// vulnerability research
Vulnerability research for AI-built websites and apps.
Source-grounded notes on vulnerabilities that matter to AI-generated web apps, BaaS stacks, frontend bundles, auth, and dependency security.
I-SQL Injection in Ghost Content API (CVE-2026-26980)
Izinguqulo zesipoki 3.24.0 ukuya ku-6.19.0 ziqukethe ukuba sengozini komjovo we-SQL okubalulekile Kokuqukethwe API. Lokhu kuvumela abahlaseli abangagunyaziwe ukuthi basebenzise imiyalo ye-SQL engagunyaziwe, okungase kuholele ekukhishweni kwedatha noma ekulungisweni okungagunyaziwe.
Lonke ucwaningo
34 articles
Ukwenziwa Kwekhodi Ekude ku-SPIP ngamathegi Wesifanekiso (CVE-2016-7998)
Izinguqulo ze-SPIP 3.1.2 nangaphambili ziqukethe ubungozi kumqambi wesifanekiso. Abahlaseli abagunyaziwe bangalayisha amafayela e-HTML anamathegi acatshangelwe okuthi INCLUDE noma INCLURE ukuze basebenzise ikhodi ye-PHP engafanele kuseva.
I-ZoneMinder Apache Configuration Information Disclosure (CVE-2016-10140)
Izinguqulo ze-ZoneMinder 1.29 kanye no-1.30 zithintwa ukungalungiselelwa kahle kwe-Apache HTTP Server. Leli phutha livumela abahlaseli abakude, abangagunyaziwe ukuthi baphequlule uhla lwemibhalo lwempande yewebhu, okungase kuholele ekudalulweni kolwazi olubucayi kanye nokudlula kokuqinisekisa.
I-Next.js Ukulungiswa Okungalungile Kwesihloko Sokuphepha ku- next.config.js
Next.js izinhlelo zokusebenza ezisebenzisa i-next.config.js zokuphatha unhlokweni zisengozini yokuthola izikhala zokuphepha uma amaphethini okufanisa indlela enganembile. Lolu cwaningo luhlola ukuthi ukungalungiseki kahle kwe-wildcard kanye ne-regex kuholela kanjani ekulahlekeni kwezihloko zokuphepha emizileni ebucayi kanye nendlela yokwenza lukhuni ukumisa.
Ukucushwa Kweheda Yokuvikeleka Okungenele
Izinhlelo zokusebenza zewebhu zivame ukwehluleka ukusebenzisa izihloko zokuphepha ezibalulekile, ezishiya abasebenzisi bechayeke ku-cross-site scripting (XSS), ukuchofoza, kanye nomjovo wedatha. Ngokulandela imihlahlandlela yokuphepha yewebhu emisiwe nokusebenzisa amathuluzi okuhlola njenge-MDN Observatory, onjiniyela bangakwazi ukwenza lukhuni izinhlelo zabo zokusebenza ngokumelene nokuhlasela okuvamile okusekelwe kusiphequluli.
Ukunciphisa I-OWASP Izingozi Eziphezulu Eziyi-10 Ekuthuthukisweni Kwewebhu Okusheshayo
Abaduni be-Indie namaqembu amancane bavame ukubhekana nezinselele zokuphepha ezihlukile lapho kuthunyelwa ngokushesha, ikakhulukazi ngekhodi ekhiqizwe i-AI. Lolu cwaningo lugqamisa izingozi eziphindelelayo ezivela ezigabeni ze-CWE Top 25 kanye ne-OWASP, okuhlanganisa ukulawula ukufinyelela okuphukile nokulungiselelwa okungavikelekile, okuhlinzeka ngesisekelo sokuhlola kokuphepha okuzenzakalelayo.
Ukucushwa Kweheda Ye-HTTP Engavikelekile ku-AI-Generated Applications
Izinhlelo zokusebenza ezikhiqizwa abasizi be-AI ngokuvamile zintula izihloko zokuphepha ezibalulekile ze-HTTP, ezihluleka ukuhlangabezana namazinga okuphepha esimanje. Lokhu kweqiwa kushiya izinhlelo zokusebenza zewebhu zisengozini yokuhlaselwa okuvamile ohlangothini lweklayenti. Ngokusebenzisa amabhentshimakhi afana ne-Mozilla HTTP Observatory, onjiniyela bangakwazi ukuhlonza izivikelo ezingekho njenge-CSP kanye ne-HSTS ukuze bathuthukise ukuvikeleka kohlelo lwabo lokusebenza.
