CVE-2026-45539
CVSS 7.4
Daily digests
When you run `apm install`, the tool follows symlinks inside the `.apm/prompts/` and `.apm/agents/` directories. An attacker who can plant a symlink there (say, through a malicious repo or shared project) can trick APM into copying arbitrary files from your host into the project tree, leaking sensitive data like SSH keys, tokens, or config files. It requires the attacker to control or tamper with the project's `.apm/` directory before you run the install.
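A pre-install check for the condition described above, as an added example (not code from APM or from this advisory): it lists every symlink under `.apm/prompts/` and `.apm/agents/` without following it and marks those that resolve outside the project. It assumes Python 3.9+; the function names and the file names in the demo are constructed for illustration.

```python
import os
import sys
import tempfile
from pathlib import Path

WATCHED = (".apm/prompts", ".apm/agents")  # directories named in the advisory


def _describe(link, root):
    # realpath resolves link chains and tolerates dangling targets
    target = Path(os.path.realpath(link))
    return (str(link.relative_to(root)), str(target), not target.is_relative_to(root))


def audit_apm_symlinks(project_root):
    """List (link, resolved_target, escapes_project) for every symlink in the
    watched directories, without following any of them."""
    root = Path(project_root).resolve()
    if (root / ".apm").is_symlink():  # the whole .apm directory may be the link
        return [_describe(root / ".apm", root)]
    findings = []
    for rel in WATCHED:
        base = root / rel
        if base.is_symlink():
            findings.append(_describe(base, root))
        elif base.is_dir():
            for dirpath, dirnames, filenames in os.walk(base, followlinks=False):
                for name in dirnames + filenames:
                    entry = Path(dirpath) / name
                    if entry.is_symlink():
                        findings.append(_describe(entry, root))
    return findings


def constructed_demo():
    """Build a throwaway project holding one symlink (constructed sample)."""
    tmp = Path(tempfile.mkdtemp()).resolve()
    outside = tmp / "host_secret.txt"  # stands in for a file on the host
    outside.write_text("constructed sample\n")
    prompts = tmp / "project" / ".apm" / "prompts"
    prompts.mkdir(parents=True)
    (prompts / "ok.md").write_text("benign\n")
    (prompts / "planted.md").symlink_to(outside)
    return audit_apm_symlinks(tmp / "project"), outside


if __name__ == "__main__":
    results = audit_apm_symlinks(sys.argv[1]) if len(sys.argv) > 1 else constructed_demo()[0]
    for link, target, escapes in results:
        print(f"{'OUTSIDE' if escapes else 'inside '}  {link} -> {target}")
    sys.exit(1 if any(e for _, _, e in results) else 0)
```

Run it with the project path as the only argument before `apm install`; a non-zero exit means at least one link resolves outside the project tree.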