Home/ Blog/ Deep dive/ Article
Blog · Deep dive

Signal: We triaged 3,560 vulnerabilities this week. The dangerous ones were already old.

We triaged 3,560 vulnerabilities in a week. The classes that actually shipped are the same five from 2010, even in new AI tooling. The pattern, and what to do.

Signal: We triaged 3,560 vulnerabilities this week. The dangerous ones were already old.
By Suriq's Jack · ·Deep dive · 5 min read Mitigate now

This week the Suriq threat desk logged a decision on 3,560 vulnerabilities and judged 43 of them worth publishing. The headlines were AI agents and nation-state backdoors. The bugs that actually shipped were the same five we have been patching since 2010.

This week in numbers3,560 vulnerabilities triaged, about 77 flagged as exploited, 43 published.This week in numbers3,560triaged77flagged exploited (approx.)43published

The flaw types we logged most often tell the same story. Cross-site scripting led at 173, command injection and remote code execution close behind at 169, then account takeover (119), SQL injection (114), path traversal (98), and server-side request forgery (78). Those are the leading categories, not the full 3,560: most advisories never name a clean flaw type, so the long tail is wide. But the pattern at the top is the point. The top five have all been on the OWASP Top Ten for a decade. None of them new. All of them still working.

Vulnerabilities by flaw type, this weekHorizontal bar chart. cross-site scripting: 173. command injection / RCE: 169. authentication / account takeover: 119. SQL injection: 114. path traversal / file read: 98. SSRF: 78.The flaw types we triaged most oftencross-site scripting173command injection / RCE169account takeover119SQL injection114path traversal98SSRF78
The leading flaw types among the vulnerabilities we triaged this week, classified from advisory titles. These are the top categories, not a complete breakdown of the total. Source: Suriq threat-desk, last 7 days.

The new tools are shipping the oldest bugs

The interesting part is where these turned up. The software getting the most security attention right now is the AI agent stack, and that stack spent the week reintroducing flaws that predate it by twenty years.

The Appium MCP server shipped a cross-site scripting flaw in how it rendered locator data that could hijack the agent driving it. Crawl4AI's Docker image had a server-side request forgery hole reachable with no login at all. The LangSmith SDK's tracing middleware read arbitrary files off the server. Different products, different vendors, one pattern: a brand-new category of software, built fast, shipping the bug classes a 2005 web app would have failed a pentest for.

The frontier moved. The mistakes did not.

The root cause is a trust boundary nobody drew

Look closer and the recurring failure is not really cross-site scripting or SQL injection. It is a confusion about who is trusted. Modern self-hosted software keeps handing real power to a role it assumes is friendly, then discovers that role is reachable by an attacker.

Budibase let a workspace builder read the server's secret files, including the token-signing key, because a builder was assumed to be staff. Ultimate Member let a low-privilege contributor reach every account, admins included. Central Dogma shipped a default secret that handed over the whole cluster to anyone who read the docs.

This is not only a problem for young AI startups. The same week, two pieces of mature, self-hosted infrastructure that hosting teams actually run failed the same way: Unraid's web panel had a command injection in a logged-in action, and Quest NetVault Backup shipped a SQL injection that ran as the database. Both treated an authenticated user as trusted. Both were wrong.

That is the through-line connecting the boring bugs. Input validation and output encoding are the symptoms people quote. The real disease is drawing the trust boundary in the wrong place, then letting an attacker stand on the trusted side of it.

Why the boring bugs keep winning

If these classes are so well understood, why do they keep shipping? The honest answer is economics, not ignorance. New software is rewarded for the demo, not the threat model. A working feature ships on the deadline; the trust-boundary review is the line item that gets cut when the deadline slips. The AI tooling wave has poured a generation of fast-moving projects into production with exactly that incentive, and the result is a brand-new attack surface carrying the oldest mistakes.

For anyone running this software, that economics is the part that matters. When you self-host a tool, you inherit whatever review the vendor skipped under their own deadline. The flaw was introduced upstream, but the exposure is yours, on your network, reachable from your perimeter. That is why a week of advisories about other people's code is still a worklist for your own estate: the same five classes, in the same trusted-role pattern, are almost certainly sitting in something you run today.