Ukuthola Nokuvimbela Ukuba sengozini Kwe-Cross-Site Scripting (XSS)
I-Cross-Site Scripting (XSS) yenzeka uma uhlelo lokusebenza luhlanganisa idatha engathenjiwe ekhasini lewebhu ngaphandle kokuqinisekisa okufanele noma ukubhala ngekhodi. Lokhu kuvumela abahlaseli ukuthi basebenzise izikripthi ezinonya esipheqululini sesisulu, okuholela ekudunjweni kweseshini, izenzo ezingagunyaziwe, nokuvezwa kwedatha ebucayi.
I-LiteLLM Proxy SQL Injection (CVE-2026-42208)
Ukuba sengozini komjovo we-SQL okubalulekile (CVE-2026-42208) engxenyeni yommeleli we-LiteLLM kuvumela abahlaseli ukuthi badlule ukufakazela ubuqiniso noma bafinyelele ulwazi lwesizindalwazi olubucayi ngokusebenzisa inqubo yokuqinisekisa engukhiye we-API.
Izingozi Zokuphepha Zekhodi Ye-Vibe: Ukuhlola Ikhodi Ye-AI-Eyakhiwe
Ukunyuka 'kokufaka ikhodi ye-vibe'—ukwakha izinhlelo zokusebenza ngokuyinhloko ngokwazisa okusheshayo kwe-AI—kwethula ubungozi obufana nemininingwane enekhodi eqinile namaphethini ekhodi angavikelekile. Ngenxa yokuthi amamodeli e-AI angase aphakamise ikhodi esekelwe kudatha yokuqeqeshwa equkethe ubungozi, okukhiphayo kufanele kuthathwe njengokungathenjiwe futhi kuhlolwe kusetshenziswa amathuluzi okuskena azenzakalelayo ukuze kuvinjelwe ukuvezwa kwedatha.
JWT Ukuphepha: Izingozi Zamathokheni Angavikelekile kanye Nokuqinisekiswa Kwesimangalo Okungekho
I-JSON Web Tokens (JWTs) ihlinzeka ngezinga lokudlulisa izimangalo, kodwa ukuvikeleka kuncike ekuqinisekisweni okuqinile. Ukwehluleka ukuqinisekisa amasiginesha, izikhathi zokuphelelwa yisikhathi, noma izethameli ezihlosiwe kuvumela abahlaseli ukuthi bakweqe ukuqinisekiswa noma ukudlala kabusha amathokheni.
Ukuvikela Ukuthunyelwa kwe-Vercel: Ukuvikelwa kanye Nemikhuba Enhle Kakhulu Yekhanda
Lolu cwaningo luhlola ukulungiselelwa kokuvikeleka kwezinhlelo zokusebenza eziphethwe yi-Vercel, ezigxile Ekuvikelweni Kokuthunyelwa kanye nezihloko ze-HTTP zangokwezifiso. Ichaza ukuthi lezi zici zivikela kanjani izindawo zokubuka kuqala futhi zisebenzisa izinqubomgomo zokuphepha eziseceleni kwesiphequluli ukuvimbela ukufinyelela okungagunyaziwe nokuhlaselwa okuvamile kwewebhu.
Umjovo we-Critical OS Command ku-LibreNMS (CVE-2024-51092)
Izinguqulo ze-LibreNMS ezifika kokungu-24.9.1 ziqukethe ukuba sengozini komjovo womyalo we-OS okubalulekile (CVE-2024-51092). Abahlaseli abagunyaziwe bangasebenzisa imiyalo engafanele kusistimu yokusingatha, okungase kuholele ekulimaleni okuphelele kwengqalasizinda yokuqapha.
I-LiteLLM SQL Injection ku-Proxy API Key Verification (CVE-2026-42208)
Izinguqulo ze-LiteLLM 1.81.16 ukuya ku-1.83.6 ziqukethe ukuba sengozini okubalulekile komjovo we-SQL kulogical yokuqinisekisa yokhiye we-Proxy API. Leli phutha livumela abahlaseli abangagunyaziwe ukuthi badlule izilawuli zokuqinisekisa noma bafinyelele kusizindalwazi esingaphansi. Inkinga ixazululwe kunguqulo 1.83.7.
