reduced risk without slowing teams down.

2025 wasn’t all new vulns and bad news for AppSec. It also brought real, material wins for developers and defenders: safer defaults, harder supply-chain abuse, better collaboration, and risk reductions that don’t slow teams down.

30.12.2025 15:42 — 👍 0    🔁 0    💬 0    📌 0

🚨 Attention MongoDB users: if you have yet to update your MongoDB to its latest version - now is the time to do so as it is currently being exploited in the wild. CVE-2025-14847, dubbed "MongoBleed", is a zlib buffer overread which allows attackers to read arbitrary server memory.

#AppSec #MongoDB

30.12.2025 10:30 — 👍 1    🔁 0    💬 0    📌 0

🚨CVE-2025-68613: Critical RCE in n8n via expression injection.
Auth users can craft workflow expressions that escape isolation and execute code as the n8n process risking full instance compromise.
Patch: upgrade to v1.122.0+ (1.120.4/1.121.1/1.122.0).
More info: devhub.checkmarx.com/cve-details/...

23.12.2025 22:08 — 👍 0    🔁 0    💬 0    📌 0

🧵4/4 ~ After the holiday season, we'll have more technical details and case studies!

#AI #SoftwareSupplyChain #LLM #ModelConfusion #ModelJacking #SupplyChainRisk #HuggingFace

23.12.2025 15:42 — 👍 0    🔁 0    💬 0    📌 0

🧵3/4 ~ We're helping orgs that are hit by these new LLM-registry attacks (which we're calling Model Confusion and Model Jacking; evolved versions of Dependency Confusion and Repo Jacking). We've helped these orgs either shut down attacks or harden themselves to reduce the risk of future harm.

23.12.2025 15:42 — 👍 0    🔁 0    💬 1    📌 0

🧵2/4 ~ As AI models enter the software supply chain for many organizations, attackers are evolving old supply chain tactics. Where open-source library registries like npm have been targeted, we're seeing the evolved tactics targeting LLM registries like HuggingFace.

23.12.2025 15:42 — 👍 0    🔁 0    💬 1    📌 0

We're working through the final stages of disclosure with several orgs who have been impacted by evolved forms of supply chain attacks targeting their LLM ecosystems on HuggingFace. 🧵

#AI #SoftwareSupplyChain #LLM #ModelConfusion #ModelJacking #SupplyChainRisk #HuggingFace

23.12.2025 15:42 — 👍 0    🔁 0    💬 1    📌 0

🚨 #Windows users of #NPM systeminformation be aware of #CVE-2025-68154. The fsSize function is vulnerable to OS Command #Injection. The drive parameter is added to a PowerShell command directly, allowing arbitrary commands when user input hits fsSize(). Upgrade to v5.27.14

Details: buff.ly/xexR3dP

18.12.2025 15:42 — 👍 0    🔁 0    💬 0    📌 0
