<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Sat, 18 Jul 2026 14:26:48 +0000</lastBuildDate>
    <item>
      <title>81fc52e0-ec19-4583-ab1f-727307588111</title>
      <link>https://vulnerability.circl.lu/sighting/81fc52e0-ec19-4583-ab1f-727307588111/export</link>
      <description>{"uuid": "81fc52e0-ec19-4583-ab1f-727307588111", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49852", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqur7v4av42e", "content": "CVE-2026-49852 - joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)\nCVE ID : CVE-2026-49852\n \n Published : July 17, 2026, 8:17 p.m. | 17\u00a0minutes ago\n \n Description : joserfc is a Python library that provides an implementatio...", "creation_timestamp": "2026-07-17T22:08:26.483021Z"}</description>
      <content:encoded>{"uuid": "81fc52e0-ec19-4583-ab1f-727307588111", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49852", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqur7v4av42e", "content": "CVE-2026-49852 - joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)\nCVE ID : CVE-2026-49852\n \n Published : July 17, 2026, 8:17 p.m. | 17\u00a0minutes ago\n \n Description : joserfc is a Python library that provides an implementatio...", "creation_timestamp": "2026-07-17T22:08:26.483021Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/81fc52e0-ec19-4583-ab1f-727307588111/export</guid>
      <pubDate>Fri, 17 Jul 2026 22:08:26 +0000</pubDate>
    </item>
    <item>
      <title>67ca58a5-1e7a-4e92-97e1-70b3a07feeba</title>
      <link>https://vulnerability.circl.lu/sighting/67ca58a5-1e7a-4e92-97e1-70b3a07feeba/export</link>
      <description>{"uuid": "67ca58a5-1e7a-4e92-97e1-70b3a07feeba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49858", "type": "seen", "source": "https://gist.github.com/alon710/a56efdb02fd3817ca2ff1035bbcd74e4", "content": "# CVE-2026-49858: CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers\n\n&amp;gt; **CVSS Score:** 5.9\n&amp;gt; **Published:** 2026-07-10\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49858\n\n## Summary\nCVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.\n\n## TL;DR\nUnsafe in-memory caching in API Platform Core's JSON:API and HAL normalizers leaks sensitive properties across different user contexts when running under persistent PHP environments like FrankenPHP or RoadRunner.\n\n## Technical Details\n\n- **CWE ID**: CWE-524\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 5.9 (Medium)\n- **EPSS Score**: 0.00197\n- **Impact**: High Confidentiality Exposure\n- **Exploit Status**: None (No public exploit or PoC)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- API Platform Core\n- api-platform/core\n- api-platform/hal\n- api-platform/json-api\n- **api-platform/core**: &amp;gt;= 4.1.0, &amp;lt; 4.1.29 (Fixed in: `4.1.29`)\n- **api-platform/core**: &amp;gt;= 4.2.0, &amp;lt; 4.2.26 (Fixed in: `4.2.26`)\n- **api-platform/core**: &amp;gt;= 4.3.0, &amp;lt; 4.3.12 (Fixed in: `4.3.12`)\n\n## Mitigation\n\n- Upgrade the API Platform Core package to version 4.1.29, 4.2.26, 4.3.12 or higher.\n- Temporarily disable persistent application workers (FrankenPHP worker mode, Swoole, RoadRunner) and fallback to stateless PHP-FPM runtime environments.\n- Decorate the SerializerContextBuilder to explicitly nullify the cache_key parameter during serialization of HAL and JSON:API formats.\n\n**Remediation Steps:**\n1. Run 'composer update api-platform/core' to pull the latest security patch.\n2. Verify the installed version of API Platform Core using 'composer show api-platform/core'.\n3. Restart long-running persistent PHP worker processes to purge any compromised cache states from memory.\n\n## References\n\n- [GHSA-pjhx-3c3w-9v23 Security Advisory](https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23)\n- [CVE-2026-49858 authoritative CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-49858)\n- [NVD - CVE-2026-49858 Detailed Report](https://nvd.nist.gov/vuln/detail/CVE-2026-49858)\n- [Fix Git Commit for ItemNormalizers Cache Key Gating](https://github.com/api-platform/core/commit/019fd901225a969b1903e093a1773f26ee551dfc)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49858) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T15:41:54.376580Z"}</description>
