Recently Added
The most recent resources added to appsec.fyi, across all topics. Subscribe to the RSS feed to stay updated.
| Date | Topic | Link | Excerpt |
|---|---|---|---|
| 2026-06-22 | Supply Chain | Homebrew to Packages: No ID No Service | This article discusses a security vulnerability in Homebrew's package management system related to how it handles anonymous users. When users interact with Homebrew without authentication, it can lead to potential issues, as evidenced by the "No ID, No Service" title. The linked content likely elaborates on the technical details of this vulnerability and its implications for users and the Homebrew ecosystem. Specific payout amounts for bug bounties were not mentioned in the provided information. |
| 2026-06-22 | SQLi | SQL Injection: Why It Persists and How to Prevent It | SQL Injection: Why It Persists and How to Prevent It https://ift.tt/lIwH9hU |
| 2026-06-22 | RCE | Critical Command Execution Vulnerability Patched in Cisco ISE | Cisco has released security updates to address a critical command execution vulnerability in Cisco Identity Services Engine (ISE). This flaw could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability, identified as CVE-2024-20258, has been patched by Cisco. Users are strongly advised to update their Cisco ISE deployments to the latest versions to mitigate this risk. No specific bounty payout amount was mentioned in the provided content. |
| 2026-06-22 | API Security | AI-Powered iOS Applications Expose LLM API Credentials Through Network Traffic | AI-powered iOS applications are inadvertently exposing sensitive Large Language Model (LLM) API credentials within their network traffic. This vulnerability allows attackers to potentially gain unauthorized access to these APIs, leading to misuse or data breaches. Developers are urged to implement robust security measures to prevent the leakage of such credentials in their applications. |
| 2026-06-22 | SQLi | Vibe-Coding's Hidden Danger: SQL Injection Risks Go Live | This article highlights a critical security vulnerability discovered in Vibe-Coding's platform, specifically a prevalent SQL injection risk that has been exposed. The exposé suggests that these risks are not theoretical but have gone live, meaning they are actively exploitable. The content warns of the potential dangers associated with such vulnerabilities, which can allow unauthorized access and manipulation of sensitive data. Further details regarding the exact nature of the exploit and its potential impact are available at the provided link. |
| 2026-06-22 | SQLi | pgAdmin 4 Released With Fixes for Seven Security Vulnerabilities and New Features | pgAdmin 4 has been released with fixes for seven security vulnerabilities. The update addresses issues that could have impacted user security and data integrity. Alongside these crucial security patches, the new version also introduces several new features and improvements, enhancing the overall user experience and functionality of the popular PostgreSQL GUI tool. No bug bounty payout amount was specified in the provided content. |
| 2026-06-22 | SQLi | pgAdmin 4 Released with Patches for Seven Vulnerabilities and Feature Enhancements | pgAdmin 4 Released with Patches for Seven Vulnerabilities and Feature Enhancements https://ift.tt/XSbOx5u |
| 2026-06-22 | AI | OrcaRouter Releases AI Threat Report 2026 and Makes Its Security Controls Free Amid Rise in Prompt-Injection Attacks | OrcaRouter has released its AI Threat Report 2026, highlighting a significant increase in prompt-injection attacks. In response to this growing threat, the company is making its security controls freely available. This move aims to help organizations better protect themselves against evolving AI-related vulnerabilities. The report likely details the nature and impact of these attacks, providing valuable insights for cybersecurity professionals. |
| 2026-06-22 | Supply Chain | North Korean hackers behind supply chain attack on AI platform: Microsoft | Microsoft has identified North Korean hackers as the perpetrators of a recent supply chain attack targeting an AI platform. This attack exploited vulnerabilities within the software supply chain to gain unauthorized access. The specific details of the platform and the full extent of the compromise are still under investigation. This incident highlights the growing threat of state-sponsored cyberattacks, particularly those targeting critical infrastructure and emerging technologies like AI. |
| 2026-06-22 | RCE | Critical flaw in popular SSH library enable hackers hijack systems remotely | A critical vulnerability has been discovered in a widely-used SSH library, potentially allowing hackers to remotely hijack systems. This flaw poses a significant security risk, as it could grant unauthorized access and control over compromised devices. The details of the vulnerability and its implications are still emerging, but it highlights the importance of keeping SSH implementations up-to-date and secured. |
| 2026-06-22 | SQLi | New pgAdmin 4 Version Patches Seven Security Flaws and Adds Features | The latest pgAdmin 4 release addresses seven security vulnerabilities and introduces new features. The update enhances the platform's security by patching these flaws. Specific details on the vulnerabilities patched and the new functionalities are available in the full release notes. No bug bounty payout amounts are mentioned in the provided content. |
| 2026-06-22 | RCE | [News] RCE found in Meccha Chameleon | A critical Remote Code Execution (RCE) vulnerability has been discovered in Meccha Chameleon. This flaw allows attackers to execute arbitrary code on affected systems, posing a significant security risk. Further details regarding the impact and specific exploits are expected to be released. No bounty payout amount was mentioned in the provided content. |
| 2026-06-22 | XSS | Exploiting Auth0 Defaults in XSS Attacks - elttam | This article details how attackers can exploit misconfigurations in Auth0's default settings to execute cross-site scripting (XSS) attacks. The author, elttam, demonstrates techniques that leverage Auth0's default behavior, specifically in how it handles redirect URLs and custom domains, to achieve XSS payloads. The focus is on identifying and exploiting these insecure defaults, highlighting the critical need for proper Auth0 configuration to prevent such vulnerabilities. |
| 2026-06-22 | Recon | Scanning malicious websites with 'infinite' number of VPN tunnels (Part 1) | This article, "Scanning malicious websites with 'infinite' number of VPN tunnels (Part 1)," explores a novel method for analyzing malicious websites. The core idea involves using an "infinite" number of VPN tunnels to conduct comprehensive scans. While the content hints at advanced techniques for website analysis, it does not mention any specific bug bounty payout amounts. |
| 2026-06-22 | AI | Improve MTTR with Wiz’s AI-powered remediation guidance using Microsoft Azure OpenAI service | Wiz now offers AI-powered remediation guidance to help organizations reduce their mean time to remediate (MTTR). This new feature leverages Microsoft Azure OpenAI service to generate actionable steps for security teams. By providing intelligent, AI-driven insights, Wiz aims to streamline the remediation process and enhance overall security posture. |
| 2026-06-22 | Supply Chain | Security Posture Management for GitHub: spotting and fixing risks in your GitHub organization just got a lot easier | Wiz's Security Posture Management (SPM) tool simplifies the process of identifying and resolving security risks within your GitHub organization. It provides enhanced visibility into potential vulnerabilities, enabling teams to proactively address issues and strengthen their overall security posture in their version control systems. |
| 2026-06-22 | RCE | Backdoor in XZ Utils allows RCE: everything you need to know | A critical supply chain compromise, CVE-2024-3094, has been discovered in the XZ Utils data compression library. This vulnerability allows for Remote Code Execution (RCE). Organizations are urged to detect and mitigate this threat by patching their systems immediately. |
| 2026-06-22 | Talks | Top security talks from KubeCon Europe 2024 | KubeCon Europe 2024 featured numerous security-focused talks from Europe's largest open-source community conference. This blog highlights favorite security sessions from the event, all of which are available online. The content focuses on the discussions and learnings shared at the conference regarding Kubernetes security. No specific bug bounty payout amounts were mentioned. |
| 2026-06-22 | Supply Chain | Defense in depth: XZ Utils | The XZ Utils vulnerability presents a critical security risk. This article outlines a "defense in depth" approach, detailing strategies for **assessment** to identify affected systems, **prevention** measures to block exploitation, and **detection** methods to uncover ongoing attacks. The goal is to provide organizations with a comprehensive framework to protect themselves from this sophisticated threat. |
| 2026-06-22 | AI | Wiz Research finds architecture risks that may compromise AI-as-a-Service providers and consequently risk customer data; works with Hugging Face on mitigations | Wiz researchers identified architectural vulnerabilities that could jeopardize AI-as-a-Service providers and expose customer data. Collaborating with Hugging Face, they developed and implemented mitigations to address these risks. The findings highlight potential security weaknesses in AI service infrastructure, emphasizing the importance of ongoing security research and partnerships for robust protection of sensitive information. |
| 2026-06-22 | Supply Chain | Finding the needle in the haystack: effortless SBOM search in your cloud with Wiz | Find out quickly where OS and open-source packages or libraries are deployed in your cloud environments and secure them before potential issues arise. |
| 2026-06-22 | AI | Boosting efficiency with Wiz's AI-driven remediation steps powered by Amazon Bedrock | Wiz introduces AI-remediation steps powered by Amazon Bedrock to empower customers to remediate risks quickly. |
| 2026-06-22 | RCE | CVE-2024-4040 exploited in the wild: everything you need to know | CVE-2024-4040, a critical vulnerability affecting CrushFTP, is actively being exploited. Organizations using CrushFTP are strongly urged to apply patches immediately to mitigate the risk of compromise. The vulnerability's active exploitation highlights the urgency of securing systems against this threat. |
| 2026-06-22 | AI | 4 Advantages of using AI code review | AI code review offers significant advantages, primarily by identifying critical bugs in real-time and providing actionable fix suggestions. This immediate feedback loop accelerates the development process and improves code quality. While the provided content doesn't mention specific payout amounts, it highlights the efficiency and accuracy benefits of AI in code review, suggesting it helps developers resolve issues more effectively and prevent them from reaching production. |
| 2026-06-22 | AI | Nightfall AI and Snyk unite to deliver AI-powered secrets scanning for developers | Snyk and Nightfall AI are collaborating to enhance developer security by integrating AI-powered secrets scanning. This partnership addresses the growing risk of exposed secrets in cloud environments. Snyk, already a provider of comprehensive software supply chain security, will leverage Nightfall AI's capabilities to offer advanced secrets scanning directly within its platform, further protecting developers from sensitive data breaches. |