I-Firebase Imithetho Yokuphepha: Ukuvimbela Ukuchayeka Kwedatha Okungagunyaziwe
I-Firebase Imithetho Yokuvikela iyisivikelo esiyinhloko sezinhlelo zokusebenza ezingenasiphakeli ezisebenzisa i-Firestore ne-Cloud Storage. Uma le mithetho ivumela kakhulu, njengokuvumela ukufinyelela kokufunda noma ukubhala emhlabeni wonke ekukhiqizweni, abahlaseli bangakwazi ukweqa uhlelo lokusebenza oluhlosiwe ukuze bantshontshe noma basuse idatha ebucayi. Lolu cwaningo luhlola ukungalungiselelwa kahle okuvamile, ubungozi bokuzenzakalelayo 'kwemodi yokuhlola', kanye nendlela yokuqalisa ukulawula ukufinyelela okusekelwe kubunikazi.
Ukuvikelwa kwe-CSRF: Ukuvikela Ezinguqukweni Zezifunda Ezingagunyaziwe
I-Cross-Site Request Forgery (CSRF) isalokhu iwusongo olukhulu ezinhlelweni zokusebenza zewebhu. Lolu cwaningo luhlola ukuthi izinhlaka zesimanje ezifana ne-Django zikusebenzisa kanjani ukuvikela nokuthi izibaluli zezinga lesiphequluli ezifana ne-SameSite zinikeza kanjani ukuzivikela ngokujulile ezicelweni ezingagunyaziwe.
I-API Uhlu Lokuhlola Lokuphepha: Izinto eziyi-12 Okufanele Uzihlole Ngaphambi Kokuba Bukhoma
Ama-API awumgogodla wezinhlelo zokusebenza zewebhu zesimanje kodwa avame ukuntula ukuqina kokuphepha kwama-frontends ajwayelekile. Lesi sihloko socwaningo siveza uhlu lokuhlola olubalulekile lokuvikela ama-API, olugxile ekulawuleni ukufinyelela, umkhawulo wesilinganiso, kanye nokwabelana ngezisetshenziswa ezisuka kwezinye (CORS) ukuze kuvinjelwe ukuphulwa kwedatha kanye nokuhlukumeza isevisi.
I-API Ukuvuza Okubalulekile: Izingozi Nokulungiswa Kwezinhlelo Zokusebenza Zewebhu Zesimanje
Izimfihlo ezinamakhodi aqinile kukhodi engaphambili noma umlando wekhosombe zivumela abahlaseli ukuba bazenze amasevisi, bafinyelele idatha eyimfihlo, futhi babhekane nezindleko. Lesi sihloko sihlanganisa izingozi zokuvuza okuyimfihlo kanye nezinyathelo ezidingekayo zokuhlanza nokuvimbela.
I-CORS Ukungalungiselelwa kahle: Izingozi Zezinqubomgomo Ezivumela Ngokudlulele
I-Cross-Origin Resource Sharing (CORS) iwumshini wokuphequlula oklanyelwe ukuphumuza i-Same-Origin Policy (SOP). Nakuba kudingekile ezinhlelweni zokusebenza zewebhu zesimanje, ukusebenzisa okungafanele—njengokunanela isihloko esithi Umsuka womfakisicelo noma ukugunyaza umsuka ‘ongenalutho’—kungavumela amasayithi anonya ukuthi akhiphe idatha yomsebenzisi eyimfihlo.
Ukuvikela i-MVP: Ukuvimbela Ukuvuza Kwedatha ku-AI-Generated SaaS Apps
Izinhlelo zokusebenza ze-SaaS ezithuthukiswe ngokushesha zivame ukuhlupheka ngenxa yokwengamela okubalulekile kwezokuphepha. Lolu cwaningo luhlola ukuthi izimfihlo eziputshuziwe nezilawuli zokufinyelela eziphukile, ezifana nokushoda Kwezinga Lokuphepha Lomugqa (RLS), kudala ubungozi obunamandla kuzitaki zewebhu zesimanje.