Interesting bug: by using the <audio> tag and the range parameter inside a service worker, a site could remotely load any content from any other site, completely bypassing CORS (Cross-Origin Resource Sharing). Several browsers were vulnerable at some point, but only Edge remained vulnerable. You can find the technical write-up here.
Nothing groundbreaking after all the unsecured MongoDB and Redis instances, but a good reminder to make sure you secure your Firebase implementation properly.
Using just the public key or key ID, one could spoof a digital signature that would be seen as valid by the PGP implementation. Lots of tools have received patches.
DNS Rebinding is getting more attention these days. The article explains the vulnerability well, and shows how a researcher was able to use it to remotely control Google Home, Roku and Sonos devices.
gVisor is a sandbox system to run untrusted containers in isolation, integrated with Docker and Kubernetes.
It's been known in forensics for years, so consider it more of a heads-up: when using Quick Look or Finder for files on an encrypted drive, the thumbnail (both for images and documents) can be stored in a non-encrypted location.
Interesting blog post on the upcoming iOS feature that auto-fills two-factor SMS tokens. It would be a great convenience, but it might come with risks too.