| 2026-06-22 | Bug Bounty | Snyk Fetch the Flag CTF 2023 writeup: Audiopolis | This content is a write-up for the "Audiopolis" challenge from Snyk's 2023 Fetch the Flag CTF. It aims to guide readers through the solution to this specific challenge. The text does not mention any bug bounty payout amounts. |
| 2026-06-22 | Bug Bounty | Snyk Fetch the Flag CTF 2023 writeup: Silent Cartographer | This content is a write-up for the "Silent Cartographer" challenge from Snyk's 2023 Fetch the Flag CTF. It aims to guide participants through the solution to this specific challenge. The article serves as a walkthrough, providing the steps and reasoning behind solving the puzzle presented in the challenge. No bug bounty payout amount is mentioned. |
| 2026-06-22 | Bug Bounty | Snyk Fetch the Flag CTF 2023 writeup: Protect The Environment | This writeup details the solution to the "Protect The Environment" challenge from Snyk's 2023 Fetch the Flag CTF. It aims to guide participants through the steps required to solve the puzzle. The content focuses on providing the answer and a walkthrough for those who participated in the event. |
| 2026-06-22 | Bug Bounty | Snyk Fetch the Flag CTF 2023 writeup: Honey Baked Messages | This content is a write-up for the "Honey Baked Messages" challenge from Snyk's 2023 Fetch the Flag CTF. It aims to guide participants through the solution of this specific challenge. No bug bounty payout amount is mentioned. |
| 2026-06-22 | Bug Bounty | Snyk Fetch the Flag CTF 2023 writeup: I Do Math | If you were at Snyk’s 2023 Fetch the Flag and are looking for the answer to the I Do Math challenge, you’ve come to the right place. Let’s walk through the solution together! |
| 2026-06-22 | Bug Bounty | Snyk Fetch the Flag CTF 2023 writeup: Off the SETUID | This content is a write-up for the "Off the SETUID" challenge from Snyk's 2023 Fetch the Flag CTF. It aims to guide readers through the solution to this specific challenge. |
| 2026-06-22 | Authentication | Secure password hashing in Go | This content discusses secure password hashing techniques in the Go programming language. It likely covers best practices and recommended libraries for implementing strong password storage, emphasizing the importance of using modern algorithms like bcrypt or Argon2 to prevent common vulnerabilities. The focus is on providing developers with the knowledge to protect user credentials effectively. |
| 2026-06-22 | Python | Code injection in Python: examples and prevention | This content highlights the significant risks of code injection in Python applications. It emphasizes the importance of adopting secure coding conventions to prevent these vulnerabilities. The article likely explores common patterns of code injection and provides practical methods for developers to safeguard their Python code against such attacks. |
| 2026-06-22 | Authentication | Top 3 security best practices for handling JWTs | This blog post outlines three essential security best practices for managing JSON Web Tokens (JWTs). It aims to provide practical guidance with Python examples and demonstrate how Snyk can assist developers in discovering and fixing security weaknesses related to JWT handling within their applications. |
| 2026-06-22 | Authentication | Common SAML vulnerabilities and how to remediate them | This blog post offers a concise overview of common SAML vulnerabilities and provides examples of how to remediate them. It focuses on practical solutions for addressing security weaknesses within SAML implementations. |
| 2026-06-22 | RCE | AutoJack: How a single page can RCE the host running your AI agent | This article, "AutoJack: How a single page can RCE the host running your AI agent," details a critical vulnerability in AutoJack's AI agent. By crafting a malicious single HTML page, an attacker can achieve Remote Code Execution (RCE) on the host system running the AI agent. This exploit highlights a significant security flaw, allowing unauthorized control over the affected infrastructure. The article likely delves into the technical specifics of the exploit and its implications for users of AutoJack. |
| 2026-06-22 | RCE | Android Multiple Vulnerabilities | Bulletin detailing multiple vulnerabilities in Android 17, impacting security patch levels prior to 2026-07-01. Exploits can lead to denial of service, remote code execution, elevation of privilege, and sensitive information disclosure. Specific CVEs include CVE-2022-25836, CVE-2022-25837, CVE-2023-40108, CVE-2023-40132, and several CVEs in the 2025 and 2026 range. Applying vendor-issued fixes is recommended. |
| 2026-06-22 | RCE | Microsoft Edge Multiple Vulnerabilities | Bulletin regarding multiple vulnerabilities in Microsoft Edge, impacting versions prior to 149.0.4022.80. These issues, identified by CVEs such as CVE-2026-12437, CVE-2026-12439, and CVE-2026-12440, can lead to spoofing, remote code execution, denial of service, security restriction bypass, and sensitive information disclosure. Users are advised to update to version 149.0.4022.80 or later. |
| 2026-06-21 | OSINT | The 10 Top OSINT Tools of 2026 | Library for Open Source Intelligence (OSINT) gathering, featuring tools like theHarvester for early-stage reconnaissance, Shodan for identifying internet-connected devices, and Maltego for visual data mining and relationship mapping. OSINT Framework serves as a categorized directory, while ShadowDragon's Horizon platform offers advanced intelligence software for professional investigators. These resources help uncover hidden connections and insights from public sources. |
| 2026-06-21 | Supply Chain | Microsoft Links Mastra AI npm Supply Chain Attack to North Korean Sapphire Sleet Hackers | Microsoft has linked the Mastra AI npm supply chain attack to North Korean hackers, identified as Sapphire Sleet. This group, also known by other aliases, is accused of compromising an npm package to inject malicious code, potentially impacting developers using the Mastra AI tool. The attack highlights the ongoing threat of sophisticated supply chain compromises orchestrated by nation-state actors. |
| 2026-06-21 | RCE | Multiple Vulnerabilities in Firefox 152 Enables Remote Code Execution Attacks | Firefox 152 contains multiple vulnerabilities that allow for remote code execution. These security flaws could enable attackers to compromise user systems by exploiting these weaknesses. The provided link offers more details on these critical vulnerabilities. |
| 2026-06-21 | API Security | WordPress Email Plugin Flaw Triggers 17 Million Attacks: Gravity SMTP Leaks Live API Keys | Library for WordPress email plugins, specifically addressing CVE-2026-4020 in Gravity SMTP, which allowed unauthenticated retrieval of sensitive configuration data including live API keys for services like Amazon SES, Google, Mailjet, Resend, and Zoho. This vulnerability, despite its medium severity rating, led to over 17 million exploit attempts, exposing credentials and site software versions to attackers for potential further exploitation. |
| 2026-06-21 | API Security | Hackers Exploit Klue Integration to Steal Salesforce CRM Data Using OAuth Tokens | Hackers are exploiting a vulnerability in the Klue integration with Salesforce CRM to steal sensitive data. The attackers are leveraging compromised OAuth tokens to gain unauthorized access to Salesforce accounts. This allows them to exfiltrate customer information and other critical business data stored within the CRM. The exploit highlights the risks associated with third-party integrations and the importance of securing OAuth tokens. |
| 2026-06-21 | Supply Chain | npm Supply Chain Attack: North Korea Backdoored 144 AI Packages in 88 Minutes | Library for detecting and mitigating npm supply chain attacks, as demonstrated by North Korea's Sapphire Sleet group. The attack compromised 144 @mastra AI packages by exploiting dormant account permissions and npm's semantic versioning to inject a malicious easy-day-js package with a postinstall hook. This hook deployed a cross-platform RAT to steal LLM API keys, cloud credentials, and cryptocurrency wallets, bypassing traditional CVE-based scanners. Detection and mitigation strategies include behavioral supply-chain monitoring, with tools like Socket and StepSecurity's Harden Runner offering protection. |
| 2026-06-21 | API Security | Hackers Exploit Gravity SMTP WordPress Plugin Vulnerability | Hackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin. The exploit allows them to send emails from compromised websites without the site owner's knowledge, potentially for phishing or spam campaigns. This poses a significant security risk to websites using the affected plugin. Users are advised to update to the latest version to patch this vulnerability and protect their sites. |
| 2026-06-21 | RCE | Active Exploitation of Critical CVE-2026-20253 in Splunk Enterprise: Unauthenticated RCE via PostgreSQL Sidecar Service | Writeup detailing active exploitation of CVE-2026-20253 in Splunk Enterprise, a critical vulnerability allowing unauthenticated remote code execution via the PostgreSQL Sidecar Service. This flaw, cataloged by CISA, enables attackers to create or truncate arbitrary files by abusing backup and restore endpoints, leading to potential system compromise. The article covers exploitation mechanics, including chaining operations to write malicious scripts, and provides example exploit requests, detection indicators, and mitigation steps like upgrading Splunk or disabling the affected service. |
| 2026-06-21 | RCE | Windows Server 2016 Security Update Failures and CVE-2024-49116 RCE Vulnerability: Analysis and Mitigation Strategies | Analysis of CVE-2024-49116, a critical RCE vulnerability in Windows Remote Desktop Services, details use-after-free and race condition flaws exploitable by unauthenticated requests. This entry also addresses Windows Server 2016 update failures leading to domain controller restarts, resolved by KB5091572. Mitigation strategies include applying December 2024 security updates, disabling Remote Desktop Gateway services, restricting network access, and enabling NLA. Affected versions span Windows Server 2016 through 2025. |
| 2026-06-21 | RCE | Active Exploitation Alert: Critical CVE-2026-42945 NGINX Rift Vulnerability in NGINX and F5 Products - Patch Immediately | Writeup of CVE-2026-42945, dubbed "NGINX Rift," a critical heap-based buffer overflow in NGINX and F5 products. This vulnerability, affecting numerous NGINX Open Source and Plus versions, enables unauthenticated remote code execution and denial-of-service via crafted HTTP requests, particularly when using rewrite and set directives. A public PoC exploit exists, and active exploitation is confirmed. Related vulnerabilities include CVE-2026-42946 and CVE-2026-40701. Mitigation involves immediate patching or replacing unnamed PCRE captures with named ones. |
| 2026-06-21 | RCE | Chaining Security Bugs in Discuz! X5.0: from Race Condition to Pre-Auth RCE | Library for chaining vulnerabilities in Discuz! X5.0, demonstrating a pre-authentication RCE attack. The exploit combines a Cross-Context Token Reuse leading to a Race Condition and Authentication Bypass, a custom OCR model for CAPTCHA bypass, and an administrative Local File Inclusion (LFI) vulnerability to achieve full server control. |
| 2026-06-21 | AI | The risk in malicious AI models: Wiz Research discovers critical vulnerability in AI-as-a-Service provider, Replicate | Library detailing a critical vulnerability in Replicate, an AI-as-a-service provider. The vulnerability, discovered by Wiz Research, allowed for remote code execution via a malicious Cog container. This RCE enabled attackers to access a shared Redis instance, then use TCP injection via tools like `rshijack` to bypass authentication and inject Lua scripts. These scripts could modify customer prompts and redirect webhook notifications, potentially leading to cross-tenant data leakage and interference with AI model predictions. |
