cybersec

CVE Reconstruction

Weekly CVE deep dives. Real-world analysis. No fluff.

cybersec

May 29, 2026 · 9 min Unsandboxed RCE

CVE-2026-26009: When `installScript` Was Just a Polite Name for `bash -c`

A 9.9-CVSS root-RCE in Catalyst, a game-server orchestration panel, where any operator with `template.create` or `template.update` could ship a "template" whose install script was executed verbatim by the node agent — running as root, on every node, with no container, no chroot, no nothing.

— the sandbox was a strongly-worded comment

May 27, 2026 · 6 min EXPLOITABLE Code Injection

CVE-2026-1615: When "Static" Evaluation Wasn't That Static

— static-eval was never the sandbox you thought

May 25, 2026 · 7 min EXPLOITABLE Address Disclosure

CVE-2026-22778: cannot identify image file `<_io.BytesIO object at 0x7a95e299e750>`

— PIL snitched, ASLR cried, three bits remained

May 22, 2026 · 7 min EXPLOITABLE Command Injection

CVE-2026-1802: When `os.execute` Met an HTTP Form Value

— A debug flag is forever, apparently

May 20, 2026 · 6 min EXPLOITABLE Code Injection

CVE-2026-25141: When Your String Escaper Forgets It's Also a Comment Escaper

— Six characters is a complete language

May 20, 2026 · 7 min EXPLOITABLE Heap OOB Write

CVE-2026-31705: When the Padding Forgot to Ask

— The alignment ate the heap

May 19, 2026 · 8 min EXPLOITABLE Bounds-Check Inversion

CVE-2026-31635: When the Bounds Check Faced the Wrong Way

— one character, one workqueue, one panic

May 19, 2026 · 8 min EXPLOITABLE Block Device Confusion

CVE-2026-24054: The Bind-Mount That Convinced Kata to Hotplug Your Host Disk

— stat dot dev is not consent

May 16, 2026 · 30 min UNKNOWN kernel-disk-hook

Fast16: The Ghost in the Machine That Predated Stuxnet

— When mathematics lies, the real world breaks

May 16, 2026 · 13 min EXPLOITABLE trust-boundary

YellowKey and the BitLocker Zero-Days: What Just Got Disclosed

— When recovery becomes the attack vector

May 15, 2026 · 6 min EXPLOITABLE Confused Deputy

CVE-2026-22039: The Namespaced Policy That Wasn't

— the controller's token is not yours

May 15, 2026 · 6 min UNKNOWN Cross-Site Scripting

CVE-2026-42897: An Exchange XSS That Microsoft Calls "Spoofing"

— encoders are contextual, parsers are unforgiving

May 13, 2026 · 5 min EXPLOITABLE Missing Authorization

CVE-2026-20888: The Cancel Button That Forgot to Ask Who You Were

— Two doors, one lock, predictable consequences

May 6, 2026 · 5 min EXPLOITABLE SQL Injection

CVE-2026-22850: When Your Own Export File Comes Back As A Bomb

— stored data is still tainted data

Apr 29, 2026 · 6 min EXPLOITABLE Type Confusion

CVE-2026-21683: When the Tag Lied About What It Was

— Trust the vtable, not the file

Apr 25, 2026 · 6 min UNKNOWN Missing Authorization

CVE-2025-69359: The WordPress LMS That Forgot to Ask Who You Are

— Permission callbacks are not vibes

Apr 24, 2026 · 5 min EXPLOITABLE Stack Buffer Overflow

CVE-2026-0640: When sscanf Became gets() Again

— scanf is still gets, apparently

Apr 24, 2026 · 6 min EXPLOITABLE Algorithm Confusion

CVE-2026-5194: The Digest That Wasn't Big Enough

— half a check is half your security

Apr 24, 2026 · 6 min EXPLOITABLE Blind SQL Injection

CVE-2025-59379: The Login Page That Answered Questions It Shouldn't Have

— Parameterise the query, hash the password

Apr 24, 2026 · 6 min EXPLOITABLE Type Confusion

CVE-2026-21493: Type Confusion in iccDEV Curve Serializer — When a Type Tag Isn't a C++ Type

— Tag bytes aren't vtables, friend

Apr 23, 2026 · 5 min EXPLOITABLE URL Parsing (SSRF-adjacent)

CVE-2025-62718: The Trailing Dot That Leaked Your Localhost

— normalize before you compare, always