What is actually new is a delivery vector, not a bug

It would be dishonest to say nothing changed. One thing did. Prompt injection showed up this week as a genuinely new way to deliver old outcomes. The macOS.Gaslight backdoor turned a prompt injection into code running on an analyst's machine. OpenClaw's skill marketplace became a software-supply-chain problem the moment an agent could install a stranger's code.

But notice what the attacker walks away with: code execution, data theft, account takeover. The same prizes as always. Prompt injection is a new front door to the same house. It does not replace the old locks that are still unlatched. It just gives an attacker one more way to reach them.

What to do about it

If you run self-hosted or AI tooling, the defense is unglamorous, and it is the same defense it has always been.

  • Re-draw your trust boundaries on paper. List every role your software calls builder, contributor, agent, or integration. Assume each one is attacker-controlled and ask what it can reach. The Budibase and Ultimate Member failures were both invisible until someone did exactly that.

  • Validate input and encode output at every boundary an untrusted role can cross, including the ones inside your own app. The AI tools failed here because they treated internal data as safe.

  • Hunt your defaults. Default secrets, default credentials, and example keys left in production are the cheapest full compromise on this list. Grep your configs this week.

  • Treat agent and plugin installs as supply chain. If an AI agent can pull and run third-party code, it is a package manager, and it needs the same scrutiny you give one.

The lesson the data keeps repeating is not that attackers got smarter. It is that we keep building new things on top of mistakes we already know how to prevent. This week's 3,560 vulnerabilities were a loud reminder: before you chase the novel threat, close the twenty-year-old one underneath it.

Topics
AI & LLM security

Frequently asked questions

What were the most common vulnerability types this week?

Across the 3,560 vulnerabilities the Suriq threat desk triaged in the last seven days, the most common flaw types were cross-site scripting (173), command injection and remote code execution (169), broken authentication and account takeover (119), SQL injection (114), and path traversal (98). All five have been on the OWASP Top Ten for more than a decade.

Why do old vulnerability classes still dominate?

The honest answer is economics, not ignorance. New software is rewarded for shipping features and demos, and the security review that would catch these flaws is the line item cut when a deadline slips. The same well-understood classes are the cheapest to introduce and the easiest to skip checking, so they keep appearing, now in fast-moving AI tooling.

Do AI and agent tools have new types of vulnerabilities?

Mostly they ship the old ones. This week the AI agent stack reintroduced cross-site scripting, server-side request forgery, and arbitrary file read. The one genuinely new element is prompt injection, but it is a delivery vector for old outcomes like code execution and data theft, not a new class of bug.

What is a trust boundary, and why does it matter here?

A trust boundary is the line between the code or users you trust and those you do not. Most of this week's serious bugs came from drawing it in the wrong place: software handed real power to a role it assumed was friendly, such as a builder, contributor, or agent, when that role was actually reachable by an attacker.

How can I protect self-hosted software from these flaws?

Treat every builder, contributor, agent, and integration role as attacker-controlled. Validate input and encode output at every boundary those roles can cross, including internal ones. Audit for default secrets and example keys left in production, and treat any agent that can install third-party code as a supply-chain risk.

Keep reading
Security news

Russia's Turla built a new backdoor for one reason: deleting one tool will not evict them

Google tied Russia's Turla to STOCKSTAY, a new .NET backdoor built as four swappable parts. Why deleting one piece does not evict the group, and what to hunt.

Suriq's Jack · Jun 26, 2026
Security news

Prinz Eugen ransomware hits your newest files first and never leaves a note

Prinz Eugen ransomware encrypts your most recently changed files first and drops no ransom note, defeating canary traps and note-based SOC alerts. What to do.

Noam Alum · Jun 21, 2026
Security news

Your Fortinet password reset won't lock the FortiBleed attacker out

CISA declared FortiBleed an emergency on June 18 after 86,644 Fortinet devices were hit. Resetting passwords is not enough: kill live sessions and fix the

Noam Alum · Jun 21, 2026

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.

Get Access Meet the clan