| 2026-06-21 | AI | Wiz AI-SPM model scanning: Securely innovate with AI community models | Library for scanning hosted AI models, including PyTorch and Tensorflow formats sourced from Hugging Face or elsewhere. This library detects malicious models, such as those using pickle files for arbitrary code execution, and provides visibility into AI pipelines with an AI Bill of Materials (AI-BOM). It addresses supply chain risks associated with open-source models and offers runtime protection against suspicious model behavior. |
| 2026-06-21 | RCE | Critical RCE vulnerability in PHP CGI: everything you need to know | Writeup of CVE-2024-4577, a critical RCE in PHP CGI, details its exploitation by TellYouThePass ransomware via argument injection on Windows systems. The vulnerability, particularly affecting Chinese and Japanese locales, leverages Windows' Best-Fit encoding feature to bypass previous protections. Affected PHP versions include 8.3 before 8.3.8, 8.2 before 8.2.20, and 8.1 before 8.1.29, as well as end-of-life versions. Mitigation involves upgrading PHP, applying temporary rewrite rules, or disabling CGI for XAMPP installations. |
| 2026-06-21 | API Security | Custom runtime rules and runtime response policies: new layers of defense | Library introducing custom runtime rules and runtime response policies for cloud environments. These features enhance defense-in-depth by providing real-time threat detection through flexible rule creation based on process execution, network connections, DNS queries, network listening, and actors. Matches can trigger alerts, update security graphs, or initiate automated response policies, which can block high-certainty threats to mitigate damage and reduce manual effort. |
| 2026-06-21 | AI | GenAI risks to be aware of — and prepare for — according to Gartner® | Report from Gartner identifies four major security risks associated with Generative AI (GenAI) and Large Language Models (LLMs): privacy and data security due to inadequate anonymization and third-party sharing; enhanced attack efficiency through sophisticated "smart malware" and automated attacks; misinformation spread via realistic synthetic content; and fraud and identity risks from deepfakes undermining biometric authentication. The report suggests vendors should integrate GenAI security considerations into product strategies to address these emerging threats and opportunities. |
| 2026-06-21 | RCE | Probllama: Ollama Remote Code Execution Vulnerability (CVE-2024-37032) – Overview and Mitigations | Writeup of CVE-2024-37032, "Probllama," a Remote Code Execution vulnerability in Ollama, the popular open-source AI model deployment tool. The vulnerability stems from insufficient input validation in the `/api/pull` endpoint, allowing path traversal to overwrite arbitrary files. This can be leveraged to achieve arbitrary file reads and ultimately remote code execution, particularly in Docker deployments where the server runs with root privileges. Users are advised to upgrade to Ollama version 0.1.34 or newer. |
| 2026-06-21 | RCE | RCE vulnerability in OpenSSH: everything you need to know | Library detailing CVE-2024-6387, a critical RCE-as-root vulnerability in OpenSSH (sshd) dubbed "regreSSHion." This signal handler race condition affects default configurations on 32-bit glibc-based Linux distributions, potentially leading to heap corruption and arbitrary code execution. Exploitation requires specific environmental conditions, making widespread attacks unlikely but possible against targeted, patient adversaries. Patches are available for affected versions, and organizations should upgrade and restrict internet-facing SSH access. |
| 2026-06-21 | API Security | How Wiz customers are flippin' vulnerabilities this July 4th weekend | Library demonstrating how three companies, Schrödinger, Schibsted, and a financial services firm, achieved zero critical cloud vulnerabilities by leveraging Wiz for enhanced visibility, proactive remediation, and DevSecOps integration. The approach includes using the Wiz Command Line Interface for early detection, integrating with JIRA for issue tracking, centralizing security across multiple brands, and automating security settings via API queries, enabling cross-team collaboration and informed risk prioritization. |
| 2026-06-21 | API Security | Enhance existing security workflows with high-fidelity cloud security data from Wiz in ServiceNow | Library for integrating Wiz's cloud security data into ServiceNow, enhancing existing IT, vulnerability response, compliance, and configuration management workflows. This integration populates ServiceNow Vulnerability Response with enriched vulnerability fields, Container Vulnerability Response with container image context, Configuration Compliance with misconfiguration findings mapped to frameworks, and the CMDB with accurate cloud inventory via a Service Graph Connector. It also generates tickets in ServiceNow ITSM for issue tracking and remediation, enabling teams to prioritize and fix cloud security issues with greater context and efficiency. |
| 2026-06-21 | AI | SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts | Library for auditing SAP AI Core, exposing a vulnerability chain dubbed "SAPwned." This chain allows arbitrary code execution within SAP AI Core pods, bypassing network restrictions via `shareProcessNamespace` and `runAsUser`. Exploitable findings include leaked AWS tokens from Loki, unauthenticated EFS shares with customer AI data, and an unauthenticated Helm server compromising internal Docker registries and Artifactory. The Helm server also provides cluster-admin privileges on the Kubernetes cluster, enabling access to customer secrets, cloud credentials for AWS and Azure, and private AI artifacts. |
| 2026-06-21 | API Security | Your control tower to secure code across GitHub, GitLab, and Azure Repos | Library that unifies code security across GitHub, GitLab, and Azure Repos. It leverages a Security Graph for holistic visibility, detailed ownership mapping, and risk prioritization. Wiz scans code for vulnerabilities, IaC misconfigurations (Terraform, CloudFormation, Kubernetes), secrets, and malware. It also checks VCS configurations against benchmarks like OpenSSF SCM Best Practices and OWASP TOP10 CI/CD. WizCLI integrates with CI/CD pipelines, offering a unified policy engine and consolidated findings for secure code delivery. |
| 2026-06-21 | Bug Bounty | Introducing the Prompt Airlines CTF: Test Your AI Security Skills | Library for testing AI security skills, the Prompt Airlines CTF challenges participants to identify and exploit vulnerabilities in AI systems. The CTF provides a hands-on environment to explore common AI security risks, including those found in large language models and other AI integrations. Success in the CTF demonstrates proficiency in securing AI applications and understanding their unique attack surfaces. |
| 2026-06-21 | AI | Is your team on the *security* naughty or nice list? | Library for application security teams, this guide highlights "nice" practices like conducting AppSec gap analyses, integrating security into CI/CD pipelines, scanning AI-generated code, and prioritizing fixes holistically beyond just CVSS scores. It contrasts these with "naughty" approaches such as ad hoc security measures, assuming AI code is secure, and neglecting asset inventory. The library emphasizes viewing security as an enabler, using the principle of least privilege with LLMs, and leveraging tools like Snyk for AppSec posture management (ASPM). |
| 2026-06-21 | Python | Command injection in Python: examples and prevention | Library for preventing command injection vulnerabilities in Python applications, detailing how unsanitized user input passed to system shells via methods like `os.system()`, `subprocess.run(shell=True)`, dynamic command construction, and `eval()` can lead to exploits. It covers common scenarios, including vulnerabilities found in MLflow and PaddlePaddle, and emphasizes proactive mitigation through rigorous input validation, sanitization, and the use of parameterized queries to keep commands and data separate. |
| 2026-06-21 | Supply Chain | Kroger’s approach to supply chain security | Library integrating a shift-left approach to software supply chain security, utilizing Snyk Code and APIs for proactive vulnerability detection and SBOM generation. Kroger’s implementation emphasizes developer efficiency and risk management, with features that scan pull requests, alert on suspicious package downloads, and automate compliance for PCI DSS 4.0 requirements. The platform supports the company’s efforts in navigating complex technology stacks and addressing open-source dependency risks. |
| 2026-06-21 | RCE | Krampus delivers an end-of-year Struts vulnerability | Analysis of CVE-2023-50164, a critical Struts path traversal vulnerability, with a proof-of-concept exploit. This vulnerability allows attackers to upload files to arbitrary locations within an application's web-served directories, potentially leading to remote code execution. The article details remediation steps, including upgrading Struts to version 2.5.33 or 6.3.0.2 and implementing custom code checks using Snyk's SAST and SCA tools to prevent malicious file uploads and identify vulnerable dependencies. |
| 2026-06-21 | API Security | Build and deploy a Node.js security scanning API to Platformatic Cloud | Library for building a Node.js security scanning API using Platformatic and Fastify. This resource details how to scaffold a Node.js service with Platformatic, integrate the Snyk CLI and API for vulnerability detection, and create a POST endpoint to test npm packages. It emphasizes securing API tokens using environment variables and IDE extensions like the Snyk VS Code extension for secret detection. |
| 2026-06-21 | AI | How to choose a security tool for your AI-generated code | Guide on selecting security tools for AI-generated code, emphasizing real-time IDE analysis powered by Snyk's DeepCode AI, accurate risk management avoiding AI hallucinations through hybrid AI and human oversight, thorough interfile analysis of entire applications, and automated in-platform reporting for compliance. The guide highlights Snyk's approach to secure development workflows for generative AI. |
| 2026-06-21 | Python | Mastering Python virtual environments: A complete guide to venv, Docker, and securing your code | Library for managing Python virtual environments using `venv`, `virtualenv`, and `pipenv`, and securing Dockerized Python applications with Snyk. It details the creation, activation, and usage of isolated Python environments to prevent dependency conflicts, ensuring reproducible development workflows. The library also covers containerizing Python applications with Docker, including Dockerfile creation and execution, and vulnerability scanning with Snyk to enhance application security. |
| 2026-06-21 | XSS | Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195) | Reference detailing CVE-2024-22195, a cross-site scripting vulnerability in Jinja2 versions prior to 3.1.3. The vulnerability arises from the `xmlattr` filter when processing user input with spaces in keys, allowing attackers to inject arbitrary HTML attributes and potentially execute untrusted scripts. Mitigation involves upgrading to Jinja2 3.1.3 and utilizing tools like Snyk for continuous monitoring and detection of vulnerable dependencies in Python projects and Docker containers. |
| 2026-06-21 | AI | 3 tips from Snyk and Dynatrace’s AI security experts | Talk from Snyk and Dynatrace AI experts highlights three key takeaways for secure generative AI adoption. Prioritizing AI governance, involving cross-functional teams for ethics, request ingestion, and communication is crucial. Taking a patient and considered approach to new technologies is advised, with a focus on understanding data flow, explainability, and transparency in AI tools. Finally, balancing AI opportunities with risks in development necessitates rigorous code security practices, including threat management scanning and clear documentation of AI-generated code, to avoid vulnerabilities and data overexposure. |
