CoreWCF auth bypass scores a perfect 10, Chrome sandbox escape close behind
A broken SAML token check in CoreWCF (CVE-2026-54782, CVSS 10.0) lets anyone forge tokens and impersonate users. Chrome on Android has a 9.6 use-after-free sandbox escape via Autofill, plus a NATS Server auth skip (8.8), a GStreamer DTLS stack overflow (7.5), and a Dynamics 365 XSS (9.3).
Two big ones today, neither exploited yet, but both worth your attention right now. CoreWCF's SAML token validation is completely broken: attackers can forge tokens and impersonate any federated user without authentication (CVE-2026-54782, CVSS 10.0). On top of that, a Chrome sandbox escape on Android (CVSS 9.6) is exactly the kind of bug that gets weaponized fast.
Today's CVEs
Sorted by urgencyCVE-2026-54782
NVDCoreWCF's SAML token validation is fundamentally broken when you use IdentityConfiguration with federated bindings. It doesn't properly check the issuer signing key or enforce that tokens are signed, so an unauthenticated remote attacker can forge SAML tokens and impersonate any user your trusted STS would normally issue for. CVSS 10.0, no exploitation reported yet, but this is a full authentication bypass with zero user interaction required.
- Affected estate
- .NET developers and sysadmins running services built on CoreWCF 1.8.x or 1.9.x that use SAML-based federated authentication
- How to check
- Check your project's NuGet package references for CoreWCF packages. Run 'dotnet list package' in the project directory and look for CoreWCF versions below 1.8.1 or 1.9.1.
- Included because
- unauthenticated; remote; CVSS 10.0; full authentication bypass; no user interaction
- Action
- Update the CoreWCF NuGet packages to 1.8.1 or 1.9.1, rebuild, and redeploy.
- Why it matters
- An unauthenticated attacker can forge identity tokens and impersonate any user, fully bypassing authentication on your service.
- Source
- CoreWCF project advisory
Evidence trail
- NVD: View source
CVE-2026-58253
NVDWhen NATS Server has no_auth_user configured, a parser shortcut meant for regular client connections accidentally applies to route and leafnode listeners too. That means an unauthenticated peer can skip inter-server CONNECT authentication and get the full privileges of a route or leafnode connection. CVSS 8.8. If your NATS cluster is reachable by untrusted hosts, this is an easy privilege escalation path.
- Affected estate
- Anyone running NATS Server with no_auth_user enabled, especially clusters where route or leafnode ports are network-accessible
- How to check
- Run 'nats-server --version' and review your server config for the no_auth_user directive. If it's present and you're on a vulnerable version, you're exposed.
- Included because
- unauthenticated; network-accessible; authentication bypass on inter-server connections; CVSS 8.8
- Action
- Upgrade to 2.14.0, 2.12.7, or 2.11.16. As a temporary mitigation, restrict network access to route and leafnode ports to trusted hosts only.
- Why it matters
- An unauthenticated peer can join your cluster as a trusted route or leafnode, giving it full inter-server privileges.
- Source
- NATS project advisory
Evidence trail
- NVD: View source
CVE-2026-59692
NVDGStreamer's DTLS plugin copies the peer certificate's Subject Distinguished Name into a fixed 2048-byte stack buffer with no bounds check during the handshake. A remote unauthenticated attacker can send a certificate with an oversized Subject DN to overflow the buffer and crash the process. This is a denial-of-service bug (CVSS 7.5), not confirmed for code execution, but any GStreamer pipeline using DTLS (common in WebRTC scenarios) is vulnerable.
- Affected estate
- Anyone running GStreamer pipelines that use the DTLS plugin, particularly WebRTC media servers and endpoints
- How to check
- Run 'gst-inspect-1.0 dtls' to check if the DTLS plugin is present, then check your GStreamer package version against your distro's security tracker.
- Included because
- unauthenticated; remote; stack overflow; denial of service; common in WebRTC deployments
- Action
- Update the GStreamer DTLS plugin package to the patched version. If no patch is available yet, restrict DTLS endpoints to trusted peers or disable the plugin if not needed.
- Why it matters
- A remote attacker can crash any GStreamer process using DTLS with a single malformed certificate, taking down media streams.
- Source
- GStreamer project advisory
Evidence trail
- NVD: View source
CVE-2026-15113
NVDA use-after-free bug in Chrome's Autofill feature on Android can let an attacker escape the browser sandbox through a crafted web page. CVSS 9.6. No user interaction beyond visiting the page is needed. Sandbox escapes are rare and serious: if exploited, the attacker gets access beyond the browser process itself. No exploitation in the wild yet, but this is the kind of bug that gets weaponized fast.
- Affected estate
- Anyone managing Chrome on Android devices, including MDM-managed fleets and BYOD environments
- How to check
- Open Chrome on the device, go to Settings > About Chrome, and check the version number. In MDM, query for Chrome browser versions below 150.0.7871.115.
- Included because
- unauthenticated; remote; sandbox escape; CVSS 9.6; no user interaction beyond visiting a page
- Action
- Force a Chrome update to 150.0.7871.115 or later through your MDM or instruct users to update via the Play Store.
- Why it matters
- A sandbox escape means a malicious web page can break out of Chrome's security boundary and potentially compromise the device.
- Source
- Chromium security advisory
Evidence trail
- NVD: View source
CVE-2026-47646
NVDA cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 Customer Voice lets an unauthorized attacker inject malicious content and spoof pages over the network. CVSS 9.3. This is a cloud service, so you can't patch it yourself, but you should verify your tenant is updated and watch for any indicators of spoofing or phishing through Customer Voice surveys.
- Affected estate
- Teams using Microsoft Dynamics 365 Customer Voice for surveys and feedback collection
- How to check
- Check the Microsoft 365 admin center or Service Health dashboard for advisories related to Dynamics 365 Customer Voice. Microsoft typically patches cloud services server-side.
- Included because
- unauthenticated; network-accessible; XSS with spoofing; CVSS 9.3; cloud-hosted service
- Action
- Verify the fix is applied in your tenant via the admin center. Alert users who manage Customer Voice surveys to watch for unusual or spoofed content.
- Why it matters
- Attackers can spoof survey pages to phish your customers or internal users through a trusted Microsoft domain.
- Source
- Microsoft Security Response Center
Evidence trail
- NVD: View source
One email, every Wednesday morning.
SubscribeFrom the field notes
From this beat
Read the rest of the field notes โ