V1Plugin.Decrypt panics on empty ciphertext (Remote DoS)

Bug reported by Miso Poop was disclosed at May 28, 2026, 4:40 pm   |   Array Index Underflow

A vulnerability was discovered in the aws-encryption-provider component of the pkg/plugin/plugin.go file at revision 4341c70. The vulnerability caused the V1Plugin.Decrypt function to panic when passed an empty ciphertext, crashing the entire gRPC server process. This was due to the function accessing the Cipher field without checking if the slice was non-empty.

V2Plugin.Decrypt panics on empty ciphertext (Remote DoS)

Bug reported by Miso Poop was disclosed at May 28, 2026, 4:35 pm   |   Array Index Underflow

A vulnerability was discovered in the "aws-encryption-provider" component where the "V2Plugin.Decrypt" function accessed the ciphertext slice without checking if it was empty, leading to a panic and crashing the entire gRPC server process.

iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs

Bug reported by Aaron was disclosed at May 28, 2026, 3:40 pm   |   Improper Authentication - Generic

A vulnerability was discovered in the Brave iOS browser that allowed users to bypass the FaceID requirement for accessing Private Tabs. The vulnerability was related to the "Open in Private Tab" option in the Brave Playlist feature. This allowed users to access the content of Private Tabs without the required FaceID or passcode authentication.