| 2026-06-21 | Bug Bounty | 7 tips to become a successful bug bounty hunter | Guide offering seven tips for aspiring bug bounty hunters, emphasizing starting with Vulnerability Disclosure Programs (VDPs) to hone skills before engaging in competitive bug bounty programs. It advises finding a niche like XSS, SSRF, or IDOR, committing to continuous learning, maintaining consistency, collaborating within the security community, and automating repetitive tasks. The guide also encourages stepping outside comfort zones and taking necessary breaks to avoid burnout. |
| 2026-06-21 | AI | Snyk & Atlassian: How to embed security in AI-assisted software development | Library that integrates with AI-assisted development to address risks from tools like GitHub Copilot and Amazon CodeWhisperer. It scans AI-generated code in real-time within the IDE, flagging vulnerabilities stemming from bad training data or hallucinations, and provides quick fixes. The library is presented as a method to verify code against known standards, ensuring trust and security are embedded throughout the SDLC, much like safety measures on a construction site. |
| 2026-06-21 | SQLi | Preventing SQL injection attacks in Node.js | Library for Node.js developers detailing SQL injection prevention techniques, including constructing vulnerable Express applications with PostgreSQL to demonstrate how user input manipulation leads to data leaks. It emphasizes using query placeholders and prepared statements with the `pg` library, validating and sanitizing input via `express-validator`, and utilizing tools like `npm audit` and the Snyk IDE extension for identifying known vulnerabilities in dependencies. |
| 2026-06-21 | SSRF | Preventing server-side request forgery in Node.js applications | Guide to preventing server-side request forgery (SSRF) in Node.js applications, detailing how attackers exploit input tampering and URL manipulation to make unintended server requests. It covers basic and blind SSRF types, referencing a significant Amazon breach. Mitigation strategies include using updated libraries, employing firewalls, sanitizing user input, enforcing URL schemas like HTTP/HTTPS, and creating allowlists for trusted domains, exemplified by code adjustments in an Express and Axios application. |
| 2026-06-20 | RCE | Critical Cisco ISE Vulnerability Enables Remote Code Execution Attacks | A critical vulnerability has been discovered in Cisco Identity Services Engine (ISE) that allows for remote code execution. This flaw could enable attackers to compromise systems without user interaction, posing a significant security risk. The vulnerability's nature suggests it could be exploited by malicious actors to gain unauthorized access and control over affected devices. Further details regarding the specific exploit and its impact are available at the provided link. No payout amount was specified. |
| 2026-06-20 | RCE | Critical Firefox 152 Vulnerabilities Enable Remote Code Execution | Critical vulnerabilities in Firefox 152 have been discovered, allowing for remote code execution. These security flaws could enable attackers to compromise user systems by tricking them into visiting a malicious website. Further details about the specific vulnerabilities and potential impacts are available at the provided link. No bug bounty payout amount is mentioned in this content. |
| 2026-06-20 | RCE | Microsoft AutoJack exposes RCE via AI browsing agents | Writeup on AutoJack, a chained exploit affecting pre-release builds of AutoGen Studio (0.4.3.dev1, 0.4.3.dev2). A malicious webpage rendered by a local AI browsing agent bypasses origin checks, exploits missing authentication on Model Context Protocol (MCP) WebSocket endpoints, and leverages unsafe parameter handling to execute arbitrary processes on the host, leading to host-level RCE. The stable version 0.4.2.2 is unaffected, and a fix is available in GitHub main. This vulnerability highlights localhost trust abuse in agentic systems, similar to previous Semantic Kernel RCEs (CVE-2026-26030, CVE-2026-25592) and ChatGPhish. |
| 2026-06-20 | API Security | Mass Exploitation of Gravity SMTP Plugin Exposes Enterprise API Keys Globally | Writeup on the mass exploitation of the Gravity SMTP plugin vulnerability registered as CVE-2026-4020, which leaks enterprise API keys globally. The vulnerability arises from an unauthenticated API endpoint that unconditionally returns "true" for permission checks, allowing attackers to retrieve detailed server configurations including web server versions, document roots, and active extensions. This high-fidelity reconnaissance data, alongside exposed API credentials for services like AWS, Google, Mailjet, and Zoho, facilitates targeted attacks and the weaponization of trusted email supply chains. |
| 2026-06-20 | Supply Chain | Microsoft links Mastra AI supply chain attack to North Korean hackers | Analysis of the Mastra AI supply chain attack, attributed to North Korean threat actor Sapphire Sleet (BlueNoroff), details a compromise of over 140 npm packages. Attackers hijacked an npm maintainer account to publish malicious updates, introducing a typosquatted dependency, "easy-day-js," which acted as a malware dropper. This dropper targeted Windows, Linux, and macOS systems, aiming to steal credentials, API keys, and cryptocurrency wallets, including those from MetaMask, Phantom, and Coinbase Wallet, utilizing tactics previously associated with Sapphire Sleet campaigns. |
| 2026-06-20 | SSRF | Arookiech: For the rest of the month I'll keep learning and focusing on the specific attack syntax till I know every bypass and every method to carry it out. #ssrf #bugbounty Then maybe I'll be able to build my own tool to automate it properly Thank you Jesus again and again | Arookiech is dedicating the rest of the month to mastering SSRF attack syntax, including bypasses and execution methods. Their goal is to gain such proficiency that they can develop their own tool for automating these attacks. This focus is part of their bug bounty efforts. |
| 2026-06-20 | Supply Chain | Supply chain attack hits widely-used AI package risks impacting thousands of companies | Library compromise targeting LiteLLM versions 1.82.7 and 1.82.8 highlights the risks of supply chain attacks. Malicious code within these versions was designed to exfiltrate sensitive data, including cloud credentials and API keys, and maintain persistence. This incident, attributed to a group called TeamPCP, emphasizes the potential for widespread impact, affecting developers, organizations, and downstream users due to LiteLLM's extensive use in AI systems and cloud environments. |
| 2026-06-20 | API Security | JetBrains Plugin Security Alert: 70000 Installs Linked to AI Key Theft | A JetBrains plugin with over 70,000 installations has been identified as a security risk, potentially stealing AI API keys. The plugin's malicious code was designed to exfiltrate sensitive authentication credentials. Users are strongly advised to uninstall the plugin immediately and to change their AI API keys. This incident highlights the importance of careful vetting of third-party software, especially in development environments where sensitive data is handled. No bounty payout amount is mentioned in the provided content. |
| 2026-06-20 | API Security | Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys | Writeup of CVE-2026-4020 in Gravity SMTP, a WordPress plugin that allows unauthenticated attackers to extract API keys and system details via an exposed REST API endpoint. Exploited versions can reveal sensitive data including PHP and web server versions, active plugins, WordPress configuration, and credentials for email integrations like Amazon SES and Google. Attackers leverage this information for further compromise. A patch is available in version 2.1.5. |
| 2026-06-20 | RCE | F5 Patches Critical High-Severity NGINX Vulnerabilities | Library updates from F5 address critical NGINX vulnerabilities, including CVE-2026-42530 and CVE-2026-42055, which could lead to code execution via use-after-free or heap-based buffer overflows. Patches also resolve high-severity flaws like CVE-2026-11311 and CVE-2026-50107 in NGINX Gateway Fabric, enabling authenticated configuration directive injection, sensitive data exposure, and denial-of-service conditions. Medium-severity vulnerabilities allowing memory disclosure and worker process restarts are also fixed. |
| 2026-06-20 | RCE | Use-after-free in the QPACK encoder of nginx HTTP/3 - CVE-2026-42530 | Writeup detailing CVE-2026-42530, a use-after-free vulnerability impacting the QPACK encoder within nginx's HTTP/3 implementation. The analysis provides insights into the specific flaw found in the popular web server software. |
| 2026-06-20 | Authentication | Emerging phishing campaign targeting AWS accounts | Writeup on an emerging phishing campaign targeting AWS accounts, detailing its use of redirect chains via services like squarespace.com and cli.re to reach credential harvesting pages, often visually cloning the legitimate AWS sign-in page. The campaign leverages Amazon SES and CloudFront, with observed attacker-controlled domains including consoleportal[.]tech. It emphasizes securing AWS environments by disabling root logins via SCP, using FIDO security keys for MFA, enforcing SSO, implementing least privilege, and enabling Amazon CloudTrail for logging and impact assessment. |
| 2026-06-20 | AuthZ | Defeating Kubernetes Privilege Escalation: A Cloud Detection & Response Case Study | Case study detailing a real-world attack where adversaries escalated privileges from Kubernetes to AWS control planes. The attack leveraged a newly published RCE CVE on an open-source application running on an EKS pod's EC2 instance, which was misconfigured with internet access. This allowed exploitation to gain access to the EC2 instance IAM role via the Instance Metadata Service (IMDS), highlighting the need for rapid, contextualized cloud detection and response. |
| 2026-06-20 | Authentication | AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console | Writeup on the "Console Conceal" technique, which attackers can use to obfuscate their identity within AWS by manipulating role session names and exploiting a quirk in how AWS Console actions are logged in CloudTrail. This method bypasses standard traceability, making it difficult to attribute actions back to compromised credentials, especially when SourceIdentity is not configured. The analysis details how attackers can assume roles with misleading session names and how security teams can still investigate by correlating actions with the original AssumeRole events. |
| 2026-06-20 | API Security | Avoiding security incidents due to request collapsing | Library for mitigating security incidents caused by request collapsing in web caching, a feature of caching services like Amazon CloudFront that can return sensitive data intended for one user to multiple others. This behavior occurs when multiple identical requests for the same cache key arrive before the first response is returned, leading to delayed requests receiving a response that should not have been cached, even when Cache-Control: no-cache is used. The library suggests using the "CachingDisabled" managed cache policy or setting minimum TTL to 0 and configuring the origin to send Cache-Control: no-cache. |
