https://iasquad.ai/en/ What changed, who it affects, what to do today. en https://iasquad.ai/en/js/eslint/eslint-10-5-0-released/ https://iasquad.ai/en/js/eslint/eslint-10-5-0-released/ js Sat, 13 Jun 2026 09:04:32 GMT ESLint version 10.5.0 is now available. This is an AST-based pattern checker for JavaScript. https://iasquad.ai/en/js/tailwindcss/tailwindcss-4-3-1-released/ https://iasquad.ai/en/js/tailwindcss/tailwindcss-4-3-1-released/ js Sat, 13 Jun 2026 09:04:25 GMT Release of tailwindcss version 4. https://iasquad.ai/en/php/grumpydictator-firefly-iii/firefly-iii-stored-xss-piggy-bank-names/ https://iasquad.ai/en/php/grumpydictator-firefly-iii/firefly-iii-stored-xss-piggy-bank-names/ php Sat, 13 Jun 2026 09:04:18 GMT Stored XSS vulnerability: piggy bank names are rendered unsanitized in audit log views, allowing arbitrary JavaScript execution. https://iasquad.ai/en/js/langchain-langgraph-checkpoint-mongodb/langgraph-checkpoint-mongodb-nosql-injection-fix/ https://iasquad.ai/en/js/langchain-langgraph-checkpoint-mongodb/langgraph-checkpoint-mongodb-nosql-injection-fix/ js Sat, 13 Jun 2026 09:04:10 GMT A NoSQL injection vulnerability in MongoDBSaver where checkpoint identifier fields from config. https://iasquad.ai/en/js/budibase/budibase-executequery-ssrf-automation/ https://iasquad.ai/en/js/budibase/budibase-executequery-ssrf-automation/ js Sat, 13 Jun 2026 09:04:01 GMT The executeQuery automation step accepts a queryId from inputs and passes it to the query execution controller without validation, enabling SSRF when combined w https://iasquad.ai/en/js/budibase-backend-core/budibase-backend-core-csrf-bypass-unanchored-route-regex/ https://iasquad.ai/en/js/budibase-backend-core/budibase-backend-core-csrf-bypass-unanchored-route-regex/ js Sat, 13 Jun 2026 09:03:52 GMT The buildMatcherRegex() and matches() functions in packages/backend-core/src/middleware/matchers. https://iasquad.ai/en/python/pypdf/pypdf-vulnerability-large-memory-usage-layout-mode/ https://iasquad.ai/en/python/pypdf/pypdf-vulnerability-large-memory-usage-layout-mode/ python Sat, 13 Jun 2026 09:03:34 GMT A vulnerability in pypdf allows an attacker to craft a PDF that leads to large memory usage when extracting text in layout mode with large character offsets. https://iasquad.ai/en/python/pypdf/pypdf-denial-of-service-crafted-cross-reference-stream/ https://iasquad.ai/en/python/pypdf/pypdf-denial-of-service-crafted-cross-reference-stream/ python Sat, 13 Jun 2026 09:03:26 GMT A security vulnerability in pypdf allows crafted PDFs with cross-reference streams using /W [0 0 0] and large /Size values to cause long runtimes, leading to po https://iasquad.ai/en/python/tornado/tornado-buffer-overread-websocket-mask/ https://iasquad.ai/en/python/tornado/tornado-buffer-overread-websocket-mask/ python Sat, 13 Jun 2026 09:03:18 GMT Tornado's optional native extension `tornado. https://iasquad.ai/en/php/typo3-html-sanitizer/typo3-html-sanitizer-whitespace-variant-closing-tags-bypass/ https://iasquad.ai/en/php/typo3-html-sanitizer/typo3-html-sanitizer-whitespace-variant-closing-tags-bypass/ php Sat, 13 Jun 2026 09:03:09 GMT When ALLOW_INSECURE_RAW_TEXT is enabled, the sanitizer fails to recognize whitespace-variant closing tags (e. https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-xss-in-indexed-search/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-xss-in-indexed-search/ php Sat, 13 Jun 2026 09:03:01 GMT Cross-Site Scripting vulnerability in Indexed Search plugin: page titles with HTML markup are stored in search index without sanitization and rendered without o https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-missing-read-permission-check-in/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-missing-read-permission-check-in/ php Sat, 13 Jun 2026 09:02:54 GMT Backend users could insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, allowing unauthorized information gatheri https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-missing-permission-checks-backend-api/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-missing-permission-checks-backend-api/ php Sat, 13 Jun 2026 09:02:46 GMT Authenticated backend users could retrieve file metadata via Backend API routes without proper permission checks, allowing access to files outside their permitt https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-path-allowance-check-bypass/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-path-allowance-check-bypass/ php Sat, 13 Jun 2026 09:02:38 GMT The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret. https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-variablefrontend-registry-php-object-injection/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-variablefrontend-registry-php-object-injection/ php Sat, 13 Jun 2026 09:02:30 GMT VariableFrontend and Registry now deserialize PHP payloads with integrity