Venmo, a social payment system, defaults to public disclosure of payments made on the system.
https://arstechnica.com/tech-policy/2018/07/venmos-terrible-idea/
Scott Simmons has some terrific advice about using the Same-Origin Policy as a control for CSRF.
https://www.appsecconsulting.com/blog/using-the-same-origin-policy-to-control-for-cross-site-request-forgery
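As an added example (not code from Scott Simmons' post), here is the kind of server-side check that idea boils down to: a browser attaches an Origin header to cross-site POST/PUT/DELETE requests and a page on another site cannot forge or strip it, so a state-changing request whose Origin (or, as a fallback, Referer) is not one of our own origins is rejected. The origin `https://app.example.com`, the lower-cased header object and the `checkCsrfOrigin` name are assumptions for the example.

```javascript
// Added example: same-origin-based CSRF check for a Node.js HTTP handler.
// Assumes headers arrive as a plain object with lower-case names, as Node's
// http module provides (req.headers).

// Assumed: the origin(s) our own pages are served from.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Methods that must not change state and therefore need no CSRF check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Returns the origin (scheme://host[:port]) of a URL string, or null if it
// does not parse. Comparing origins, not prefixes, defeats lookalike hosts
// such as https://app.example.com.attacker.example.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a request may proceed. Returns { ok, reason }.
function checkCsrfOrigin(method, headers, allowed = ALLOWED_ORIGINS) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { ok: true, reason: "safe method" };
  }

  const origin = headers["origin"];
  if (origin !== undefined) {
    // Browsers send the literal string "null" for sandboxed frames, data: URLs
    // and some redirect chains; that is never one of our origins.
    if (origin !== "null" && allowed.has(origin)) {
      return { ok: true, reason: "origin matches" };
    }
    return { ok: false, reason: `origin ${origin} not allowed` };
  }

  // Some same-origin requests and older clients omit Origin; fall back to the
  // Referer and compare only its origin component.
  const referer = headers["referer"];
  if (referer !== undefined) {
    const refOrigin = originOf(referer);
    if (refOrigin !== null && allowed.has(refOrigin)) {
      return { ok: true, reason: "referer matches" };
    }
    return { ok: false, reason: `referer ${referer} not allowed` };
  }

  // Neither header present: fail closed. Privacy tools do strip both headers,
  // so in production pair this check with a synchronizer or double-submit token
  // rather than relying on it alone.
  return { ok: false, reason: "no origin or referer" };
}

// Constructed sample requests for a stand-alone run.
const samples = [
  ["GET", {}],
  ["POST", { origin: "https://app.example.com" }],
  ["POST", { origin: "https://attacker.example" }],
  ["POST", { origin: "null" }],
  ["POST", { referer: "https://app.example.com/account/settings" }],
  ["POST", { referer: "https://app.example.com.attacker.example/x" }],
  ["POST", {}],
];
for (const [method, headers] of samples) {
  const result = checkCsrfOrigin(method, headers);
  console.log(method, JSON.stringify(headers), "->", result.ok ? "allow" : "deny", `(${result.reason})`);
}
```

The check is deliberately an allow-list of exact origins: a `startsWith` or substring comparison on the Referer is the classic mistake, and the lookalike-host sample above shows why.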
Open redirect flaw exploited in the new Electron-based Google Hangouts Chat application.
https://blog.bentkowski.info/2018/07/vulnerability-in-hangouts-chat-aka-how.html?m=1
F5 has released its annual Application Protection Report. Worth a read.
https://www.f5.com/labs/articles/threat-intelligence/2018-Application-Protection-Report
DOMPurify, a common control for DOM-based XSS, has a bypass via mutation XSS (mXSS) - update if you are using it (you probably are).
http://www.thespanner.co.uk/2018/07/29/bypassing-dompurify-with-mxss/