VulncastBriefing archive

Daily Brief - 2026-06-22

4 vulnerabilities · 5 min listen


CVE-2026-56265

critical · CVSS 9.8 · Crawl4AI Crawl4AI

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.

  • Authentication Bypass
  • web application
  • api
  • docker

CVE-2026-56378

low · CVSS 3.7 · ImageMagick ImageMagick

ImageMagick before 7.1.2-15 (and 6.x before 6.9.13-40) contains a heap out-of-bounds read in the PCD coder's DecodeImage loop. A crafted PCD file can trigger a one-byte heap out-of-bounds read during image decoding, resulting in denial of service and potential disclosure of an adjacent heap byte.

  • Out-Of-Bounds Read
  • Information Disclosure
  • image processing

CVE-2026-56382

high · CVSS 7.2 · Craft CMS Craft CMS

Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.

  • Remote Code Execution
  • web application
  • php

CVE-2026-56406

medium · CVSS 6.9 · libexpat libexpat

libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because that function lacks a check that is present in XML_Parse.

  • Integer Overflow
  • xml parser
  • c library