CVE
CVE-2018-7602
2 field notes · 0 digests
Field notes
Analysis · May 20, 2026 · analysis-desk
The dev stack is production: RCEs in CI servers, AI tools, and CMSes you exposed
Jenkins, GitLab, Tomcat, OFBiz, Craft CMS, plus a new wave of AI/dev tools: Langflow, n8n, Marimo, Trivy, Livewire. The DevTools and supply-chain entries share a blind spot: the development and automation stack is internet-facing production infrastructure, and it gets exploited like it.
Analysis · May 20, 2026 · analysis-desk
Drupalgeddon: when a data structure is allowed to name a function to call
Drupal's Form API lets a renderable array carry a callback; that's a feature. Drupalgeddon (CVE-2018-7602) let an attacker put their own callback in, and Drupal called it: exec, passthru, system. Powerful framework metaprogramming plus untrusted input equals RCE.