
Welcome back friends. This week's theme is simple: self-hosted tools are bleeding critical flaws, and the CVSS scores keep hitting the ceiling. When Veeam, n8n, and Coolify all ship fixes for vulnerabilities rated 9.0 or higher (including two perfect 10.0s), you're watching the tax bill come due on convenience and automation. Meanwhile, the industry's having a reckoning about whether AI-generated code and AI agents are security accelerants or just faster ways to ship vulnerabilities at scale.
TLDR
A critical flaw in the n8n automation platform allows authenticated users to execute malicious code. Both self-hosted and cloud versions are at risk of full instance compromise.
A new RCE bug in Veeam Backup & Replication lets an attacker gain control of the server via the postgres user. While no active exploitation has been reported yet, Veeam's history as a ransomware target makes this a priority fix.
Coolify, the self-hosted PaaS platform, disclosed a series of vulnerabilities that could lead to full server takeover. Attackers can escape containers or grab root SSH keys through insecure database and git functions.
The security talent shortage is driving a structural shift in which automation is the only way to keep pace with threats. Since nearly half of AI-generated code contains security flaws, humans must pivot from manual tasks to high-level oversight.
As AI moves from answering questions to autonomously calling APIs and accessing databases, static policies are no longer enough. Security teams need to shift toward real-time behavioral governance to manage these active digital agents.
Blog Highlight - Fighting AI with AI
With nearly half of AI-generated code riddled with security flaws, security teams face a choice: fight fire with fire, or get burned. Our latest post explores how defenders are deploying their own AI agents to scan, validate, and catch vulnerabilities before they ship. Read our full breakdown to see what automated security looks like in practice.
THIS WEEK’S TAKE
Self-Hosted Software = Security Liability
Look, I get the appeal of self-hosting. You control your data, you customize everything, you feel like a digital homesteader. But this week's parade of catastrophic vulnerabilities in self-hosted platforms (n8n with a perfect 10.0 CVSS score, Coolify with eleven critical flaws, Veeam getting hammered again) should make it clear most organizations have no business running their own infrastructure.
These weren't sophisticated attacks. These platforms shipped with command injection bugs that let any authenticated user execute code as root. Basic security hygiene failures. And the thing is, the vendors eventually found and fixed them, but how many self-hosted instances are still running vulnerable versions right now? How many IT teams are even aware patches exist? You're not just responsible for deploying the software anymore. You're responsible for monitoring security advisories, testing patches, maintaining update schedules, and hoping you catch the vulnerability before someone else does. Meanwhile, the same vendors offering self-hosted versions also run cloud instances where they handle all of this for you. The cloud versions got patched immediately. Your self-hosted box? That's on you. And if you're honest about your team's bandwidth and expertise, you know how that story ends.
- Shawn Booker | OX Security
