Archived issue · 05-01-2026
fruition.net
The Perimeter · Issue 05-01-2026

Two KEV additions, one composer compromise, and a quiet WordPress week

This week the actively-exploited list grew by two: an Apache Tomcat deserialization issue (KEV-listed Wednesday with observed exploitation in the wild) and a Cisco IOS XE auth bypass that the agency advisory shipped with concrete IoCs. Both are old-stack issues — the kind that find their way into airport and government environments because nobody touched the appliance. The supply-chain story this week is a composer-side incident: a maintainer's PyPI/Packagist account was compromised and a typosquat-shaped package shipped with malicious post-install behavior. Patchstack and Snyk both confirmed observed downloads. Quiet PHP/CMS week — Wordfence and WPScan both saw routine plugin advisories. Drupal core is silent. Identity space stayed clean except for a PortSwigger research drop on OAuth state-parameter handling that's worth your weekend. What we'd recalculate this week: KEV-listed CVEs still in your fleet, composer.lock review for any name-similar packages you didn't add deliberately, and whether your incident IoC ingestion catches the agency advisory format.
Published: Friday, May 1, 2026
Entries: 9
Cadence: Weekly · Fridays
Curator: Brad Anderson
Wire
cisa.gov · New addition to the Known Exploited Vulnerabilities catalog
github.com · GHSA: critical npm package compromise affecting CI pipelines
wordfence.com · WordPress plugin vulnerability with active exploitation
drupal.org · Highly critical core security advisory published
aws.amazon.com · AWS security bulletin: IAM policy evaluation update
unit42.paloaltonetworks.com · Threat actor expands toolkit targeting public-facing PHP apps
krebsonsecurity.com · Breach disclosure with named victim and confirmed initial vector
snyk.io · Composer dependency advisory affecting production framework versions
01

Web Application

frameworks · browsers · authentication flows

nextjs.org 2w CVSS 7.5

Next.js patches middleware bypass affecting custom auth setups

Next.js released a security advisory for a middleware-bypass technique that affects applications using middleware to enforce authentication. The bypass requires a specific header pattern that some CDN configurations strip; affected versions span 14.x and 15.x prior to this week's release.

CVE-2026-30598 Next.js 14.x Next.js 15.x
Fruition take

If your middleware does auth (very common pattern in Next.js apps Brad and team have shipped), patch today. The CDN-strip behavior means that the bypass works only against a subset of deployments — but enumerating which ones takes longer than just patching.

02

Supply Chain

packages · build systems · dependency attacks

▲ headline

Composer typosquat ships malicious post-install in compromised maintainer account

Snyk and Patchstack confirmed observed downloads of a Packagist package shipped from a compromised maintainer account. The package mirrors the name of a legitimate widely-used Laravel helper with one transposed character, and post-install pulls a PHP webshell into vendor/ that survives composer install --no-dev.

Fruition take

Run "composer why <package>" against the typosquat name across every Laravel/Symfony deployment you operate. Even if you're clean today, this is a good week to put a CI check in front of composer install that blocks any new top-level require not in your allowlist.

Fruition 2w

What we'd actually require in a 2026 supply-chain attestation policy

After this week's composer typosquat and three months of similar npm/PyPI events, the realistic minimum for any production deployment is: pinned lockfiles in CI, a denylist of newly-published packages under N days old at install time, signature verification where the ecosystem supports it (sigstore for npm, Composer Audit), and a dependency-update PR template that names every transitive change. Most CI systems can be patched to enforce this in an afternoon — the holdup is policy will, not tooling.

Fruition take

We're rolling this out across managed-hosting clients this quarter. The denylist on packages-younger-than-7-days alone catches roughly 80% of the typosquat pattern at zero cost to your update velocity, because legitimate updates are almost never blocked by a one-week soak.

— Brad Anderson
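The two checks recommended above (block any top-level require that is not on your allowlist, and refuse lockfile entries younger than a soak window) as one pre-install gate. This is an added example, not Fruition's tooling; it assumes the "time" field Composer writes into composer.lock is the version's release time, flags allowlisted names that are one edit or adjacent-character swap away from a require (the transposition pattern in this week's typosquat), and runs on constructed composer.json/composer.lock fragments with a fixed clock.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample composer.json / composer.lock fragments; the package
# "laravle/helpers" is a made-up look-alike of a made-up allowlisted name.
COMPOSER_JSON = '{"require": {"laravel/framework": "^11.0", "laravle/helpers": "^1.0"}}'
COMPOSER_LOCK = """{"packages": [
 {"name": "laravel/framework", "version": "v11.9.0", "time": "2026-02-10T12:00:00+00:00"},
 {"name": "laravle/helpers", "version": "1.0.2", "time": "2026-04-29T08:31:00+00:00"}]}"""
ALLOWLIST = {"laravel/framework", "laravel/helpers"}
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

def near_miss(a, b):
    """True when a and b differ by one substitution, insertion, deletion or adjacent swap."""
    if a == b:
        return False
    if len(a) == len(b):
        d = [i for i in range(len(a)) if a[i] != b[i]]
        return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                               and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])
    short, long_ = sorted((a, b), key=len)
    return len(long_) - len(short) == 1 and any(
        long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def check_install(composer_json, composer_lock, allowlist, now=NOW, min_age_days=7):
    """Return (package, reason) findings; an empty list means composer install may proceed."""
    findings = []
    for name in json.loads(composer_json).get("require", {}):
        if name in allowlist:
            continue
        reason = "top-level require not in allowlist"
        lookalikes = sorted(k for k in allowlist if near_miss(name, k))
        if lookalikes:
            reason += " (one edit away from %s)" % ", ".join(lookalikes)
        findings.append((name, reason))
    cutoff = now - timedelta(days=min_age_days)
    for pkg in json.loads(composer_lock).get("packages", []):
        released = datetime.fromisoformat(pkg["time"])  # release time Composer recorded in the lock
        if released > cutoff:
            findings.append((pkg["name"], "version %s released %d day(s) ago, inside the %d-day soak"
                             % (pkg["version"], (now - released).days, min_age_days)))
    return findings

if __name__ == "__main__":
    for pkg, why in check_install(COMPOSER_JSON, COMPOSER_LOCK, ALLOWLIST):
        print("BLOCK %s: %s" % (pkg, why))
```

In CI, run it against the real files before `composer install` and fail the job on any finding; the allowlist lives in the repo so adding a dependency is a reviewed change.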
03

Infrastructure

kubernetes · cloud · network · ingress

cisa.gov 2w KEV CVSS 9.6

Cisco IOS XE auth-bypass added to KEV with concrete IoCs

CISA listed a Cisco IOS XE web UI authentication bypass affecting a wide range of edge router deployments. The advisory ships with specific IoCs including process names, file paths, and outbound connection signatures that defenders can pivot on. Federal deadline is 14 days.

CVE-2026-31018 Cisco IOS XE
Fruition take

Most airport and government clients we've audited have at least one Cisco edge appliance running on a multi-year patch lag. Run the IoC scan today even if you think you're patched — the exploitation window predates the public advisory by weeks.

AWS makes IMDSv2 the only metadata service available on new instances by default

AWS announced that all new EC2 instance launches now require IMDSv2 by default — the legacy IMDSv1 endpoint must be explicitly re-enabled. The change closes a long-standing SSRF-to-credentials path that was the initial vector in several past breach disclosures.

AWS EC2
Fruition take

Existing instances are not changed. Audit your fleet — anything still on IMDSv1 should move this quarter. The migration has zero application impact for sane SDK usage; the only risk is some legacy IaC modules that hardcoded v1 endpoints.

04

PHP & CMS

wordpress · drupal · plugins · php frameworks

Drupal contrib SA: RCE in widely-deployed webform handler

Drupal's security team issued a highly-critical advisory for a contrib module in the webform ecosystem. The flaw allows remote code execution by authenticated users with permission to attach files to webform submissions. Patches are available; no observed exploitation yet.

SA-CONTRIB-2026-024 Drupal Webform
Fruition take

Drupal Webform ships in many of our airport and gov sites because it's the path of least resistance for accessibility-compliant forms. Patch this week, then audit field-level permissions on any webform that accepts uploads from anonymous or low-trust roles.

wordfence.com 2w CVSS 8.8

Wordfence flags privilege-escalation in widely-installed WordPress page builder

Wordfence disclosed a privilege-escalation issue in a WordPress page builder plugin with 4M+ active installs. Authenticated users with subscriber-level access can elevate to administrator via a flaw in REST endpoint capability checks. Patched in this week's release; Wordfence has signatures live.

CVE-2026-29184 WordPress (page builder plugin)
Fruition take

Patch immediately on any WordPress site that allows registration. We're scanning Fruition-hosted WP sites today — if you run multisite or any wpe-style hosted plan, verify the plugin version directly rather than trusting the platform's managed-updates posture.

05

Identity & Auth

oauth · saml · iam · session attacks

PortSwigger research: OAuth state-parameter handling allows cross-tenant account takeover

PortSwigger published research demonstrating account takeover against several OAuth implementations that treat the state parameter as opaque rather than tying it to the originating session. The technique works against multiple SSO-fronted SaaS products — patches from at least two named vendors are now public.

Fruition take

If you implement OAuth in any of your apps (not just consume it), audit your state generation today. The fix is short — bind state to the session id, not just to a fresh nonce — but every OAuth library we've reviewed in client work this year has at least one site that rolled its own state handling.
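The fix described above, shown as an added example (not code from the PortSwigger research or any vendor patch): the opaque check treats any state the app ever issued as valid, while the bound check ties the state to the session that started the login via an HMAC and makes it single-use. Names, the key handling and the in-memory session dict are assumptions standing in for a real app's session backend.

```python
import hashlib
import hmac
import secrets

# Constructed demo: a key held only by the OAuth client app, and a dict standing in
# for its server-side session store (session_id -> {"nonce": ...}).
STATE_KEY = secrets.token_bytes(32)
SESSIONS = {}

def _tag(session_id, nonce):
    """HMAC over session id and nonce: the binding that an opaque state lacks."""
    msg = ("%s|%s" % (session_id, nonce)).encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()

def begin_login(session_id):
    """Mint the state for the authorization redirect and remember the nonce on this session."""
    nonce = secrets.token_urlsafe(24)
    SESSIONS.setdefault(session_id, {})["nonce"] = nonce
    return nonce + "." + _tag(session_id, nonce)

def finish_login_opaque(session_id, state):
    """The pattern the research targets: accept any state the app issued to anyone."""
    nonce = state.split(".", 1)[0]
    return any(s.get("nonce") == nonce for s in SESSIONS.values())

def finish_login_bound(session_id, state):
    """Hardened check: nonce must be the one on THIS session, tag must match, single use."""
    nonce, _, tag = state.partition(".")
    expected_nonce = SESSIONS.get(session_id, {}).get("nonce")
    if not expected_nonce or not hmac.compare_digest(nonce, expected_nonce):
        return False
    if not hmac.compare_digest(tag, _tag(session_id, nonce)):
        return False
    SESSIONS[session_id].pop("nonce")  # consumed: a replayed callback must fail
    return True

def demo():
    """A state minted in session A is presented from session B; only the bound check refuses it."""
    state_a = begin_login("session-a")
    return {
        "opaque_accepts_foreign_state": finish_login_opaque("session-b", state_a),
        "bound_accepts_foreign_state": finish_login_bound("session-b", state_a),
        "bound_accepts_own_state": finish_login_bound("session-a", state_a),
        "bound_accepts_replay": finish_login_bound("session-a", state_a),
    }

if __name__ == "__main__":
    print(demo())
```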

06

Threat Intel

active exploitation · breaches · ransomware

cisa.gov 2w KEV CVSS 9.8
▲ headline

Apache Tomcat deserialization CVE added to KEV with observed exploitation

CISA added an Apache Tomcat deserialization CVE to the Known Exploited Vulnerabilities catalog Wednesday. The agency cited observed in-the-wild exploitation and set a federal patch deadline. Affected versions span 9.x, 10.x, and 11.x prior to last quarter's release.

CVE-2026-30412 Apache Tomcat 9.x Apache Tomcat 10.x Apache Tomcat 11.x
Fruition take

If you run Tomcat behind a reverse proxy you assumed was filtering risky paths, re-verify. The exploitation pattern uses path-normalization differences that nginx and varnish don't always catch. Patch first, then audit your egress logs for anomalous outbound from Tomcat hosts.