
Persistent XSS/RCE using WebSockets in Storybook's dev server

Aikido Attack, our AI pentest product, found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. Storybook's WebSocket server has no authentication or access control, so if the dev server is publicly accessible, an attacker can exploit this without any user interaction at all. In the more common local setup, a developer just has to visit the wrong website while Storybook is running.

Stove Off, Windows Closed: What CMDB Accuracy Has to Do with Home Security

Have you ever left your home without checking if all the windows were closed? And have you ever sat in the office wondering whether you turned off the stove? When it comes to our own homes, most of us care a lot about safety. But what about corporate IT? Have you turned off the virtual stove and secured all doors and windows against unauthorized access? Do you even know how many doors and windows exist in your IT environment?

AI on the Radar: Securing AI Driven Development

Join Vandana and Rob in this insightful webinar exploring the rapidly evolving landscape of AI security. As we shift from simple query-response models to complex autonomous agents that can plan, execute code, and access sensitive APIs, the traditional security "locks" are no longer sufficient. This session dives deep into the OWASP AI Exchange, a community-driven initiative providing practical guidance and technical controls for securing AI systems.

CVE-2026-27825: Critical Unauthenticated RCE and SSRF in mcp-atlassian

On February 24, 2026, sooperset, the mcp-atlassian project maintainer, released fixes for a critical vulnerability in mcp-atlassian, tracked as CVE-2026-27825. The flaw arises from missing directory confinement and inadequate path traversal validation in the Confluence attachment download tools, which could allow a remote (network-adjacent), unauthenticated threat actor to write files to arbitrary paths, enabling local privilege escalation and remote code execution.

CVE-2026-20127: In-Depth Analysis of the Cisco Catalyst SD-WAN Authentication Bypass Vulnerability

Software-defined wide area networking (SD-WAN) has transformed enterprise infrastructure, enabling dynamic connectivity between sites with centralized management and control. But when the control plane itself becomes vulnerable, network integrity is no longer a given.

React2Shell (CVSS 10.0): Patch React & Next.js NOW | Unauth RCE Explained

A maximum-severity vulnerability is hitting React Server Components, and if you're running Next.js, you may be vulnerable by default. React disclosed CVE-2025-55182, nicknamed React2Shell, an unauthenticated remote code execution (CVSS 10.0) affecting React Server Components via the Flight protocol. Next.js tracks the downstream exposure as CVE-2025-66478, which means internet-wide scanning is likely. Who's affected?