The day's spine is File Browser. The week-long disclosure run that opened with a single share-link bug crested this afternoon with six more advisories dropped together, the maintainers visibly choosing to empty the queue in one batch rather than drip-feed it.
The set is a guided tour of one codebase's blind spots: an unauthenticated public-share rebasing leak (CVE-2026-54091) that exposes files the owner explicitly blocked, a one-request login DoS that crashes the container, a Windows zip-slip that turns a downloaded archive into arbitrary file write, symlink escapes past the per-user scope, and a formal re-disclosure of the command-execution allowlist bypass — a feature the project disabled by default back in 2.33.8 and is now burying for good. Off to the side, esbuild took an 8.1: its Deno module fetches the native binary with no SHA-256 check (the Node installer has one, the Deno path never did), so anyone who can set NPM_CONFIG_REGISTRY in CI earns build-time code execution, and the Radius controller's confused-deputy container delete plus a second Fleet ORDER BY oracle round out a day whose through-line is trusted inputs evaluated against the wrong boundary. The bright spot is the File Browser team's own posture — defaulting the dangerous command-exec feature off and disclosing the whole class at once is the responsible shape for a queue this size.
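Two of the File Browser items above, the Windows zip-slip and the symlink escape past the per-user scope, are the same mistake seen twice: a containment check done lexically, or against the wrong boundary. As an added example (not File Browser's code), here is how a Go extractor would validate an archive entry name, treating backslashes as separators even on Linux, which is exactly where a Windows-only zip-slip hides from a Linux test suite, and how a per-user scope check should resolve symlinks before comparing paths. The names SafeArchivePath and WithinScope, and the sample entries in main, are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when a candidate path would land outside the root.
var ErrEscape = errors.New("path escapes root")

// SafeArchivePath maps an archive entry name onto a destination directory.
// It treats both '/' and '\' as separators (as a Windows extractor would), so
// an entry like `..\..\evil.exe` is caught even when this runs on Linux, where
// filepath.Clean would leave it as one odd but harmless-looking filename.
// Absolute paths, drive letters (`C:`), UNC prefixes and any `..` that climbs
// above the root are rejected.
func SafeArchivePath(root, entry string) (string, error) {
	name := strings.ReplaceAll(entry, `\`, "/")
	if name == "" || strings.HasPrefix(name, "/") {
		return "", ErrEscape
	}
	// Windows drive letters: `C:/...` or `C:...` after normalization.
	if len(name) >= 2 && name[1] == ':' {
		return "", ErrEscape
	}
	// Walk the components ourselves: a `..` that dips below the root is an
	// error, not something to be silently clamped by Clean.
	depth := 0
	for _, part := range strings.Split(name, "/") {
		switch part {
		case "", ".":
			continue
		case "..":
			depth--
			if depth < 0 {
				return "", ErrEscape
			}
		default:
			depth++
		}
	}
	cleanRoot := filepath.Clean(root)
	dest := filepath.Join(cleanRoot, filepath.FromSlash(name))
	// Belt and braces: the joined result must still sit under the root.
	rel, err := filepath.Rel(cleanRoot, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return dest, nil
}

// WithinScope reports whether requested, after every symlink on the way has
// been resolved, still lies inside the per-user scope directory. A lexical
// prefix check is not enough: a symlink created inside the scope can point
// anywhere on disk. Both paths must exist for EvalSymlinks to resolve them.
func WithinScope(scope, requested string) (bool, error) {
	realScope, err := filepath.EvalSymlinks(scope)
	if err != nil {
		return false, err
	}
	realReq, err := filepath.EvalSymlinks(requested)
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(realScope, realReq)
	if err != nil {
		return false, err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false, nil
	}
	return true, nil
}

func main() {
	// Constructed sample entry names; the root is a throwaway directory.
	root := filepath.Join(os.TempDir(), "extract-demo")
	for _, entry := range []string{
		"docs/readme.txt",
		`..\..\Windows\evil.exe`,
		"C:/Windows/evil.exe",
		"a/../../etc/passwd",
	} {
		if dest, err := SafeArchivePath(root, entry); err != nil {
			fmt.Printf("REJECT %q: %v\n", entry, err)
		} else {
			fmt.Printf("accept %q -> %s\n", entry, dest)
		}
	}
}
```

The component walk is what distinguishes this from a plain `filepath.Join` + prefix test: `a/../b.txt` is accepted and lands on `root/b.txt`, while `a/../../b.txt` is rejected outright rather than being clamped to the root and silently overwriting something there.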
→ Operational priority for the night: if you run File Browser anywhere internet-facing, upgrade past 2.63.13 now (the unauthenticated public-share leak and the one-packet login DoS need no credentials), confirm the command-execution feature is off, then bump esbuild to 0.28.1 in any Deno-based build.
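On the esbuild point, what the Deno path lacked was verification before install. As an added example (not esbuild's installer, and not its digest table) here is the shape such a step should take: hash the artifact as it streams to a temporary file, compare against a pinned per-platform SHA-256 in constant time, and only then make it executable and move it into place, so a mismatch leaves nothing runnable behind. The pinnedDigests table, InstallVerified and the sample payloads are constructed for this illustration; the pinned value is simply sha256("abc").

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ErrDigestMismatch is returned when the fetched bytes do not match the pin.
var ErrDigestMismatch = errors.New("artifact digest mismatch")

// pinnedDigests stands in for the per-platform SHA-256 table a release
// process ships alongside its installer. Constructed for this example: the
// value is the digest of the sample payload "abc", not of any real binary.
var pinnedDigests = map[string]string{
	"linux-x64": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

// InstallVerified streams src into a temporary file inside destDir, hashing
// as it goes, and renames it to destDir/name only if the digest equals the
// pin for platform. An unknown platform, a read error or a mismatch leaves
// no executable behind: the partial file is removed on every failure path.
func InstallVerified(src io.Reader, destDir, name, platform string) (string, error) {
	want, ok := pinnedDigests[platform]
	if !ok {
		return "", fmt.Errorf("no pinned digest for %q", platform)
	}
	wantRaw, err := hex.DecodeString(want)
	if err != nil {
		return "", err
	}
	tmp, err := os.CreateTemp(destDir, name+".partial-*")
	if err != nil {
		return "", err
	}
	tmpName := tmp.Name()
	// After a successful rename this Remove fails harmlessly; on any early
	// return it cleans up the partial download.
	defer os.Remove(tmpName)

	h := sha256.New()
	if _, err := io.Copy(io.MultiWriter(tmp, h), src); err != nil {
		tmp.Close()
		return "", err
	}
	if err := tmp.Close(); err != nil {
		return "", err
	}
	if subtle.ConstantTimeCompare(h.Sum(nil), wantRaw) != 1 {
		return "", ErrDigestMismatch
	}
	// Only a verified artifact is made executable and given its final name.
	if err := os.Chmod(tmpName, 0o755); err != nil {
		return "", err
	}
	dest := filepath.Join(destDir, name)
	if err := os.Rename(tmpName, dest); err != nil {
		return "", err
	}
	return dest, nil
}

func main() {
	dir, err := os.MkdirTemp("", "install-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed payloads: "abc" matches the pin, "abd" simulates a
	// registry serving a tampered file.
	for _, payload := range []string{"abc", "abd"} {
		dest, err := InstallVerified(bytes.NewReader([]byte(payload)), dir, "tool", "linux-x64")
		if err != nil {
			fmt.Printf("payload %q: REJECTED (%v)\n", payload, err)
			continue
		}
		fmt.Printf("payload %q: installed at %s\n", payload, dest)
	}
}
```

The ordering matters more than the hash call itself: the file is written under a temporary name, verified, and only then renamed, so there is never a window in which an unverified artifact sits at the path a build step would execute.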