      <content:encoded>{"uuid": "67ca58a5-1e7a-4e92-97e1-70b3a07feeba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49858", "type": "seen", "source": "https://gist.github.com/alon710/a56efdb02fd3817ca2ff1035bbcd74e4", "content": "# CVE-2026-49858: CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers\n\n&amp;gt; **CVSS Score:** 5.9\n&amp;gt; **Published:** 2026-07-10\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49858\n\n## Summary\nCVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.\n\n## TL;DR\nUnsafe in-memory caching in API Platform Core's JSON:API and HAL normalizers leaks sensitive properties across different user contexts when running under persistent PHP environments like FrankenPHP or RoadRunner.\n\n## Technical Details\n\n- **CWE ID**: CWE-524\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 5.9 (Medium)\n- **EPSS Score**: 0.00197\n- **Impact**: High Confidentiality Exposure\n- **Exploit Status**: None (No public exploit or PoC)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- API Platform Core\n- api-platform/core\n- api-platform/hal\n- api-platform/json-api\n- **api-platform/core**: &amp;gt;= 4.1.0, &amp;lt; 4.1.29 (Fixed in: `4.1.29`)\n- **api-platform/core**: &amp;gt;= 4.2.0, &amp;lt; 4.2.26 (Fixed in: `4.2.26`)\n- **api-platform/core**: &amp;gt;= 4.3.0, &amp;lt; 4.3.12 (Fixed in: `4.3.12`)\n\n## Mitigation\n\n- Upgrade the API Platform Core package to version 4.1.29, 4.2.26, 4.3.12 or higher.\n- Temporarily disable persistent application workers (FrankenPHP worker mode, Swoole, RoadRunner) and fallback to stateless PHP-FPM runtime environments.\n- Decorate the SerializerContextBuilder to explicitly nullify the cache_key parameter during serialization of HAL and JSON:API formats.\n\n**Remediation Steps:**\n1. Run 'composer update api-platform/core' to pull the latest security patch.\n2. Verify the installed version of API Platform Core using 'composer show api-platform/core'.\n3. Restart long-running persistent PHP worker processes to purge any compromised cache states from memory.\n\n## References\n\n- [GHSA-pjhx-3c3w-9v23 Security Advisory](https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23)\n- [CVE-2026-49858 authoritative CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-49858)\n- [NVD - CVE-2026-49858 Detailed Report](https://nvd.nist.gov/vuln/detail/CVE-2026-49858)\n- [Fix Git Commit for ItemNormalizers Cache Key Gating](https://github.com/api-platform/core/commit/019fd901225a969b1903e093a1773f26ee551dfc)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49858) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T15:41:54.376580Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/67ca58a5-1e7a-4e92-97e1-70b3a07feeba/export</guid>
      <pubDate>Fri, 10 Jul 2026 15:41:54 +0000</pubDate>
    </item>
    <item>
      <title>5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426</title>
      <link>https://vulnerability.circl.lu/sighting/5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426/export</link>
      <description>{"uuid": "5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49851", "type": "published-proof-of-concept", "source": "https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p", "content": "", "creation_timestamp": "2026-07-10T00:35:02.577008Z"}</description>
      <content:encoded>{"uuid": "5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49851", "type": "published-proof-of-concept", "source": "https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p", "content": "", "creation_timestamp": "2026-07-10T00:35:02.577008Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426/export</guid>
      <pubDate>Fri, 10 Jul 2026 00:35:02 +0000</pubDate>
    </item>
    <item>
      <title>f8f579d5-28c9-4654-8372-15a2b2d00d75</title>
      <link>https://vulnerability.circl.lu/sighting/f8f579d5-28c9-4654-8372-15a2b2d00d75/export</link>
