TechBriefing

Java · React Daily Briefing

2026.05.17 (Sun)

70 Releases · 55 CVE · 44 Articles

🎯 Today's Headlines

Backend/Java tier S CVE · 05-12 · score 10.0
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. U…
CVSS 9.1 · CRITICAL
Runtime tier S CVE · 05-12 · score 10.0
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted.…
CVSS 9.1 · CRITICAL
React Core tier S CVE · 05-13 · score 9.41
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS p…
CVSS 7.5 · HIGH
Language/Eco tier S CVE · 05-15 · score 8.67
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious…
Meta-Framework tier S CVE · 05-07 · score 8.56
Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler. T…
CVSS 8.6 · HIGH

🚀 Releases & Security · 21 items

New Releases · 8
Tooling · 05-17 · score 7.46
## 🐛 Bug Fixes - Trim `threadConfiguration` to accept input surrounded with spaces ([#12042](https://github.com/apache/maven/pull/12042)) @slawekjaranowski - Backport: Maven 3.10.x fixed plugin resolu…
Runtime · 05-13 · score 7.4
### Commits * [[`4f780905c5`](https://github.com/nodejs/node/commit/4f780905c5)] - **crypto**: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) [#61788](https://githu…
React Core · 05-14 · score 7.02
See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7151
Tooling · 05-14 · score 7.0
Please refer to [CHANGELOG.md](https://github.com/vitejs/vite/blob/plugin-legacy@8.0.2/packages/plugin-legacy/CHANGELOG.md) for details.
Tooling · 05-14 · score 7.0
Please refer to [CHANGELOG.md](https://github.com/vitejs/vite/blob/v8.0.13/packages/vite/CHANGELOG.md) for details.
Tooling · 05-11 · score 6.54
Please refer to [CHANGELOG.md](https://github.com/vitejs/vite/blob/create-vite@9.0.7/packages/create-vite/CHANGELOG.md) for details.
Tooling · 05-11 · score 6.54
Please refer to [CHANGELOG.md](https://github.com/vitejs/vite/blob/v8.0.12/packages/vite/CHANGELOG.md) for details.
React Core · 05-06 · score 6.5
## React Server Components - Type hardening and performance improvements ([#36425](https://github.com/facebook/react/pull/36425) by @eps1lon and @unstubbable)
Breaking Changes · 5
Backend/Java · 05-17
# Hibernate ORM 7.3.5.Final released Today, we published a new release of Hibernate ORM 7.3: 7.3.5.Final. You can find the full list of 7.3.5.Final changes [here](https://hibernate.atlassian.net/issue…
Backend/Java · 05-17
# Hibernate ORM 7.1.27.Final released Today, we published a new release of Hibernate ORM 7.1: 7.1.27.Final. You can find the full list of 7.1.27.Final changes [here](https://hibernate.atlassian.net/is…
Backend/Java · 05-17
# Hibernate ORM 7.2.15.Final released Today, we published a new release of Hibernate ORM 7.2: 7.2.15.Final. You can find the full list of 7.2.15.Final changes [here](https://hibernate.atlassian.net/is…
Tooling · 05-12
The Gradle team is excited to announce Gradle 9.5.1. Here are the highlights of this release: - Task provenance in reports and failure messages - Type-safe accessors for precompiled Kotlin Settings pl…
Runtime · 05-07
### Notable Changes #### Experimental `node:ffi` module Node.js now includes an experimental `node:ffi` module for loading dynamic libraries and calling native symbols from JavaScript. The API is gate…
CVE · 6
CVE-2026-43515 · CVSS 9.1 · CRITICAL
Matched keyword: tomcat · 05-12
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.…
CVE-2026-43512 · CVSS 9.8 · CRITICAL
Matched keyword: tomcat · 05-12
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 th…
CVE-2026-41293 · CVSS 9.8 · CRITICAL
Matched keyword: tomcat · 05-12
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support…
CVE-2026-45091 · CVSS 9.1 · CRITICAL
Matched keyword: node.js · 05-12
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload o…
CVE-2026-26956 · CVSS 9.8 · CRITICAL
Matched keyword: node.js · 05-04
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host coopera…
CVE-2026-26332 · CVSS 9.8 · CRITICAL
Matched keyword: node.js · 05-04
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
Deprecations · 2
Runtime · 05-05
React Core · 04-17

📈 Keyword Trends (ranked by rising weight)

https · co-occurs with: com, github, pull · w 404.6
com · co-occurs with: https, github, pull · w 345.2
github · co-occurs with: https, com, pull · w 332.8
this · co-occurs with: vulnerability, issue, https · w 257.1
react · co-occurs with: framework, applications, building · w 253.1
node · co-occurs with: prior, can, open · w 236.0
Data sources: GitHub Releases · NVD CVE · official blog RSS (Spring · React · Kotlin · TypeScript · Next.js · Vite).
Importance score = tier + source weight + CVSS boost − age penalty (0 to 10).
Generated at: 2026-05-17 21:30