| 2026-06-20 | Secrets | 5 Node.js security code snippets every backend developer should know | Library offering Node.js security code snippets covering the Permissions Model for restricting resource access, exemplified by preventing command injection in packages like `pdf-image`, and input validation using Fastify JSON schemas to mitigate SSRF and HTTP parameter pollution. It also touches upon secure password hashing with Bcrypt, and integrating tools like the Snyk VS Code extension to detect vulnerable dependencies. |
| 2026-06-20 | AI | Essential AI Tools to Boost Developer Productivity and Security | Library that categorizes AI developer tools, highlighting Security Companions like Snyk Code for real-time analysis of AI-generated and developer-written code. It also details Coding Assistants (GitHub Copilot, Amazon CodeWhisperer), Chatbots/LLMs (ChatGPT, Claude.AI), AI code search (Sourcegraph, Phind), and AI code testing (Codium), emphasizing the need to pair coding assistants with security tools. |
| 2026-06-20 | AI | 5 security best practices for adopting generative AI code assistants like GitHub Copilot | Checklist for safely adopting generative AI code assistants like GitHub Copilot and Amazon CodeWhisperer. This guide emphasizes continuous human validation of AI-generated code, integrating security scanning tools within the IDE, and utilizing Software Composition Analysis (SCA) for third-party dependencies. It also highlights the importance of automating security testing and implementing policies to protect intellectual property from being learned by AI models, referencing incidents like Samsung's ChatGPT ban. |
| 2026-06-20 | Supply Chain | GitHub “besieged” by malware repositories and repo confusion: Why you'll be ok | Library for securing open-source development against threats like malware repositories, repo confusion, typosquatting, and dependency confusion. It emphasizes code vetting, repository authentication, and provides best practices for developers and security teams. Tools like Snyk Advisor and Snyk Learn are mentioned for assessing package health and improving security knowledge. |
| 2026-06-20 | AI | How Snyk ensures safe adoption of AI | Library that uses DeepCode AI, a hybrid approach combining symbolic and machine learning AI, to secure AI-generated code. This technology analyzes code in real-time within the IDE, identifying vulnerabilities like those introduced by tools such as Copilot. It provides accurate results with reduced false positives by incorporating multi-file, interfile, and dataflow analysis, and offers AI-generated fix candidates that are validated for security before recommendation, mitigating risks of license infringement, IP violations, and software vulnerabilities. |
| 2026-06-20 | Supply Chain | Securing your SBOM on Google Cloud | Guidance on securing SBOMs details NSA recommendations for open source software management, secure repository creation, and crisis management. Practices include evaluating OSS, risk assessment, maintaining internal repositories, vulnerability response, and creating validated SBOMs with details on components, versions, and licenses. Snyk integrates with Google Cloud services like CloudBuild, Artifact Registry, and GKE to help users find and fix vulnerabilities, scan containers, and generate enriched SBOMs. |
| 2026-06-20 | Supply Chain | The XZ backdoor CVE-2024-3094 | Analysis of CVE-2024-3094, a critical backdoor in the liblzma library affecting Linux distributions like Debian and Fedora. The exploit, a sophisticated supply chain attack, targeted x86-64 Linux systems using glibc and GCC, aiming to bypass SSH authentication and potentially achieve remote code execution. The vulnerability leverages modified build files and the GNU C Library's IFUNC mechanism to compromise OpenSSH. Detection methods using Snyk CLI for applications and containers are also outlined. |
| 2026-06-20 | AI | Introducing Snyk’s partnership with Gemini Code Assist | Library integrating Snyk's security expertise with Google Gemini's AI coding assistance. This partnership delivers automated fixes and in-line security feedback for AI-generated code within IDEs like Google Cloud Code, providing full application context to identify vulnerabilities early. It leverages DeepCode AI for SAST and aims to accelerate development velocity without compromising security, allowing teams to adopt AI coding assistants confidently. |
| 2026-06-20 | AI | How SAS secures their AI-generated code | Talk from Snyk, moderated by Clinton Herget and featuring Brett Smith and Chris Knackstedt, addresses the security challenges of AI-generated code. The session explores risks such as code quality issues stemming from diverse training data, new attack vectors like prompt injection and library squatting, and AI hallucinations. It emphasizes the importance of developer education regarding AI tool limitations and IP protection, alongside reinforcing traditional security measures like static code analysis (SAST) with tools like Snyk Code to combat the increased velocity of vulnerable code injection. |
| 2026-06-20 | AI | An investigation into code injection vulnerabilities caused by generative AI | Analysis of 4000+ Python repositories reveals code injection vulnerabilities (CWE-94) stemming from generative AI's large language models (LLMs). Issues arise from treating LLM output as trusted, particularly when user input influences prompts (prompt injection) and when LLM responses are passed to insecure functions like Python's `eval()` for parsing expected JSON. This can lead to arbitrary code execution. Recommendations include replacing `eval()` with `json.loads()` and rigorously validating LLM-generated code before execution, ideally within sandboxed environments. |
| 2026-06-20 | Bug Bounty | Hacking in the age of AI: LLMs, agentic CLIs and MCP servers for Bug Bounty hunters | This article explores how AI, specifically Large Language Models (LLMs) and agentic CLIs, are transforming bug bounty hunting. It discusses leveraging AI tools for tasks like vulnerability discovery, code analysis, and exploit generation. The content highlights how LLMs can assist in understanding complex codebases and identifying potential weaknesses, while agentic CLIs can automate repetitive security testing processes. The integration of these AI technologies aims to enhance efficiency and effectiveness for bug bounty hunters in the evolving cybersecurity landscape. |
| 2026-06-20 | Bug Bounty | VulnHub — sunset: dawn \| Full Walkthrough | This VulnHub machine, "sunset: dawn" by @whitecr0wz, is a beginner-to-intermediate Debian GNU/Linux 10 machine. The walkthrough details an attack path starting with SMB enumeration. This leads to discovering a writable share, which is directly mapped to a directory used by a root-owned cron job. This vulnerability allows for uploading a reverse shell. No bug bounty payout amount is mentioned. |
| 2026-06-20 | Bug Bounty | Web-RTA Exam Writeup — Passed \| CyberWarFare Labs | The Web-RTA (Web Red Team Analyst) certification from CyberWarFare Labs is a practical, black-box exam focusing on web application penetration testing. It features two live web applications and requires capturing 16 flags, testing real-world vulnerabilities. The exam is designed for beginner to intermediate skill levels and does not include theoretical or multiple-choice questions. No bug bounty payout amount is mentioned in this content. |
| 2026-06-20 | Bug Bounty | CRTA Exam Writeup — Passed \| CyberWarFare Labs | The CRTA (Certified Red Team Analyst) exam from CyberWarFare Labs is a practical, black-box assessment focused on hands-on red teaming. The certification requires users to compromise machines within a live lab environment and collect flags, with no theoretical questions. Success is determined solely by achieving root access and flag retrieval. |
| 2026-06-20 | OSINT | Phone Numbers and Emails to Hidden Subdomains: The OSINT Acquisition Pipeline That Uncovered a… | A deep technical blog on using phone numbers and email addresses to discover hidden domains,... |
| 2026-06-20 | XSS | “Bug Bounty Bootcamp #48: OAuth + XSS” | This "Bug Bounty Bootcamp #48" article, titled "OAuth + XSS," explores a potent combination of vulnerabilities: OAuth and Cross-Site Scripting (XSS). The content suggests that by leveraging these two, attackers can achieve account takeovers, effectively describing it as an "ultimate account takeover one-two punch." The article is part of a series and can be found on InfoSec Write-ups. No specific bounty payout amount is mentioned. |
| 2026-06-20 | OSINT | BITSCTF 2026 Writeups \| OSINT And Steganography / Forensics Challenges | This summary details solutions for OSINT and Steganography challenges from BITSCTF 2026. Tools like zsteg, cyberchef, reverse image search, strings, and exiftool were employed. One OSINT challenge involved identifying a "major event" in Copenhagen in early 2024, described by unusual geometric structures near a river. The event's difficulty was rated 6.5/10. No bug bounty payout amount was mentioned. |
| 2026-06-20 | IDOR | Breaking Down Two Simple Vulnerabilities That Exposed A School’s Admission Records | Security researchers discovered data-exposure vulnerabilities on a school's website, revealing sensitive admission records containing PII like names, emails, and addresses. The `/print-form.php?app_number=` endpoint was vulnerable to Insecure Direct Object Reference (IDOR), allowing access to records by manipulating application numbers. |
| 2026-06-20 | Secrets | Threat Brief: Mitigating Large-Scale Credential Attacks | Threat brief on "FortiBleed," a large-scale credential attack campaign targeting Fortinet, MSSQL, and Sophos devices, involving password spraying, configuration extraction, and offline cracking. The brief details threat actor techniques, recommends auditing remote access logs, and provides hardening guidelines such as requiring MFA, adopting Zero Trust Architecture, changing default credentials, disabling unused accounts, and updating software. Palo Alto Networks customers can leverage product protections and consulting services to defend against these attacks. |
| 2026-06-20 | RCE | Microsoft Working on Patch for RoguePlanet Zero-Day | Advisory for CVE-2026-50656, a privilege escalation vulnerability in Microsoft Defender's Malware Protection Engine, dubbed "RoguePlanet." Disclosed by researcher Nightmare Eclipse, it exploits a race condition to grant System privileges. A proof-of-concept exploit demonstrates local privilege escalation on Windows 11 and 10, with potential for remote code execution and applicability to Windows Server. This follows other zero-day disclosures by Nightmare Eclipse against Microsoft products, including BlueHammer, RedSun, and UnDefend. |
| 2026-06-20 | API Security | Node.js Fixes 12 Vulnerabilities Including 2 High-Severity Authentication Bypasses | Node.js has released security updates addressing 12 vulnerabilities. Two of these are high-severity authentication bypass flaws. While the specific payout amounts for these vulnerabilities are not mentioned, the fix addresses critical security weaknesses in the Node.js runtime, enhancing its overall security posture. Users are advised to update to the latest versions to protect against these newly resolved issues. |
| 2026-06-19 | SQLi | AI agent framework flaws hit 7000 servers | Flaws in an AI agent framework have affected approximately 7,000 servers, exposing them to potential security risks. The vulnerabilities could allow unauthorized access or control of these AI systems. |
| 2026-06-19 | RCE | Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure | Analysis of CVE-2026-20253, a critical Splunk Enterprise vulnerability allowing unauthenticated attackers to create or truncate arbitrary files via a PostgreSQL sidecar service, highlighting its immediate exploitation in attacks and inclusion in CISA's Known Exploited Vulnerabilities catalog. |
