vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch · Saturday 20 June 2026 · End-of-day synthesis · 4 watches · 23 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Microsoft pinned last week's 140-package Mastra AI npm compromise on North Korea's BlueNoroff while the agent stack kept failing in public — a third critical-class Langflow hole now on CISA KEV, fresh cross-tenant breaks in the agent-memory stores, and another MCP-server SSRF and path-traversal cluster.

The agent supply chain didn't get a quieter day — it got a state actor. Microsoft attributed the 140-plus package Mastra AI npm compromise, tracked here since 17 June, to North Korea's Sapphire Sleet / BlueNoroff, turning an opportunistic token-theft into a persistent state campaign.

Underneath the attribution, the week's self-auditing pattern kept running. Langflow shipped its third critical-class hole in a month — a BaseFileComponent arbitrary-file-read that chains to RCE at CVSS 9.6 — on a project already carrying a CISA KEV entry, alongside an unauthenticated upload DoS. The agent-memory stores kept leaking across tenants (stigmem-node's BOLA cluster, network-ai's ungated ApprovalInbox and sandbox-escape bugs), the MCP servers kept under-validating the URLs and paths they fetch (mcp-searxng's unbounded read, mcpvault's non-recursive denylist, appium-mcp's MCP-UI XSS), and OpenBao drew a second wave of namespace-isolation advisories. The bright spot is that nearly all of it is pre-exploitation disclosure with fixes already shipped — the live exceptions are the Langflow KEV entry and, now, the Mastra campaign.

→ Operational priority for the night: if you pulled any Mastra-ecosystem npm package in the compromise window, treat every harvested token as in BlueNoroff's hands — rotate now and hunt for post-compromise TTPs, not just the original dropper — then pin Langflow to the patched release and get it behind authentication, because three criticals and a KEV listing make it hostile-by-default.

18:00 ET · First Watch

Parse Server: LiveQuery discloses object data to a subscriber after an ACL read-access change

Parse Server's LiveQuery keeps streaming an object to a subscriber whose read access was revoked mid-subscription, so an ACL change that should cut off a client doesn't — the live feed leaks data the subscriber is no longer entitled to. Parse Server backs a large install base of mobile and web apps, so this is a real-time confidentiality gap wherever LiveQuery enforces per-object ACLs. Upgrade, and don't treat an ACL revocation as effective against an already-open LiveQuery subscription until you're on the fixed release.

Langflow: logout does not clear the server-side session

Langflow's logout button drops the client token but leaves the server-side session valid, so a captured session survives the user 'logging out'. Minor on its own, but it's the fourth Langflow disclosure on the board today and reinforces the same posture: treat Langflow as hostile-by-default and rely on the proxy/auth layer, not the app's own session handling. Upgrade with the rest of today's Langflow fixes.

Sveltia CMS: stored XSS in Markdown/RichText preview via an unsandboxed same-origin iframe

Sveltia CMS renders Markdown/RichText preview inside a same-origin iframe with no sandbox, so stored content can execute script in the CMS origin. Niche, but the shape is the recurring one — a preview pane that trusts authored content — and an editor with same-origin script execution can reach the CMS session. Upgrade if you run Sveltia for untrusted contributors.

StarCitizenWiki EmbedVideo extension: stored XSS via a malformed src URL

The StarCitizenWiki fork of the MediaWiki EmbedVideo extension allows stored XSS through a malformed embed src when $wgEmbedVideoEnableXSSCheck is relied upon. Low reach beyond MediaWiki installs that use this fork, logged for completeness. Upgrade the extension if you run it; don't depend on the XSS-check flag alone.

12:00 ET · Forenoon Watch

Microsoft attributes the Mastra AI npm compromise (140+ packages) to North Korea's Sapphire Sleet / BlueNoroff

Microsoft has attributed last week's Mastra AI supply-chain attack — the compromise of 140+ npm packages tracked here since 17 Jun — to the North Korean group Sapphire Sleet (BlueNoroff). The attribution moves this from an opportunistic token-theft incident to a state-actor campaign, which raises the odds of follow-on, targeted use of anything those packages exfiltrated rather than a smash-and-grab. If you pulled any Mastra-ecosystem package in the affected window, treat harvested credentials and tokens as in the hands of a persistent actor: rotate now and review for the BlueNoroff post-compromise TTPs, not just the initial dropper.

stigmem-node: cross-tenant BOLA across decay sweep, quarantine review, and right-to-be-forgotten tombstones

`stigmem-node`, a multi-tenant memory store for agents, drew a cluster of cross-tenant BOLA advisories: the decay sweep expires and counts facts across all tenants, the quarantine-review surface exposes and mutates other tenants' quarantined facts, and right-to-be-forgotten tombstones are mis-attributed so deletions suppress reads tenant-blind. Each one breaks the tenant boundary an agent-memory layer exists to enforce — one tenant's facts leak into, or get deleted from, another's. This is the same multi-tenant-isolation failure shape recurring across agent-memory packages this week (cf. EverOS, network-ai); pin to 0.9.0a12 and verify tenant-scoping on every read, sweep, and deletion path.

network-ai: AgentRuntime sandbox path-prefix bypass plus more restore/backup traversal

Beyond this morning's unauthenticated ApprovalInbox, `network-ai` added an `AgentRuntime` sandbox bypass — path-prefix checks let the agent read files outside its configured base directory — alongside further `EnvironmentManager` restore path-traversal and backup symlink-follow variants. The sandbox escape is the notable one: the file-access boundary the runtime advertises doesn't hold under a crafted relative path. Upgrade past 5.12.1 and don't rely on prefix-string comparisons for sandbox containment.

MCPVault: PathFilter denylist not applied to nested restricted directories

`@bitbonsai/mcpvault`'s `PathFilter` denied its restricted directories (`.git`, `.obsidian`, `node_modules`) only at the vault root, so a nested copy of any of them was readable through the MCP server. An MCP file vault whose denylist doesn't recurse leaks exactly the directories it set out to protect — including `.git`. Upgrade to 0.11.5.
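Both the network-ai prefix-string sandbox bypass and the mcpvault root-only denylist are the same mistake in two forms: comparing path strings instead of path components. The following is an added example, not code from either project; the sandbox root, the file names and the `resolve` helper are constructed for illustration, while the three denied directory names are the ones from the advisory.

```python
import os
from pathlib import PurePosixPath

BASE = "/srv/agent/workspace"                        # constructed sandbox root (hypothetical)
DENIED_DIRS = {".git", ".obsidian", "node_modules"}  # the directory names from the advisory

def naive_contained(base: str, requested: str) -> bool:
    # The prefix-string shape: normpath defeats plain "..", but a sibling whose
    # name merely starts with the root ("workspace-private") still passes.
    return os.path.normpath(os.path.join(base, requested)).startswith(base)

def resolve(base: str, requested: str) -> tuple[str, str]:
    """Resolve root and target the same way (".." collapsed, symlinks followed
    where the path exists) so the two are comparable component by component."""
    root = os.path.realpath(base)
    return root, os.path.realpath(os.path.join(root, requested))

def contained(base: str, requested: str) -> bool:
    """Containment by path components: the root must be an ancestor of the
    target, not merely a string prefix of it."""
    root, target = resolve(base, requested)
    return os.path.commonpath([root, target]) == root

def naive_denied(rel_path: str) -> bool:
    # The root-only shape: only the first component is compared, so
    # "docs/.git/config" is served even though ".git" is on the list.
    parts = PurePosixPath(rel_path).parts
    return bool(parts) and parts[0] in DENIED_DIRS

def denied(rel_path: str) -> bool:
    """Recursive denylist: any component matching a restricted directory
    blocks the read, however deeply it is nested."""
    return any(part in DENIED_DIRS for part in PurePosixPath(rel_path).parts)

def allowed(base: str, requested: str) -> bool:
    """Combined policy: inside the sandbox root and not under a denied directory."""
    root, target = resolve(base, requested)
    if os.path.commonpath([root, target]) != root:
        return False
    return not denied(os.path.relpath(target, root))
```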

OpenBao: cross-namespace lease revoke/renew (incomplete fix), unauthorized namespace management, transit crash

A second wave of OpenBao advisories lands after this morning's LDAP-injection item: cross-namespace lease revocation/renewal via the canonical `sys/leases/{revoke,renew}` paths (CVE-2026-55774, an incomplete fix of CVE-2026-45808), unauthorized management of a containing namespace through the System Backend (CVE-2026-55775), and a transit-engine crash on `derived: true` asymmetric key creation (CVE-2026-55776). The namespace-isolation pair is the operationally serious part — in a multi-tenant secrets manager, lease and namespace boundaries are the product. Upgrade to the patched build and audit namespace-scoped lease operations.

SpiceDB: caveated checks can return unconditional permission where conditional was expected

SpiceDB checks involving relations with caveats could resolve to unconditional permission when only a conditional grant was intended (CVE-2026-55866) — an authorization engine handing out more access than the policy describes. The CVSS is low but the blast radius is trust itself: if SpiceDB is your permission system, a check that silently upgrades conditional to unconditional is a quiet authz bypass that won't show up in normal testing. Upgrade to 1.54.0 and re-run policy tests against any caveated relations.

Mailpit: incomplete SSRF protection in Link Check API via IPv6 transition addresses

Mailpit's Link Check API has incomplete SSRF protection — IPv6 transition mechanisms (mapped/translated addresses) slip past the private-address guard (CVE-2026-55187, CVSS 5.8). Mailpit is a dev-environment mail catcher, but it increasingly runs in shared CI, where an SSRF that reaches an internal IPv6 host is a pivot. Upgrade past 1.30.1, and block link-checking outright if Mailpit can see your internal network.
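The guard that fails here checks the outer IPv6 literal against private ranges and never looks at the IPv4 address carried inside a transition address. The following is an added example, not Mailpit's code: it unwraps IPv4-mapped, 6to4, Teredo and NAT64 (RFC 6052 well-known prefix) addresses with the standard library before judging reachability, and assumes hostnames have already been resolved to literals.

```python
import ipaddress

NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 translation prefix

def embedded_ipv4(addr):
    """Return the IPv4 address an IPv6 transition address really points at
    (IPv4-mapped, 6to4, Teredo client, NAT64 well-known prefix), else None."""
    if not isinstance(addr, ipaddress.IPv6Address):
        return None
    if addr.ipv4_mapped is not None:          # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr.sixtofour is not None:            # 2002:aabb:ccdd::/48 carries a.b.c.d
        return addr.sixtofour
    if addr.teredo is not None:               # 2001:0::/32; the client IPv4 sits
        return addr.teredo[1]                 # bit-inverted in the low 32 bits
    if addr in NAT64_WELL_KNOWN:              # 64:ff9b::a.b.c.d
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None

def innermost(host: str) -> str:
    """The address a socket would actually reach, as a string.
    Accepts bracketed IPv6 literals as they appear in URLs."""
    addr = ipaddress.ip_address(host.strip("[]"))
    inner = embedded_ipv4(addr)
    return str(inner if inner is not None else addr)

def allows(host: str) -> bool:
    """Link-check guard: permit only globally routable destinations, judged on
    the innermost address. Checking the outer IPv6 literal alone can miss the
    private IPv4 target carried inside a transition address."""
    try:
        return ipaddress.ip_address(innermost(host)).is_global
    except ValueError:
        return False          # not an IP literal: resolve the hostname first, then re-check
```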

Outerbase Studio: stored XSS in Text Widget escalates to auth-token exposure

Outerbase Studio has a stored XSS in its Text Widget that escalates to authentication-token exposure (CVE-2026-55650). A database GUI that leaks its own session token through a saved dashboard widget turns shared-board access into credential theft. Upgrade past 0.10.2.

06:00 ET · Morning Watch

Langflow: BaseFileComponent nodes give arbitrary file read with an RCE chain (CVSS 9.6)

Every Langflow node built on `BaseFileComponent` — Read File, Docling, Unstructured API, NVIDIA Ingest, Video File — follows a user-controlled file path, giving arbitrary local file read that the advisory chains to remote code execution (CVSS 9.6). In a RAG deployment the file a user 'uploads' is the attack surface: aim a component at a config or key file and read it back out through the flow. This is the third critical-class Langflow disclosure in a month — it is already on CISA KEV for CVE-2025-34291 and picked up the `/api/v1/responses` IDOR yesterday — so treat Langflow as hostile-by-default and pin to the patched release now.

Langflow: unauthenticated DoS via oversized multipart boundary on file upload

`/api/v1/files/upload/` processes multipart form data before any auth check and stalls indefinitely on a pathological boundary (a huge run of hyphens), letting an unauthenticated attacker wedge the app for every user (CVSS 7.5). Same root-cause family as the day's other Langflow issues: the upload path trusts input it shouldn't and runs ahead of authentication. If Langflow is reachable beyond localhost, put it behind auth at the proxy and upgrade.

appium-mcp: unescaped locator data XSS in MCP-UI resource reaches arbitrary tool calls

`appium-mcp`'s `createLocatorGeneratorUI` interpolates attacker-controlled element attributes (`text`, `content-desc`, `resource-id`) straight into an HTML template with no escaping, so an app under test can inject script into the MCP-UI resource returned by `generate_locators` (CVSS 8.2). When the victim's MCP client renders it the script runs and can invoke arbitrary MCP tools via `window.parent` — the UI of the tested app becomes code execution in the operator's client. Upgrade, and treat any rendered MCP-UI resource as untrusted HTML.

mcp-searxng: web_url_read size cap bypassed when Content-Length is absent (unbounded read DoS)

`mcp-searxng`'s `web_url_read` enforces its 5 MiB cap only by reading the `Content-Length` of a preliminary HEAD request, so any server that omits the header sails past the guard and `response.text()` buffers the entire body — unbounded memory/CPU from an attacker-controlled or redirecting URL (CVSS 7.5). This is the second `web_url_read` flaw in mcp-searxng in two days, after yesterday's DNS-rebinding private-host SSRF; the tool fetches attacker-influenced URLs and keeps under-validating them. Patch, and cap the read by bytes streamed rather than by a header you don't control.
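Capping by streamed bytes rather than by a header you don't control, as an added example that is not mcp-searxng's code. The header-only variant shows the bypassable shape; `constructed_body` stands in for a response stream that omits `Content-Length`, and the 5 MiB default is the cap from the advisory.

```python
from typing import Iterable, Iterator, Optional

MAX_BYTES = 5 * 1024 * 1024   # the tool's 5 MiB cap from the advisory

class BodyTooLarge(Exception):
    """Raised as soon as the streamed body would exceed the cap."""

def header_only_read(chunks: Iterable[bytes], content_length: Optional[int],
                     max_bytes: int = MAX_BYTES) -> bytes:
    # The bypassable shape: gate on the declared length, then buffer everything.
    # A server that omits Content-Length (or lies) is never checked again.
    if content_length is not None and content_length > max_bytes:
        raise BodyTooLarge("declared length over cap")
    return b"".join(chunks)

def streamed_read(chunks: Iterable[bytes], content_length: Optional[int],
                  max_bytes: int = MAX_BYTES) -> bytes:
    """Enforce the cap on bytes actually received. Content-Length is only a
    fail-fast hint; the body is counted chunk by chunk regardless."""
    if content_length is not None and content_length > max_bytes:
        raise BodyTooLarge("declared length over cap")
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > max_bytes:
            raise BodyTooLarge(f"body exceeded {max_bytes} bytes after {len(buf)}")
        buf += chunk
    return bytes(buf)

def constructed_body(total: int, chunk: int = 64 * 1024) -> Iterator[bytes]:
    """Constructed stand-in for a response stream with no Content-Length."""
    sent = 0
    while sent < total:
        n = min(chunk, total - sent)
        yield b"x" * n
        sent += n

def within_cap(total: int, content_length: Optional[int], max_bytes: int) -> bool:
    """True if streamed_read accepts a body of `total` bytes under `max_bytes`."""
    try:
        streamed_read(constructed_body(total), content_length, max_bytes)
        return True
    except BodyTooLarge:
        return False
```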

Uni-CLI: legacy HTTP MCP transport accepted browser-originated localhost requests

Uni-CLI before 0.225.2 served the legacy JSON-RPC-over-HTTP MCP transport on loopback without validating the browser `Origin` header, so a malicious web page could send a CORS-simple `text/plain` POST to the local `/mcp` endpoint and drive `tools/call` against the user's running server. The Streamable HTTP transport already enforced the browser-to-localhost boundary; the legacy path had drifted out of sync — the same localhost-MCP-without-origin-validation shape that keeps recurring across agent CLIs. Upgrade to 0.225.2.
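The browser-to-localhost boundary the legacy transport was missing, as an added example that is not Uni-CLI's code. It assumes a hypothetical local port of 7777 and treats a missing `Origin` as a non-browser client; it also refuses CORS-safelisted content types so a browser cannot reach the endpoint without a preflight.

```python
from urllib.parse import urlsplit

LISTEN_PORT = 7777                                     # hypothetical local MCP port
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def origin_allowed(origin, port: int = LISTEN_PORT) -> bool:
    """Browser-to-localhost boundary for a loopback HTTP MCP endpoint.
    No Origin header means a non-browser client (CLI, IDE plugin): allowed.
    An Origin must be an http(s) loopback origin on this server's own port;
    any other value is a web page trying to drive the local server."""
    if origin is None:
        return True
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https"):
        return False                     # covers the opaque "null" origin too
    if parts.path or parts.query or parts.fragment:
        return False                     # an Origin is scheme://host[:port] only
    try:
        return parts.hostname in LOOPBACK_HOSTS and parts.port == port
    except ValueError:                   # malformed port string
        return False

def accept_jsonrpc_post(headers: dict) -> tuple[bool, str]:
    """Gate a JSON-RPC POST before any method dispatch."""
    h = {k.lower(): v for k, v in headers.items()}
    if not origin_allowed(h.get("origin")):
        return False, "forbidden origin"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        # text/plain is a CORS-safelisted type, so a browser sends it with no
        # preflight; requiring application/json forces a preflight that this
        # server never answers with Access-Control-Allow-Origin.
        return False, "unsupported content type"
    return True, "ok"
```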

msgpack for Python: SEGV when an Unpacker is reused after a caught error (DoS)

`msgpack` for Python crashes with a SEGV if an `Unpacker` is reused after an error is caught, so code that reuses a streaming unpacker across untrusted input is a remote DoS (use-after-free, CVSS 7.5, fixed in 1.2.1). msgpack is a deep transitive dependency in many RPC, caching and serialization stacks, so this warrants a dependency sweep rather than a single-app fix. Upgrade to 1.2.1 and discard the Unpacker after any error instead of reusing it.

Gogs: stored XSS in .ipynb rendering via years-outdated notebookjs

Gogs renders Jupyter notebooks with notebookjs 0.4.2 — years behind 0.8.3 and missing its accumulated XSS fixes — so a crafted `.ipynb` in a repository executes script when a user views it. A self-hosted Git server that runs attacker-supplied content on view is the worst place for a stored XSS: any repo carrying notebooks becomes a payload host. Upgrade to a Gogs release that bumps notebookjs, or disable notebook rendering until you can.

network-ai: unauthenticated ApprovalInbox plus backup/restore path-traversal and symlink-follow

The `network-ai` agent runtime drew a cluster of advisories: its `ApprovalInbox` HTTP server has no authentication — anyone who can reach the host can approve pending agent actions — alongside `EnvironmentManager` backup/restore bugs that traverse paths and follow symlinks to read or delete files outside the environment root. The no-auth approval surface is the one that matters: the human-in-the-loop gate meant to stop a runaway agent is itself ungated. Pin to the patched versions and bind the approval server to authenticated localhost only.

OpenBao: LDAP injection in ldaputil via the wrong escaping function

OpenBao's LDAP auth used the wrong escaping helper in `ldaputil`, leaving an LDAP-injection gap in a secrets manager's authentication path (CVSS 6.8). Wrong-escape-function bugs are easy to miss in review and land in exactly the component you least want injectable. Upgrade OpenBao; if you run the upstream Vault fork, check whether the same `ldaputil` path applies there too.

symfony/ux-icons: stored XSS via unsanitized SVG from local files and Iconify on-demand

`symfony/ux-icons` renders SVG from local files and on-demand Iconify responses without sanitizing it, so a poisoned icon source yields stored XSS (CVSS 6.1). Icon libraries feel inert, which is exactly why an untrusted SVG source is an easy oversight in a widely deployed Symfony UX component. Upgrade, and treat Iconify-on-demand as untrusted remote content.

py7zr: decompression-bomb and O(n^2) PackInfo parsing give unauthenticated DoS

Two `py7zr` advisories land together: an unchecked-extraction-size decompression bomb and O(n^2) parsing in `PackInfo._read()`, both unauthenticated DoS against any service that opens user-supplied 7z archives. py7zr shows up across ingestion, malware-scanning and backup pipelines, so the blast radius is wherever you accept archive uploads. Upgrade and enforce an extraction-size cap before unpacking.