This archive includes all published incident pages. Page 5 of 16.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Incident date: February 24, 2026 | Published: February 25, 2026
A denial-of-service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: The use of the fiber_flash cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85 GB of memory via unvalidated msgpack deserialization.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows.
Incident date: February 24, 2026 | Published: February 25, 2026
Impact: Wasmtime's implementation of the WASI host interfaces is susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by guests.
Incident date: February 24, 2026 | Published: February 25, 2026
The affected versions of Wasmtime can panic if the host embedder drops the future returned by wasmtime::component::[Typed]Func::call_async before it resolves. Details: Starting with Wasmtime 39.0.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because strings.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (%xx) it compares against the request's escaped path without lowercasing.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: Two swallowed errors in ClientAuthentication.provision() cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.