| 2026-06-19 | RCE | Rapid7 Analysis: CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability | Analysis of CVE-2020-12271 details a pre-authentication SQL injection vulnerability affecting Sophos XG Firewalls, which can lead to remote code execution. Exploited in the wild, this zero-day flaw, with a CVSSv3 score of 10, allows attackers to download malware, establish persistence, and exfiltrate credentials. Affected versions include 17.0, 17.1, 17.5, and 18.0. The analysis highlights reverse engineering efforts and ongoing threats even after a patch is available. |
| 2026-06-19 | RCE | Critical Splunk Vulnerability Actively Exploited | Writeup on CVE-2026-20253, a critical unauthenticated file manipulation flaw in Splunk, actively exploited after its June 10 patch release. The vulnerability, affecting Splunk Enterprise, allows attackers to create or truncate arbitrary files by targeting the PostgreSQL sidecar service endpoint without authentication. WatchTowr demonstrated chaining backup and restore APIs to achieve remote code execution, enabling the writing of malicious Python scripts to the Splunk filesystem. CISA has added this flaw to its Known Exploited Vulnerabilities catalog. |
| 2026-06-19 | API Security | API Sprawl | Analysis of API Sprawl discusses the security risks and inefficiencies arising from unmanaged and undocumented APIs. Fueled by factors like decentralized development, microservices architectures, and DevOps practices, API sprawl leads to an expanded attack surface, with instances of shadow and zombie APIs posing significant threats. Organizations like Imperva report having more active APIs than they are aware of, contributing to an average of 10% to 20% more. This proliferation, highlighted by SALT's survey showing 57% of organizations suffering API-related data breaches, underscores the urgent need for robust API management and governance to mitigate security vulnerabilities and costs. |
| 2026-06-19 | XSS | Microsoft's Exchange Server Updates Fix OWA XSS Flaw | Library update for Microsoft Exchange Server addresses CVE-2026-42897, a cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA). This flaw allows remote attackers to execute malicious JavaScript by sending specially crafted emails. Updates are available for Exchange Server Subscription Edition, 2019, and 2016, with support requirements for older versions. Administrators should use the Exchange Health Checker script and install the latest cumulative and security updates. |
| 2026-06-19 | AI | Agentic Security Threats: Prompt Injection Becomes Live Malware | Library for detecting and mitigating agentic security threats, specifically focusing on LLM prompt injection. It details the evolution of promptware into live malware, citing examples like IDPI, Check Point's Skynet sample, EchoLeak (CVE-2025-32711), and ESET's PromptLock. The resource outlines the seven-stage promptware kill chain, highlighting tactics such as indirect injection, runtime abuse, and package compromise. It also covers defensive measures including retrieval boundaries, architectural separation, adversarial training, and enhanced monitoring, along with skill development pathways like the AI Ethical Hacker™ certification. |
| 2026-06-19 | API Security | Node.js Releases Security Updates for 12 Vulnerabilities Two Rated High Severity | Node.js has released security updates addressing 12 vulnerabilities, with two classified as high severity. These updates are crucial for maintaining the security and integrity of applications built with Node.js. Users are strongly advised to apply these patches promptly to mitigate potential risks associated with the identified vulnerabilities. No specific payout amounts were mentioned in the provided content. |
| 2026-06-19 | Supply Chain | VS Code 1.123 Adds Two-Hour Extension Update Delay to Limit Supply Chain Attacks | Library introducing a two-hour delay for VS Code extension auto-updates to mitigate supply chain attacks, following similar cooldown mechanisms in package managers like Pip and npm. While this new protection aims to provide a window for detecting malicious updates, it notably exempts "trusted publishers." Critics suggest the delay is too short, with alternative proposals including sandboxing extensions and staged rollouts. The change offers teams disabling auto-updates more control via policy-based allowlists or internal marketplaces. |
| 2026-06-19 | RCE | AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution | Writeup detailing the AutoJack attack, an exploit chain targeting AutoGen Studio's pre-release versions (0.4.3.dev1 and 0.4.3.dev2). This vulnerability allows a malicious webpage, loaded by an AI browsing agent, to execute arbitrary commands on the host machine. The attack exploits three weaknesses in the Model Context Protocol (MCP) WebSocket: localhost trust, skipped authentication middleware, and unauthenticated command execution. While a plain `pip install autogenstudio` is unaffected, users of pre-releases must pull fixes from GitHub main (commit b047730) as a patched PyPI release is not yet available. This research highlights broader risks in agent frameworks, echoing similar localhost vulnerabilities found in Semantic Kernel (CVE-2026-26030, CVE-2026-25592) and ChatGPhish. |
| 2026-06-19 | RCE | Microsoft warns AI agents are being 'AutoJack'-ed to deliver RCE payloads by browsing untrusted websites | Vulnerability chain called "AutoJack" in AutoGen Studio allows remote code execution (RCE) through malicious websites. Exploiting flaws like localhost channel misuse and skipped login checks, an attacker can trick an AI agent into running arbitrary code supplied by the untrusted website. This attack chain highlights the risks of AI agents browsing external content without strict authentication and isolation of local control planes. |
| 2026-06-19 | GraphQL | CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED) | Writeup of CVE-2021-4191, a GitLab GraphQL API vulnerability, details how remote, unauthenticated attackers could enumerate usernames, names, and email addresses. This information leak, classified as CWE-359, enables attackers to build user lists for brute-force attacks and sophisticated phishing campaigns. The article discusses the vulnerability's introduction in GitLab versions 13.0, outlines exploitation methods via the `/api/graphql` endpoint, and provides a Python script for user enumeration. Mitigation advice includes patching GitLab instances and disabling public profiles. |
| 2026-06-19 | SSRF | Microsoft AntiSSRF Library Blocks Server-Side Request Forgery | Library that validates URLs and network connections for .NET and Node.js applications, mitigating server-side request forgery (SSRF) risks. AntiSSRF acts as a drop-in component, checking untrusted input against policies that can define allowed/denied addresses, block plain-text HTTP, and enforce header requirements, preventing data leakage, service disruption, and remote code execution. |
| 2026-06-19 | API Security | Hackers Breach Klue Integration to Steal Salesforce CRM Data | Hackers exploited a vulnerability in Klue's integration with Salesforce CRM, leading to the theft of customer data. The breach targeted the connection between the two platforms, compromising sensitive information stored within Salesforce. Further details on the exact nature of the exploited vulnerability and the extent of the data stolen are still emerging. This incident highlights the security risks associated with third-party integrations and the critical need for robust security measures in cloud-based CRM systems. |
| 2026-06-19 | RCE | NGINX Vulnerability Patch: F5 Fixes Critical HTTP/3 and HTTP/2 Remote Code Execution Flaws | Patch addressing critical NGINX vulnerabilities CVE-2026-42530 (HTTP/3 use-after-free) and CVE-2026-42055 (HTTP/2 heap buffer overflow). These flaws, with CVSS v4.0 scores of 9.2, allow unauthenticated remote attackers to crash NGINX worker processes and potentially achieve arbitrary code execution, particularly on systems with weakened ASLR. F5 has released fixes for NGINX Open Source, NGINX Plus, and NGINX Gateway Fabric, with temporary mitigations available for those unable to patch immediately. |
| 2026-06-19 | RCE | Cisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities | Writeup on CVE-2026-20181 and CVE-2026-20190 affecting Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). CVE-2026-20181, a critical RCE vulnerability with a CVSS score of 9.1, requires administrative credentials and exploits insufficient input validation, allowing command execution and privilege escalation. CVE-2026-20190, a high-severity information disclosure vulnerability (CVSS 7.5), exploits improper authorization checks, potentially revealing hashed credentials. Both vulnerabilities are addressed by Cisco software updates. |
| 2026-06-19 | Supply Chain | Cybersecurity Firms Impacted by Klue Supply Chain Attack | Writeup of the Klue supply chain attack, detailing how threat actors compromised Klue's backend servers to steal OAuth tokens for customer integrations, impacting cybersecurity firms Huntress and Recorded Future. The attack primarily targeted Salesforce data, exfiltrating CRM information, business contacts, and price quotes. The incident bears similarities to previous attacks on Salesloft, Drift, and Gainsight, and is attributed to the Icarus extortion group. |
| 2026-06-19 | RCE | F5 Patches NGINX Vulnerability Enabling Code Execution and DoS Attacks | F5 has released patches for a critical vulnerability in NGINX that could allow attackers to execute arbitrary code and launch Denial of Service (DoS) attacks. The vulnerability, identified as CVE-2023-40574, affects NGINX versions 1.25.1 and earlier, as well as NGINX Plus R28 and earlier. F5 strongly advises users to update to patched versions immediately to mitigate the risks. No specific bounty payout amount was mentioned in the provided content. |
| 2026-06-19 | RCE | Critical Cisco ISE Vulnerability Allows Attacker to Execute Malicious Code Remotely | Critical Cisco ISE Vulnerability Allows Attacker to Execute Malicious Code Remotely https://ift.tt/2ilx8Qz |
| 2026-06-19 | Recon | CVE-2026-5667: Unauthenticated Remote Control of Mitsubishi MAC-577IF-2E WiFi Adapters via Probe Request Reconnaissance | Library for unauthenticated remote control of Mitsubishi MAC-577IF-2E WiFi Adapters, detailing how probe request reconnaissance leads to unauthorized access. The vulnerability, identified as CVE-2026-5667, allows attackers to discover devices broadcasting specific SSIDs, capture half-handshakes, crack passwords, and then exploit HTTP Basic Auth to control air conditioners and other connected Mitsubishi devices, including changing temperature and power states. |
| 2026-06-19 | AI | Wiz Research Finds Critical NVIDIA AI Vulnerability Affecting Containers Using NVIDIA GPUs, Including Over 35% of Cloud Environments | Library detailing CVE-2024-0132, a critical container-escape vulnerability in the NVIDIA Container Toolkit that allows attackers to gain full host system access. This affects AI applications using GPUs within containers and is particularly concerning for shared compute environments like Kubernetes. Organizations are advised to update the NVIDIA Container Toolkit to version 1.16.2 and the NVIDIA GPU Operator to version 24.6.2 to mitigate this risk. |
| 2026-06-19 | Supply Chain | Supply chain attack on lottie-player: everything you need to know | Library compromise impacting lottie-player versions 2.0.5 through 2.0.7. Malicious code injected via a compromised npm token allowed attackers to serve Web3 wallet connection prompts, aiming to steal cryptocurrency. Organizations like 1inch were affected, with at least one reported loss of 10 Bitcoin. Developers should audit dependencies and update to version 2.0.8 or revert to 2.0.4. |
