CrowdStrike published an advisory for CVE-2026-40050, a critical unauthenticated path traversal vulnerability affecting its LogScale product. The flaw can allow a remote attacker to read arbitrary files from the server filesystem.
A Common Vulnerability Exposure (CVE) that cannot reach the privilege plane is operationally ineffective - even at a CVSS Score of 10. This should be a core philosophy that is embedded into the fabric of software engineering.
The admission comes after version 8.8.9 of the text editor was released on December 9. The "hardened" version verified the signature and certificate of downloaded installers during the update process. On December 27, version 8.9 was released, which dropped the use of a self-signed certificate. The project said: "Only the legitimate certificate issued by GlobalSign is now used to sign Notepad++ release binaries. We strongly recommend that users who previously installed the self-signed root certificate remove it."
Wiz Security's research team identified that a subset of repositories configured regular expressions for AWS CodeBuild webhook filters intended to limit trusted actor IDs, but these filters were insufficient, allowing a predictably acquired actor ID to gain administrative permissions. The four affected repositories that put the AWS Console supply chain at risk were the AWS SDK for JavaScript v3, the general-purpose cryptographic library aws-lc, amazon-corretto-crypto-provider, and awslabs/open-data-registry, a repository of publicly available datasets accessible from AWS resources.
Attackers are actively exploiting a critical vulnerability in React Native's Metro server to infiltrate development environments. The vulnerability, CVE-2025-11953, allows malicious actors to execute code on Windows and Linux systems via exposed development servers. Metro is React Native's default JavaScript bundler during application development and testing. In many configurations, this server runs locally, but by default, Metro can also bind to external network interfaces. This makes HTTP endpoints available that are intended for development. It is precisely this functionality that now constitutes an attack vector,
