
Security
Jun 18, 2026
Spring CVEs Didn't Slow Down. June 2026 Brought 67.
The spring surge kept climbing, and the versions Broadcom no longer evaluates are where the real exposure now lives.
Bob McNees

Security
Jun 17, 2026
CVE-2026-41855: Spring Framework JMS Jackson Deserialization Flaw
How Jackson-based JMS message converters allow gadget class instantiation in untrusted broker environments
Greg Allen

Security
Jun 17, 2026
Spring Boot 3.5 EOL: Scanner Findings, Audit Risk, and Remediation Options
Migrate, self-patch, get covered, or accept the risk — each is right in the right situation, and each breaks when the timeline doesn't match
Mark Szymanski

Security
Jun 16, 2026
CVE-2026-41003: Spring Security SAML XSS via RelyingPartyRegistration
CWE-79 in Spring Security's SAML 2.0 service-provider components writes unencoded values into auto-generated HTML forms
Greg Allen

Security
Jun 16, 2026
NumPy 2.0 Reaches End of Life on June 17, 2026
Why an unsupported version of the library beneath pandas, scikit-learn, and PyTorch is a foundational risk
Taylor Corbett

Security
Jun 15, 2026
Angular's 2026 CVE Surge: 21 New Advisories, No Patches for EOL Apps
Angular CVE disclosures are accelerating, AI is driving the discovery, and end-of-life Angular versions are the most exposed software you run.
Javier Perez

Thought Leadership
Jun 12, 2026
Spring Boot 3.5 Is the Next One: How to Think About the Decision Before You Have to Make It
Spring shipped 30 CVEs in two months of 2026 — here's how to make the 3.5 → 4 decision on your timeline, not someone else's
Taylor Corbett

Security
Jun 12, 2026
CVE-2026-50555 & CVE-2026-50556 - Two High-Severity XSS Vulnerabilities in Angular SSR's DOM Serialization Layer
Inside the two server-side rendering XSS vulnerabilities affecting Angular 19 through 22, and why EOL versions can't patch
Ryan Jasinski

Thought Leadership
Jun 12, 2026
CVE-2026-50178 Angular Language Service VS Code Extension RCE
How unsanitized JSDoc hover content and a trusted Markdown renderer let a crafted project file execute arbitrary shell commands on a developer's machine
Ryan Jasinski

Security
Jun 12, 2026
Ingress NGINX End of Life (March 2026): Risks, Migration Paths, and Support Options
Ingress NGINX reached end of life in March 2026. What is actually EOL, the security and compliance risks of staying, every migration path compared, and how to keep running it with full support while you migrate.
Greg Allen

Security
Jun 12, 2026
Spring Boot 4.0 Is Coming, and Your 3.x Apps Won't Just Recompile
Spring Boot 3.5 reaches open-source end of life on June 30, 2026. A new community guide from Steve Poole maps all 115 breaking changes in the move to 4.0, sorted by what breaks your build, your runtime, and your results.
Steve Poole

Thought Leadership
Jun 11, 2026
Node.js Is Moving to One Release a Year. The People Who Ship It Explain Why.
HeroDevs sat down with Node.js TSC members Matteo Collina and Marco Ippolito to unpack the new annual release schedule, the paused bounty program, AI in vulnerability reports, and why so many teams still run end-of-life Node.js.
Taylor Corbett

Security
Jun 11, 2026
CVE-2026-40987: Spring Integration Remote-File Synchronizer File Write
How a remote-file synchronizer that writes a server-supplied filename under localDirectory without canonicalization lets a malicious FTP/SFTP/SMB server plant files anywhere on the client
Greg Allen

Security
Jun 11, 2026
CVE-2026-50168: Angular SSR SSRF Allowlist Bypass via URL Parser Differential in @angular/platform-server
CVE-2026-50168: Understanding the Angular SSRF Allowlist Bypass
Ryan Jasinski

Security
Jun 11, 2026
TinyMCE XSS: Four Sanitization Bypass CVEs (CVE-2026-47759 to 47762)
How four separate content-sanitization gaps in TinyMCE let attacker-supplied editor content execute arbitrary JavaScript in any embedding application
Greg Allen