| 2026-06-19 | AI | Tricks and Treats: Top 3 GenAI Security Best Practices for a Safer Halloween | Analysis of GenAI security risks including data poisoning, model theft, and adversarial attacks. Best practices focus on eliminating shadow AI through an AI Bill of Materials (AI-BOM), safeguarding sensitive data with encryption and DLP policies, and establishing a swift incident response plan. This addresses supply chain attacks in libraries like lottie-player and enhances cloud-native security for serverless containers. |
| 2026-06-19 | AI | Introducing the next generation of AI-powered remediation: Choose your own remediation strategy | Library that uses GenAI and Wiz Research's expertise to generate granular, contextual remediation guidance for cloud security issues, including "toxic combinations." It allows users to select remediation strategies based on risk, cloud context, and business needs, breaking down complex issues into actionable steps. The system accounts for various risk factors like misconfigurations, vulnerabilities, and external exposure, offering tailored advice for patching vulnerabilities, scoping access, removing exposure, and reducing permissions. |
| 2026-06-19 | AuthZ | Data access governance: Who's got the keys to your data kingdom? | Capabilities for data access governance leverage Wiz DSPM and CIEM to discover sensitive data, analyze effective permissions of human and non-human identities, and govern access to critical data across multi-cloud environments, including Snowflake and OpenAI, while identifying and remediating risky identities with access to sensitive information. |
| 2026-06-19 | OSINT | Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond | Reference detailing strategies for identifying phishing domains, with a focus on the 0ktapus threat actor. It categorizes and analyzes various Document Object Model (DOM) templates used by 0ktapus, providing unique characteristics, example domains, and activity periods for each. This resource aids in detecting known and unknown phishing campaigns by offering a framework for analyzing phishing infrastructure, including techniques for pivoting between landing pages and identifying specific phishing kits like EIGHTBAIT. |
| 2026-06-19 | Recon | Making Sense of Kubernetes Initial Access Vectors Part 1 – Control Plane | Library introducing a taxonomy of Kubernetes initial access vectors, focusing on control plane threats like unauthenticated API access, exposed Kubeconfig files, `kubectl proxy`, and misconfigured Kubelet APIs. It details associated risks, including those tied to AKS, EKS, and GKE, and outlines protection and detection strategies. The library also touches on risks from exposed management interfaces like Kubernetes Dashboard and Kubeflow. |
| 2026-06-19 | Recon | Making Sense of Kubernetes Initial Access Vectors Part 2 - Data Plane | Library on Kubernetes data plane initial access vectors, detailing risks from applications, container images, and execution-as-a-service. It covers attack paths through vulnerable pods, abuse of RBAC, and system privilege escalation, referencing vulnerabilities like Leaky Vessels and cross-tenant issues found in services like HuggingFace and Replicate. Recommendations include namespace separation, Pod Security Standards, image signature verification, and user namespaces to mitigate lateral movement and privilege escalation. |
| 2026-06-19 | AI | Introducing new Amazon Q Developer plugin for Wiz | Library extends Amazon Q Developer with a Wiz plugin, bringing Wiz's Cloud-Native Application Protection Platform (CNAPP) capabilities directly into the AWS console. This integration allows AWS developers to query their cloud security posture using natural language, gaining immediate insights into risks such as critical attack paths and the riskiest assets. By democratizing security and reducing operational overhead, the plugin empowers developers to uphold security best practices and prioritize remediation efforts effectively without leaving their familiar AWS environment. |
| 2026-06-19 | AI | The President’s Executive Actions on AI Have a Lot to Say on Cybersecurity | Analysis of the President's Executive Order on AI and NSPM-11, highlighting shifts from static compliance to risk-based vulnerability prioritization. CISA's BOD 26-04 mandates rapid remediation of actively exploited vulnerabilities, replacing older directives like BOD 22-01 and BOD 19-02. This framework emphasizes context-driven assessment and AI-enabled defensive tools for faster detection, investigation, and remediation, influencing federal contracts and private sector partnerships. |
| 2026-06-19 | AI | DevOpsDays Singapore 2024: Unmasking the security pitfalls in AI-generated code | Talk from DevOpsDays Singapore 2024 highlights security challenges in AI-generated code. Tools like Copilot, AWS Code Whisperer, and Gemini can increase development speed but may introduce vulnerabilities such as SQL injection and XSS, or use outdated libraries. An analysis showed 40% of Copilot-generated code had flaws. Live demonstrations illustrated how AI can both introduce and help fix these security issues with proper prompting. Security tools like Snyk, integrating into development environments, are crucial for scanning and remediating these vulnerabilities early in the SDLC. |
| 2026-06-19 | AI | More accurate than GPT-4: How Snyk’s CodeReduce improved the performance of other LLMs | Library that enhances LLM performance for security vulnerability autofixing. It employs proprietary CodeReduce technology, which utilizes program analysis to narrow the LLM's attention to critical code snippets, significantly improving fix generation accuracy and speed. This approach addresses LLM limitations by focusing on curated security fix datasets and contextual code, outperforming existing models like GPT-4 on various vulnerability types including AST, Local, FileWide, SecurityLocal, and SecurityFlow issues. |
| 2026-06-19 | Python | The ultimate guide to creating a secure Python package | Guide to creating secure Python packages. This tutorial details package structure, naming conventions, and configuration using `pyproject.toml`. It covers importing, installing from PyPI and private indexes with TLS recommendations, and specifying dependencies like NumPy. Modern packaging practices using `setuptools` as a build backend are emphasized over older `setup.py` methods. |
| 2026-06-19 | Python | Symmetric vs. asymmetric encryption: Practical Python examples | Library implementing symmetric and asymmetric encryption in Python, demonstrating practical use cases with examples for TLS/SSL, end-to-end messaging, and secure data storage. It covers algorithms like DES, 3DES, and AES, with a focus on envelope encryption for secure key management, using AWS KMS and the AWS Encryption SDK for practical implementation. |
| 2026-06-19 | Python | How to secure Python Flask applications | Library for securing Python Flask applications, addressing common vulnerabilities like XSS, CSRF, and SQL injection. It details insecure configurations such as secret key exposure, enabled debug mode in production, and unprotected sensitive data in configuration files. The guide recommends best practices including using environment variables for credentials, securely generating secret keys with the `uuid` module, and utilizing the Snyk platform for vulnerability detection and mitigation within IDEs and CI pipelines. |
| 2026-06-19 | AuthZ | Preventing broken access control in express Node.js applications | Library detailing broken access control vulnerabilities in Express Node.js applications, covering scenarios like unprotected admin panels, predictable user IDs leading to IDOR, and insecure direct object references. It illustrates how to prevent issues such as vertical privilege escalation and horizontal data exposure, emphasizing the risks of clear text logging and insufficient CSRF protection within Express middleware. |
| 2026-06-19 | AI | 5 tips for adopting AI code assistance securely | Library of security tips for adopting AI code assistants like GitHub Copilot and Amazon CodeWhisperer. It emphasizes integrating human oversight, using separate security tools for scanning AI code, validating third-party dependencies with Software Composition Analysis (SCA), automating security testing within development workflows, and protecting intellectual property by carefully managing AI prompts to prevent data leakage. |
| 2026-06-19 | AI | Secure AI tool adoption: Perceptions and realities | Survey of 459 IT professionals globally, including AppSec, developers, and C-suite, reveals that while organizations feel ready for generative AI coding tools, less than 20% conduct formal POCs. Security fears are the biggest adoption barrier, yet AppSec teams express greater concern about AI code security and insufficient policies compared to management. The report highlights a discrepancy in AI readiness perceptions across roles, with leadership being more optimistic than those directly involved with code. |
| 2026-06-19 | Talks | Securing next-gen development: Lessons from Trust Bank and TASConnect | Talk from Black Hat Asia featuring experts from Trust Bank and TASConnect, discussing strategies for securing next-generation applications. It highlights the challenges posed by complex architectures, AI-generated code (like that from GitHub Copilot and Google Gemini), and multi-cloud deployments. The session emphasizes a proactive, developer-first approach, leveraging tools such as Snyk for immediate feedback and risk prioritization, and tracking key metrics like security training implementation and time to remediate to align security with business goals. |
| 2026-06-19 | AI | The full Snyk AI Security Platform, free for open source maintainers | Platform offering open source maintainers free access to the Snyk AI Security Platform. It focuses on issue prioritization using exploitability, reachability, and asset criticality, alongside automated fix pull requests for vulnerable dependencies via the Snyk Remediation Agent, which uses frontier-model reasoning for validated, merge-ready fixes in Snyk Open Source and Snyk Code. |
| 2026-06-19 | Bug Bounty | I Pentested a Real CRM System and Found 4 Critical Vulnerabilities — Here’s the Full Attack Chain | The author, Shikhali Jamalzade, conducted a pentest on a real CRM system with explicit authorization. They discovered and successfully chained four critical vulnerabilities, demonstrating a complete attack path. Sensitive details were redacted to protect the organization. No specific bounty payout amount is mentioned in this excerpt. |
| 2026-06-19 | Bug Bounty | VulnHub — Shenron: 1 \| Full Walkthrough | This VulnHub machine, "Shenron: 1" by Shubham Mandloi, is an easy to medium difficulty Ubuntu 20.04.1 LTS target. The walkthrough details a penetration test starting with credentials found in an HTML comment. This leads to a Remote Code Execution vulnerability via a malicious extension upload within a misconfigured Joomla CMS. The ultimate goal is achieving full root access on the system. |
| 2026-06-19 | RCE | TryHackMe — Blog CTF \| Full Write-Up | This TryHackMe room, "Blog," is a medium-difficulty CTF focused on a WordPress blog run by "Billy Joel." The challenge features CVE-2019-8942, a WordPress image crop Remote Code Execution vulnerability, alongside a custom binary for privilege escalation. The write-up details the steps to exploit these vulnerabilities to gain access and complete the room. No bounty payout amount is mentioned. |
| 2026-06-19 | Authentication | “Bug Bounty Bootcamp #46: Not Allowed From Your IP?” | This article from InfoSec Write-ups, "Bug Bounty Bootcamp #46: Not Allowed From Your IP?", details advanced techniques for bypassing authentication barriers in bug bounty hunting. The methods discussed include IP spoofing, brute-force attacks, and mass assignment, all aimed at gaining unauthorized access. The focus is on exploiting authentication vulnerabilities to overcome access restrictions. No specific bug bounty payout amount is mentioned in the provided text. |
