VYPR
AI Brief · 2026-06-28 · generated Jun 28, 2026

What you need to know today.

Podman environment variable injection leads today's disclosures, alongside Echo framework path-traversal and socat heap overflow.

CVE-2026-57231 · Podman environment variable injection. A container image that defines an environment variable with only a key and no value can trick Podman (versions 1.8.1 through 5.8.4) into leaking that variable from the host into the container. This is a subtle but dangerous information-disclosure vector: an attacker who can supply a crafted container image — or trick a user into pulling one — can exfiltrate host environment variables that may contain API keys, secrets, or configuration data. The fix is available in Podman 5.8.4 and later. Given Podman's widespread use in CI/CD pipelines and Kubernetes-adjacent deployments, teams should prioritize upgrading any Podman instances that pull images from untrusted registries.

CVE-2026-55677 · Echo Go web framework path-traversal vulnerability. Echo versions prior to 4.15.3 and 5.2.0 contain a routing inconsistency: the router matches paths using the raw encoded URL (preserving %2F as-is), while StaticDirectoryHandler unescapes the path before serving files. An attacker can exploit this mismatch to bypass route-level access controls and read arbitrary files from the server's filesystem. This is a classic path-traversal pattern made worse by the framework's popularity — Echo is used in thousands of Go-based APIs and microservices. Upgrading to Echo 4.15.3 or 5.2.0 resolves the issue.

CVE-2026-56123 · socat SOCKS5 heap buffer overflow. socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow in the SOCKS5 proxy client code. A malicious SOCKS5 proxy server can exploit a sign-extension flaw in the DOMAINNAME reply parser to overwrite adjacent heap memory, potentially leading to remote code execution. socat is a ubiquitous networking Swiss-army knife used in embedded systems, containers, and network troubleshooting — any deployment that connects to untrusted SOCKS5 proxies is at risk. The fix is available in socat 1.8.1.2.

CVE-2026-56876 · extract-zip symlink traversal. The extract-zip npm package does not validate symlink targets when extracting zip archives. A malicious zip file containing a symlink with a relative path like ../../../../etc/passwd will be extracted as-is, allowing arbitrary file write outside the extraction directory. This is a supply-chain risk: any CI/CD pipeline or application that automatically extracts user-uploaded zip files with this package is vulnerable. No patch version was specified in the bundle; teams should audit their use of extract-zip and consider replacing it with a safer alternative.
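As an added illustration of the validation the package is described as lacking (this is not code from extract-zip or from the advisory), the Python snippet below builds a constructed archive in memory and flags every symlink entry whose resolved target leaves the extraction directory. The destination path and entry names are assumptions chosen for the example.

```python
import io
import posixpath
import stat
import zipfile


def _add_symlink(zf: zipfile.ZipFile, name: str, target: str) -> None:
    """Write a Unix symlink entry: mode 0o120777 in the high 16 bits of external_attr."""
    info = zipfile.ZipInfo(name)
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    info.create_system = 3  # 3 = Unix, so extractors honour the mode bits
    zf.writestr(info, target)  # a symlink's "content" is its target path


def build_sample_zip() -> bytes:
    """Constructed sample: a regular file, a safe symlink, and an escaping symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/README.txt", "hello\n")
        _add_symlink(zf, "pkg/latest", "README.txt")             # stays inside pkg/
        _add_symlink(zf, "pkg/passwd", "../../../../etc/passwd")  # escapes the tree
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)


def _inside(path: str, root: str) -> bool:
    return path == root or path.startswith(root + "/")


def unsafe_entries(zip_bytes: bytes, dest: str = "/srv/extract") -> list[str]:
    """Return entry names whose own path or whose symlink target resolves outside dest."""
    root = posixpath.normpath(dest)
    bad: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # The entry name itself must stay under root (catches "../" in names).
            path = posixpath.normpath(posixpath.join(root, info.filename))
            if not _inside(path, root):
                bad.append(info.filename)
                continue
            if is_symlink(info):
                target = zf.read(info).decode()
                # Absolute targets always escape; relative targets resolve against
                # the symlink's own directory, not against the archive root.
                resolved = target if posixpath.isabs(target) else posixpath.normpath(
                    posixpath.join(posixpath.dirname(path), target))
                if not _inside(posixpath.normpath(resolved), root):
                    bad.append(info.filename)
    return bad
```

A real extractor should additionally refuse to write through a symlink it has already extracted, since a safe-looking link followed by a later entry under it is the other half of this bug class.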

CVE-2026-6658 · Jupyter nbconvert XSS via Mermaid diagrams. nbconvert versions through 7.17.0 fail to sanitize text/vnd.mermaid output in HTML exports. An attacker who can control Mermaid diagram content in a Jupyter notebook can inject arbitrary JavaScript that executes when the exported HTML is viewed. This is a classic stored XSS vector targeting data-science teams who share rendered notebooks as HTML reports. The fix is available in nbconvert 7.18.0.

CVE-2026-9640 and CVE-2026-9639 · Canonical LXD privilege escalation and denial of service. Two flaws in LXD (versions 6.0 before 6.9, 5.21 before 5.21.5, and 5.0 before 5.0.7) affect project-restriction policy enforcement during snapshot restoration (CVE-2026-9640) and a nil-pointer dereference in CreateCustomVolumeFromBackup (CVE-2026-9639). An authenticated project operator can bypass project-restriction policies during snapshot restoration, and a user with can_create_storage_volumes permissions can cause a denial of service via a crafted custom-volume backup. LXD is widely used in Canonical's container and VM management ecosystem; these flaws should be patched promptly in multi-tenant deployments.

Synthesized by Vypr AI
Podman Environment Variable Injection Leads Patch Roundup · VYPR