Critical Authentication and Deserialization Flaws Disclosed
Critical authentication bypass flaws in Traefik and deserialization vulnerabilities in Apache MINA and MixPHP demand immediate attention from security teams.
Traefik has disclosed critical authentication bypass vulnerabilities affecting its ForwardAuth and snippet-based authentication middleware, tracked as CVE-2026-39858 and CVE-2026-35051. These flaws allow attackers to circumvent security controls, potentially leading to unauthorized access to protected backend services. The issues are present in versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2. Because Traefik serves as a primary reverse proxy and load balancer in many modern infrastructure stacks, these vulnerabilities pose a significant risk to perimeter security. Administrators should prioritize upgrading to the patched versions immediately to mitigate the risk of unauthorized access.
Apache MINA is affected by two critical deserialization vulnerabilities, CVE-2026-42779 and CVE-2026-42778, resulting from incomplete patches for previous security issues in the 2.1.X and 2.2.X branches. These flaws involve the AbstractIoBuffer.resolveClass() and AbstractIoBuffer.getObject() methods, which fail to properly validate classes during deserialization. An attacker could exploit these weaknesses to achieve remote code execution by providing crafted serialized objects. Because Apache MINA is a foundational library for many Java-based networking applications, the impact of these vulnerabilities is widespread. Users are urged to verify their dependency versions and apply the latest updates provided by the Apache project.
The MixPHP Framework is vulnerable to unsafe deserialization in versions 2.x through 2.2.17, as detailed in CVE-2026-42473 and CVE-2026-42472. The framework's session and cache handlers utilize the PHP unserialize() function on data retrieved from the filesystem or Redis without sufficient sanitization. This pattern allows an attacker who can influence the stored data to trigger arbitrary code execution within the application context. Given that these handlers are core components of the framework, this represents a critical risk for any application relying on MixPHP for session management or caching. Developers should move to update their framework versions or implement strict validation for all serialized data.
Several critical vulnerabilities have been identified in WordPress plugins, including authentication bypass and arbitrary file upload flaws. The User Verification by PickPlugins plugin (CVE-2026-7458) uses a loose PHP comparison operator to validate OTP codes, allowing attackers to bypass authentication entirely. Additionally, the User Registration Advanced Fields plugin (CVE-2026-4882) is susceptible to arbitrary file uploads due to a lack of file type validation in its AJAX handler. These vulnerabilities are frequently targeted by automated scanners, making them high-priority items for site administrators. Users should audit their plugin installations and ensure all components are updated to the latest secure versions.
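To illustrate the loose-comparison problem described for the OTP check, the following is an added example, not the plugin's own code (whose exact logic is not reproduced here): it contrasts a `==` comparison with a strict, constant-time one. The stored code and the probe values are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed stored OTP, as a hypothetical verification routine might keep it.
// It is a numeric string in the "0e..." form, which PHP evaluates as zero.
const STORED_OTP = '0e482913';

// Vulnerable pattern: '==' applies PHP type juggling. Two numeric strings are
// compared as numbers, and a string compared with a bool is cast to bool, so
// values other than the real code can satisfy the check.
function verify_otp_loose(string $stored, mixed $submitted): bool
{
    return $submitted == $stored;
}

// Hardened pattern: accept only a string, then compare with hash_equals(),
// which is strict (no juggling) and runs in constant time.
function verify_otp_strict(string $stored, mixed $submitted): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Constructed probe inputs: only the first one is the real code.
$probes = [
    '0e482913', // the genuine OTP
    '0e000000', // a different "0e..." string: 0 == 0 under loose comparison
    '0',        // plain numeric string zero
    true,       // a JSON request body can carry a bool; "non-empty" == true
];

foreach ($probes as $p) {
    printf(
        "%-12s loose=%-5s strict=%s\n",
        var_export($p, true),
        var_export(verify_otp_loose(STORED_OTP, $p), true),
        var_export(verify_otp_strict(STORED_OTP, $p), true)
    );
}
```

Running this on PHP 8 shows the loose check returning true for all four probes while the strict check accepts only the genuine code, which is the behaviour a patched OTP handler should exhibit.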
Hashcat, the widely used password recovery tool, is impacted by multiple critical buffer overflow vulnerabilities in version 7.1.2, specifically CVE-2026-42484, CVE-2026-42483, and CVE-2026-42482. These flaws exist in the PKZIP hash parser, Kerberos hash parser, and the rule engine's mangle functions, respectively. An attacker providing a maliciously crafted hash or rule file could trigger a heap or stack-based buffer overflow, potentially leading to a crash or arbitrary code execution. While Hashcat is typically run locally, these vulnerabilities could be exploited in environments where Hashcat is integrated into automated processing pipelines or web-based interfaces. Users should update to the latest version to address these memory safety issues.