
Last Week in AppSec for 29. January 2026

ID: dd0bd64b-79a9-59c0-b0d1-073a92917afd

STIX ID: report--dd0bd64b-79a9-59c0-b0d1-073a92917afd

Feed Name: Checkmarx Zero

Threat Score: 68/100

Date Published: 2026-01-29

Date Updated: 2026-04-27

Author: Darren Meyer

...
...

This bulletin highlights three recent vulnerabilities: a remotely triggerable Denial-of-Service in Oracle Java SE/GraalVM that can crash sandboxed client contexts (CVE-2026-21945); a resource-exhaustion DoS affecting React 19.x Server Function endpoints (CVE-2026-23864); and a path-traversal/Zip Slip flaw in pnpm prior to 10.28.1 that allows attackers to write arbitrary files, which could enable configuration tampering or remote code execution (RCE) (CVE-2026-23888). Upgrading the affected packages and applying mitigations such as rate-limiting and monitoring are recommended.