      <description>{"uuid": "f8f579d5-28c9-4654-8372-15a2b2d00d75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49851", "type": "seen", "source": "https://gist.github.com/alon710/ac77807be35ab79d5b8543a7caac77a2", "content": "# CVE-2026-49851: CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser\n\n&amp;gt; **CVSS Score:** 7.5\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49851\n\n## Summary\nCVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.\n\n## TL;DR\nAn algorithmic complexity degradation in the Mistune Markdown parser allows unauthenticated remote attackers to exhaust CPU resources and cause a persistent denial of service via malformed nested bracket sequences.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-407\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 7.5 (High)\n- **CVSS v4.0 Score**: 8.7 (High)\n- **Impact**: Denial of Service / CPU Exhaustion\n- **Exploit Status**: PoC available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Mistune Markdown Parser (PyPI Package)\n- **mistune**: &amp;lt; 3.3.0 (Fixed in: `3.3.0`)\n\n## Mitigation\n\n- Upgrade the Mistune dependency to version 3.3.0 or higher.\n- Deploy custom WAF rules to detect and drop payloads with consecutive open brackets.\n- Implement application-level input sanitization to filter or reject abnormal bracket nesting.\n\n**Remediation Steps:**\n1. Identify all python environments utilizing the mistune package.\n2. Execute pip install --upgrade mistune&amp;gt;=3.3.0 in the target environment.\n3. Deploy input inspection middleware to drop inputs containing sequence structures of 30 or more consecutive unmatched brackets.\n\n## References\n\n- [GitHub Security Advisory GHSA-qcq2-496w-v96p](https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p)\n- [National Vulnerability Database record CVE-2026-49851](https://nvd.nist.gov/vuln/detail/CVE-2026-49851)\n- [Red Hat Security Advisory Record](https://access.redhat.com/security/cve/CVE-2026-49851)\n- [Red Hat Bugzilla Bug Tracker](https://bugzilla.redhat.com/show_bug.cgi?id=2492304)\n- [Red Hat Security CSAF VEX File Export](https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49851.json)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49851) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T00:11:46.559459Z"}</description>
      <content:encoded>{"uuid": "f8f579d5-28c9-4654-8372-15a2b2d00d75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49851", "type": "seen", "source": "https://gist.github.com/alon710/ac77807be35ab79d5b8543a7caac77a2", "content": "# CVE-2026-49851: CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser\n\n&amp;gt; **CVSS Score:** 7.5\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49851\n\n## Summary\nCVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.\n\n## TL;DR\nAn algorithmic complexity degradation in the Mistune Markdown parser allows unauthenticated remote attackers to exhaust CPU resources and cause a persistent denial of service via malformed nested bracket sequences.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-407\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 7.5 (High)\n- **CVSS v4.0 Score**: 8.7 (High)\n- **Impact**: Denial of Service / CPU Exhaustion\n- **Exploit Status**: PoC available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Mistune Markdown Parser (PyPI Package)\n- **mistune**: &amp;lt; 3.3.0 (Fixed in: `3.3.0`)\n\n## Mitigation\n\n- Upgrade the Mistune dependency to version 3.3.0 or higher.\n- Deploy custom WAF rules to detect and drop payloads with consecutive open brackets.\n- Implement application-level input sanitization to filter or reject abnormal bracket nesting.\n\n**Remediation Steps:**\n1. Identify all python environments utilizing the mistune package.\n2. Execute pip install --upgrade mistune&amp;gt;=3.3.0 in the target environment.\n3. Deploy input inspection middleware to drop inputs containing sequence structures of 30 or more consecutive unmatched brackets.