Threat Modeling and Security by Design

Arch Linux AUR Supply Chain Compromise — A massive supply chain attack has compromised over 400 packages in the Arch User Repository (AUR), distributing a Linux rootkit combined with infostealer malware. The malware targets sensitive credentials, access tokens, and SSH keys from compromised systems. All organizations and individuals using Arch-based systems with AUR packages should audit their environments immediately. What Happened In June 2026,…

VMware Tanzu has published a coordinated security advisory covering eight new vulnerabilities across multiple Spring ecosystem modules. The affected projects include Spring Integration (1 CVE), Spring Web Services (4 CVEs), Spring Web Flow (2 CVEs), and Spring Boot (1 CVE). The vulnerabilities span arbitrary file writes, authentication and signature bypasses, expression language injection, cross-site scripting, hostname verification weaknesses, weak cryptographic defaults, and replay attack…

GitLab Security Advisory — June 2026 (Second Release) 4 New CVEs | CVSS Range: 5.3 – 7.5 | All fixed in GitLab 18.10.8, 18.11.5, and 19.0.2 This is the second GitLab security release this period, following the June 11 advisory covering 8 CVEs. The combined total now stands at 12 CVEs for this release cycle. GitLab has published a supplemental security advisory addressing 4…

CVE: CVE-2026-8464 | CVSS 4.0: 8.3 (HIGH) | CWE: CWE-22 | Vendor: Golem | Product: Golem OEE MES | Affected versions: < 11.6.0 What Is the Vulnerability CVE-2026-8464 is a high-severity path traversal vulnerability in the Golem OEE MES (Overall Equipment Effectiveness Manufacturing Execution System) that allows unauthenticated attackers on the local network to read arbitrary files from the server operating system. The vulnerability…

CVE: CVE-2026-10795 | CVSS 3.1: 8.1 (HIGH) | CWE: CWE-306 | Vendor: UpdraftPlus | Product: UpdraftPlus: WP Backup & Migration Plugin | Affected versions: ≤ 1.26.4 | Installations: 3+ million What Is the Vulnerability UpdraftPlus includes a remote communications (RPC) protocol that allows authenticated remote control of the plugin’s backup, restore, and migration functions. This protocol relies on cryptographic signature verification to authenticate incoming…

CVE-2026-11561 is a critical vulnerability in Soagen Apinizer, an API management platform, with a CVSS score of 9.8 (CRITICAL). Classified under CWE-917: Expression Language Injection, this flaw affects Apinizer versions 2026.04.0 through 2026.04.5. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code on the Apinizer server, leading to complete system compromise. What Is the Vulnerability This is an Expression Language (EL) injection…