| 2026-06-19 | Bug Bounty | Building a Hackbot for Bug Bounties — Auth Testing Subagent Setup | If you have been keeping up with the current state of Bug Bounties on X, you probably heard that some hunters are making small fortunes using their own custom-made hackbots to aid them in Bug Bounty H... |
| 2026-06-19 | AuthZ | I almost ordered a product for free. (Business Logic Vulnerability) | Security engineer Sumeet Mahadik discovered a business logic vulnerability that nearly allowed him to order a product for free. While the exact method isn't detailed, the vulnerability presented an opportunity for significant savings. The content is the beginning of a blog post where Mahadik intends to explain his findings. No bounty payout amount is mentioned. |
| 2026-06-19 | OSINT | BEARCAT CTF 2026 WRITEUPS | Flag Format: BCCTF{} #1.RIVER RAIDER (OSINT) For this challenge, we were given a picture of a rogue pirate ship sailing through a river, and we needed to find the name of the bridge right behind it. I... |
| 2026-06-19 | IDOR | Build an IDOR Vulnerability Lab: Why WHERE Clauses Don’t Protect Your API. | Last time we covered SQL injection. I promised IDOR was next. Today you are going to see why a WHERE clause alone will not save you. When you learn about backend APIs feeding your frontend, you are r... |
| 2026-06-19 | IDOR | “Bug Bounty Bootcamp #47: Account Takeover 101 — How to Steal Everyone’s Account (Legally)” | This article, "Bug Bounty Bootcamp #47: Account Takeover 101," explains that hackers don't need advanced skills to achieve account takeovers. Common vulnerabilities like Insecure Direct Object References (IDOR), insecure invite links, or misconfigured "role" fields can be exploited. The piece encourages readers to learn these techniques legally through bug bounty programs. No specific payout amount is mentioned. |
| 2026-06-19 | AI | [tl;dr sec] #333 - Perplexity's Bumblebee, Evading Cloud Logging, AI Vuln Hunting Spec | Library for detecting malware in packages, agent configurations, and browser extensions, alongside techniques for evading cloud logging, and a specification for building custom AI security scanning systems. It details how formal methods are becoming more practical for AI-generated code, and how Microsoft's Agentic Secret Finder reduced false positives in GitHub's AI secret scanning by 75% through context extraction. The entry also covers the discovery of HTTP/2 Bomb, a DoS vulnerability affecting multiple web servers, and methods for disrupting AWS CloudTrail logging and abusing cloud logging services for defense evasion and visibility. |
| 2026-06-19 | AI | Aikido and OWASP bring agentic Code Audit to the global AppSec community | Library offering agentic Code Audit powered by AI reasoning, allowing OWASP individual members 200 free credits for pentester-grade analysis. This new class of static analysis reasons about code intent to find complex vulnerabilities like insecure direct object references (IDORs), broken access controls, multi-step exploit chains, business logic flaws, authentication bypasses, and privilege escalation, going beyond traditional SAST pattern matching. It supports various languages, configurations, infrastructure-as-code, and diverse repository structures like monorepos and mobile apps. |
| 2026-06-19 | Supply Chain | npm v12’s Biggest Security Change: From Implicit to Explicit Trust | Library introducing explicit trust for npm package installations in v12, blocking script execution, Git repositories, and remote URLs by default, requiring explicit approval. This change directly addresses common malware delivery mechanisms exploited in campaigns like Shai-Hulud variants and easy-day-js, which leveraged lifecycle scripts, Git dependencies, and remote URLs to steal credentials and compromise developer environments. |
| 2026-06-19 | Bug Bounty | Shynet \| VERSION 0.13.1 | Library identifying vulnerabilities in Shynet version 0.13.1. Two issues were found: an unauthenticated stored cross-site scripting (XSS) vulnerability (CVE-2026-35508) allowing malicious JavaScript injection into analytics scripts, and an insecure input validation flaw in the password reset feature enabling account takeover via Host header spoofing. |
| 2026-06-18 | Secrets | CISA Credentials Sensitive Data Exposed in GitHub Repository | CISA has announced that sensitive data, including credentials, was exposed in a GitHub repository. The agency is investigating the incident, which was discovered on October 26th. CISA states that this data exposure did not impact their operational systems or compromise their mission-critical functions. Further details regarding the scope and specific nature of the exposed data have not yet been released. |
| 2026-06-18 | Supply Chain | Supply-chain malware is evolving into self-propagating worms | Library catalog entries for Shai-Hulud demonstrate how supply-chain malware has evolved into self-propagating worms that exploit developer workflows. This new class of malware, unlike traditional single-point compromises, automates credential theft, package infection, and republishing across ecosystems like npm, PyPI, and GitHub. This worm-like behavior turns dependency chains into active propagation mechanisms, posing significant risks by extending compromises into CI/CD pipelines and cloud services, necessitating robust security measures such as securing developer environments, tightening credential management, strengthening dependency controls, and improving pipeline visibility. |
| 2026-06-18 | RCE | Multiple Vulnerabilities in Firefox 152 Enables Remote Code Execution Attacks | Multiple vulnerabilities have been discovered in Firefox 152, enabling remote code execution attacks. These security flaws could allow attackers to compromise user systems by tricking them into visiting a malicious website or opening a specially crafted file. Users are strongly advised to update their Firefox browsers to the latest version to patch these critical security holes and protect themselves from potential exploitation. No specific bounty payout amount was mentioned in the provided content. |
| 2026-06-18 | RCE | F5 Releases Emergency Security Update For Critical NGINX Vulnerabilities | F5 has issued an emergency security update to address critical vulnerabilities found in NGINX, a widely used web server. These flaws could potentially allow attackers to gain unauthorized access or disrupt services. The update is crucial for organizations utilizing NGINX to patch their systems and mitigate these risks. Further details on the specific vulnerabilities and the recommended update procedures are available through the provided link. No specific payout amounts were mentioned. |
| 2026-06-18 | RCE | F5 issues out-of-band patches for critical NGINX vulnerabilities | Patches address critical NGINX vulnerabilities, including CVE-2026-42530 (ngx_http_v3_module) and CVE-2026-42055 (ngx_http_proxy_v2_module, ngx_http_grpc_module), allowing unauthenticated attackers remote code execution via use-after-free or heap-based buffer overflow. Mitigation for CVE-2026-42530 involves disabling HTTP/3, and for CVE-2026-42055, removing `ignore_invalid_headers off` and reducing `large_client_header_buffers`. High-severity NGINX Gateway Fabric flaws, CVE-2026-11311 and CVE-2026-50107, enable authenticated attackers to inject NGINX configuration directives. |
| 2026-06-18 | API Security | Hackers Exploit WordPress SMTP Plugin With 100000 Installs to Steal Sensitive Data | Hackers Exploit WordPress SMTP Plugin With 100,000+ Installs to Steal Sensitive Data https://ift.tt/7jPmD58 |
| 2026-06-18 | RCE | F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution | Writeup of CVE-2026-42530 and CVE-2026-42055, two critical NGINX Open Source vulnerabilities patched by F5. CVE-2026-42530, a use-after-free flaw in the HTTP/3 QUIC module, allows remote code execution. CVE-2026-42055, a heap-based buffer overflow in proxy modules, also enables code execution. Both flaws have high CVSS scores and affected various NGINX products, including NGINX Plus and Ingress Controller. Mitigations involve disabling HTTP/3 or adjusting proxy configurations. |
| 2026-06-18 | RCE | F5 Patches NGINX Vulnerability That Enables Code Execution and DoS Attacks | F5 has released a patch for a critical vulnerability in NGINX that could allow attackers to execute code and launch denial-of-service (DoS) attacks. The flaw, identified as CVE-2024-24924, impacts NGINX versions 1.25.0 through 1.25.2 and 1.24.0 through 1.24.3. While specific details on exploitation are limited, the vulnerability arises from improper handling of certain HTTP/2 frames. F5 urges users to update to the patched versions promptly to mitigate these risks. No bug bounty payout amount was specified. |
| 2026-06-18 | Supply Chain | How software development's speed obsession enabled TeamPCP's chaos crusade | Analysis of the TeamPCP threat actor's widespread supply chain attacks, compromising over 1,000 open-source packages, including Trivy. TeamPCP exploits the industry's reliance on trust and AI in development, targeting CI/CD pipelines and third-party dependencies for credential theft from cloud environments like AWS and Azure. Their campaigns highlight a broken trust model and aim for notoriety and chaos rather than solely financial gain. |
| 2026-06-18 | RCE | F5 Patches Critical NGINX Vulnerabilities Enabling Unauthenticated Code Execution | Patches address critical NGINX vulnerabilities CVE-2026-42530 and CVE-2026-42055, both with CVSS 9.2. CVE-2026-42530, a Use-After-Free in `ngx_http_v3_module`, enables remote unauthenticated attackers to cause restarts or arbitrary code execution via crafted HTTP/3 sessions. CVE-2026-42055, a heap-based buffer overflow in `ngx_http_proxy_v2_module` and `ngx_http_grpc_module`, requires specific configurations like disabled header validation for potential code execution. High-severity CVE-2026-11311 and CVE-2026-50107 in NGINX Gateway Fabric also allow authenticated configuration directive injection. |
| 2026-06-18 | RCE | Critical Chrome Vulnerabilities Allow Attackers to Execute Arbitrary Code | Critical Chrome Vulnerabilities Allow Attackers to Execute Arbitrary Code https://ift.tt/sUVMX1G |
| 2026-06-18 | Supply Chain | From package to postinstall payload: Inside the Mastra npm supply chain compromise | Library for analyzing the Mastra npm supply chain compromise, detailing the exploitation of the `ehindero` maintainer account to inject malicious `easy-day-js` package dependencies. This attack leveraged a postinstall hook to disable TLS certificate verification, download a second-stage payload, and execute it as a hidden process. The analysis covers the staged delivery, obfuscated dropper, C2 communication, and Windows-specific techniques like reflective .NET assembly injection and host fingerprinting for persistence and further exploitation. |
| 2026-06-18 | Supply Chain | 141 Mastra npm packages compromised in supply chain attack | 141 Mastra npm packages compromised in supply chain attack https://ift.tt/qH0bhIf |
| 2026-06-18 | Python | Ultralytics AI Library Hacked via GitHub for Cryptomining | Library exploiting GitHub Actions for supply chain attack. Versions 8.3.41 and 8.3.42 of the Ultralytics Python package were compromised, injecting XMRig cryptominer. The attack leveraged a vulnerability in the "Publish Docs" workflow, allowing arbitrary code execution via crafted branch names. This impacted not only Ultralytics but also dependent packages like ComfyUI Impact Pack, highlighting risks in CI/CD pipelines and popular AI libraries. |