\n\n## References\n\n- [GitHub Security Advisory GHSA-qcq2-496w-v96p](https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p)\n- [National Vulnerability Database record CVE-2026-49851](https://nvd.nist.gov/vuln/detail/CVE-2026-49851)\n- [Red Hat Security Advisory Record](https://access.redhat.com/security/cve/CVE-2026-49851)\n- [Red Hat Bugzilla Bug Tracker](https://bugzilla.redhat.com/show_bug.cgi?id=2492304)\n- [Red Hat Security CSAF VEX File Export](https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49851.json)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49851) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T00:11:46.559459Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/f8f579d5-28c9-4654-8372-15a2b2d00d75/export</guid>
      <pubDate>Fri, 10 Jul 2026 00:11:46 +0000</pubDate>
    </item>
    <item>
      <title>8da11bc0-16b1-4ed0-b282-eebb6388292b</title>
      <link>https://vulnerability.circl.lu/sighting/8da11bc0-16b1-4ed0-b282-eebb6388292b/export</link>
      <description>{"uuid": "8da11bc0-16b1-4ed0-b282-eebb6388292b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49852", "type": "published-proof-of-concept", "source": "https://github.com/authlib/joserfc/security/advisories/GHSA-gg9x-qcx2-xmrh", "content": "", "creation_timestamp": "2026-07-02T20:35:04.805881Z"}</description>
      <content:encoded>{"uuid": "8da11bc0-16b1-4ed0-b282-eebb6388292b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49852", "type": "published-proof-of-concept", "source": "https://github.com/authlib/joserfc/security/advisories/GHSA-gg9x-qcx2-xmrh", "content": "", "creation_timestamp": "2026-07-02T20:35:04.805881Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/8da11bc0-16b1-4ed0-b282-eebb6388292b/export</guid>
      <pubDate>Thu, 02 Jul 2026 20:35:04 +0000</pubDate>
    </item>
    <item>
      <title>ac0bffe5-c8cc-4049-ab5f-dc83f82311d3</title>
      <link>https://vulnerability.circl.lu/sighting/ac0bffe5-c8cc-4049-ab5f-dc83f82311d3/export</link>
      <description>{"uuid": "ac0bffe5-c8cc-4049-ab5f-dc83f82311d3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49858", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpnxsz3fif2y", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-49858 \u0432 API Platform Core: \u0443\u0433\u0440\u043e\u0437\u044b \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/9D910C08-1BC3-407B-B293-48AC51C1EAB3", "creation_timestamp": "2026-07-02T11:52:41.311051Z"}</description>
      <content:encoded>{"uuid": "ac0bffe5-c8cc-4049-ab5f-dc83f82311d3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49858", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpnxsz3fif2y", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-49858 \u0432 API Platform Core: \u0443\u0433\u0440\u043e\u0437\u044b \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/9D910C08-1BC3-407B-B293-48AC51C1EAB3", "creation_timestamp": "2026-07-02T11:52:41.311051Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/ac0bffe5-c8cc-4049-ab5f-dc83f82311d3/export</guid>
      <pubDate>Thu, 02 Jul 2026 11:52:41 +0000</pubDate>
    </item>
    <item>
      <title>75e3157c-9120-4c6a-8843-cc9fe3b973ef</title>
      <link>https://vulnerability.circl.lu/sighting/75e3157c-9120-4c6a-8843-cc9fe3b973ef/export</link>
      <description>{"uuid": "75e3157c-9120-4c6a-8843-cc9fe3b973ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49857", "type": "published-proof-of-concept", "source": "https://github.com/ymw0407/auth-fetch-mcp/security/advisories/GHSA-pvrj-8cg3-j5f8", "content": "", "creation_timestamp": "2026-07-01T20:35:16.009569Z"}</description>
      <content:encoded>{"uuid": "75e3157c-9120-4c6a-8843-cc9fe3b973ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49857", "type": "published-proof-of-concept", "source": "https://github.com/ymw0407/auth-fetch-mcp/security/advisories/GHSA-pvrj-8cg3-j5f8", "content": "", "creation_timestamp": "2026-07-01T20:35:16.009569Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/75e3157c-9120-4c6a-8843-cc9fe3b973ef/export</guid>
      <pubDate>Wed, 01 Jul 2026 20:35:16 +0000</pubDate>
    </item>
    <item>