validation and class restrictions, preventing PHP Object Injection. https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-move-record-permission-bypass/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-move-record-permission-bypass/ php Sat, 13 Jun 2026 09:02:22 GMT Backend users could move records to a different page without edit permissions on the source page. https://iasquad.ai/en/php/typo3-html-sanitizer/typo3-html-sanitizer-namespace-attribute-encoding-bypass/ https://iasquad.ai/en/php/typo3-html-sanitizer/typo3-html-sanitizer-namespace-attribute-encoding-bypass/ php Sat, 13 Jun 2026 09:02:14 GMT Namespace attributes are not encoded correctly during HTML serialization, allowing bypass of the cross-site scripting prevention mechanism in typo3/html-sanitizer before version 2. https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-open-redirect-sanitizelocalurl/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-open-redirect-sanitizelocalurl/ php Sat, 13 Jun 2026 09:02:06 GMT Applications using GeneralUtility::sanitizeLocalUrl are vulnerable to open redirect attacks if the URL is used after sanitization. https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-recycler-privilege-escalation/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-recycler-privilege-escalation/ php Sat, 13 Jun 2026 09:01:59 GMT Backend users with Recycler module access could restore soft-deleted records on unauthorized pages or tables. https://iasquad.ai/en/js/esbuild/esbuild-dev-server-path-traversal-windows/ https://iasquad.ai/en/js/esbuild/esbuild-dev-server-path-traversal-windows/ js Sat, 13 Jun 2026 09:01:51 GMT The esbuild development server on Windows has a path traversal vulnerability. https://iasquad.ai/en/js/fabric/fabric-js-xss-gradient-colorstops-tosvg/ https://iasquad.ai/en/js/fabric/fabric-js-xss-gradient-colorstops-tosvg/ js Sat, 13 Jun 2026 09:01:43 GMT A Cross-Site Scripting (XSS) vulnerability was discovered in Fabric. https://iasquad.ai/en/js/budibase-server/budibase-server-ssrf-vulnerability/ https://iasquad.ai/en/js/budibase-server/budibase-server-ssrf-vulnerability/ js Sat, 13 Jun 2026 09:01:34 GMT OAuth2 token fetch in packages/server/src/sdk/workspace/oauth2/utils. https://iasquad.ai/en/js/budibase-server/budibase-server-unauthenticated-webhook-schema-update/ https://iasquad.ai/en/js/budibase-server/budibase-server-unauthenticated-webhook-schema-update/ js Sat, 13 Jun 2026 09:01:17 GMT The webhook schema-building endpoint at POST /api/webhooks/schema/:instance/:id is incorrectly bypassed by authorization middleware, allowing unauthenticated us https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-unauthorized-file-download-fallback-storage/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-unauthorized-file-download-fallback-storage/ php Sat, 13 Jun 2026 09:00:57 GMT Backend users with file download permissions could download files from the fallback storage of the file abstraction layer (FAL) via the Media Module, potentiall https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-file-upload-bypass-sql-injection/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-file-upload-bypass-sql-injection/ php Sat, 13 Jun 2026 09:00:50 GMT Backend users with file write permissions can upload form definition files with mixed-case extensions (e. https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-form-framework-sql-injection/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-form-framework-sql-injection/ php Sat, 13 Jun 2026 09:00:42 GMT Backend users with write access to the form_definition table can bypass Form Framework's persistence validation and permission checks via DataHandler, allowing https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-missing-authorization-check-file-mounts/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-missing-authorization-check-file-mounts/ php Sat, 13 Jun 2026 09:00:36 GMT Non-privileged backend users with file mount access could perform write operations (move, delete, rename) on root folders of active file mounts due to missing a https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-form-framework-file-inclusion/ https://iasquad.ai/en/php/typo3-cms-core/typo3-cms-core-form-framework-file-inclusion/ php Sat, 13 Jun 2026 09:00:28 GMT Backend users with Form Framework access could use files not ending in . https://iasquad.ai/en/js/esbuild/esbuild-deno-binary-integrity/ https://iasquad.ai/en/js/esbuild/esbuild-deno-binary-integrity/ js Sat, 13 Jun 2026 09:00:20 GMT The esbuild Deno module (lib/deno/mod. https://iasquad.ai/en/php/laravel-news/laracon-us-2026-speaker-lineup-announced/ https://iasquad.ai/en/php/laravel-news/laracon-us-2026-speaker-lineup-announced/ php Fri, 12 Jun 2026 09:03:03 GMT Laracon US 2026 announced its full speaker lineup for July 28-29 in Boston, including Taylor Otwell, Aaron Francis, Nuno Maduro, and Kent C.