      <title>485af4ef-2e4a-4c4d-878a-e9715bc7dc04</title>
      <link>https://vulnerability.circl.lu/sighting/485af4ef-2e4a-4c4d-878a-e9715bc7dc04/export</link>
      <description>{"uuid": "485af4ef-2e4a-4c4d-878a-e9715bc7dc04", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49859", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpgunxo6aw2d", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-49859 \u0432 Deno: \u0443\u0433\u0440\u043e\u0437\u0430 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/AAE9F3B6-608E-42A1-A7BD-B08E6F3C1744", "creation_timestamp": "2026-06-29T16:07:32.460117Z"}</description>
      <content:encoded>{"uuid": "485af4ef-2e4a-4c4d-878a-e9715bc7dc04", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49859", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpgunxo6aw2d", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-49859 \u0432 Deno: \u0443\u0433\u0440\u043e\u0437\u0430 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/AAE9F3B6-608E-42A1-A7BD-B08E6F3C1744", "creation_timestamp": "2026-06-29T16:07:32.460117Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/485af4ef-2e4a-4c4d-878a-e9715bc7dc04/export</guid>
      <pubDate>Mon, 29 Jun 2026 16:07:32 +0000</pubDate>
    </item>
    <item>
      <title>83afe1e3-1598-47ba-b7ce-081ab848cfce</title>
      <link>https://vulnerability.circl.lu/sighting/83afe1e3-1598-47ba-b7ce-081ab848cfce/export</link>
      <description>{"uuid": "83afe1e3-1598-47ba-b7ce-081ab848cfce", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49858", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mnj3tf3oaw2f", "content": "Top 3 CVE for last 7 days:\nCVE-2025-48595: 136 interactions\nCVE-2026-0257: 43 interactions\nCVE-2026-48778: 23 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-49858: 11 interactions\nCVE-2026-20230: 6 interactions\nCVE-2026-10737: 4 interactions\n", "creation_timestamp": "2026-06-05T02:30:47.601272Z"}</description>
      <content:encoded>{"uuid": "83afe1e3-1598-47ba-b7ce-081ab848cfce", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49858", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mnj3tf3oaw2f", "content": "Top 3 CVE for last 7 days:\nCVE-2025-48595: 136 interactions\nCVE-2026-0257: 43 interactions\nCVE-2026-48778: 23 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-49858: 11 interactions\nCVE-2026-20230: 6 interactions\nCVE-2026-10737: 4 interactions\n", "creation_timestamp": "2026-06-05T02:30:47.601272Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/83afe1e3-1598-47ba-b7ce-081ab848cfce/export</guid>
      <pubDate>Fri, 05 Jun 2026 02:30:47 +0000</pubDate>
    </item>
    <item>
      <title>aa01435f-1c85-4a48-ac84-415f5d37e2d8</title>
      <link>https://vulnerability.circl.lu/sighting/aa01435f-1c85-4a48-ac84-415f5d37e2d8/export</link>
      <description>{"uuid": "aa01435f-1c85-4a48-ac84-415f5d37e2d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49858", "type": "seen", "source": "https://bsky.app/profile/soyuka.me/post/3mnhlnpjjpc23", "content": "\ud83d\udd12 API Platform CVE-2026-49858: JSON:API &amp;amp; HAL normalizers cached components across users on long-running runtimes (FrankenPHP, RoadRunner, Swoole).\n\nPatched in 4.1.29 / 4.2.25 / 4.3.8 \u2014 upgrade now.\n\ngithub.com/api-platform...", "creation_timestamp": "2026-06-04T12:08:39.389097Z"}</description>
      <content:encoded>{"uuid": "aa01435f-1c85-4a48-ac84-415f5d37e2d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49858", "type": "seen", "source": "https://bsky.app/profile/soyuka.me/post/3mnhlnpjjpc23", "content": "\ud83d\udd12 API Platform CVE-2026-49858: JSON:API &amp;amp; HAL normalizers cached components across users on long-running runtimes (FrankenPHP, RoadRunner, Swoole).\n\nPatched in 4.1.29 / 4.2.25 / 4.3.8 \u2014 upgrade now.\n\ngithub.com/api-platform...", "creation_timestamp": "2026-06-04T12:08:39.389097Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/aa01435f-1c85-4a48-ac84-415f5d37e2d8/export</guid>
      <pubDate>Thu, 04 Jun 2026 12:08:39 +0000</pubDate>
    </item>
  </channel>
</rss>
