1-Click Account Takeover via Open Redirect through Regex Bypass in Domain Validation on 20/06/2026
Khan Academy disclosed a bug submitted by farr: https://hackerone.com/reports/3723458 [...]
InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
ContinuumCon 2026 Redux! on 20/06/2026
Friday Squid Blogging: Victims of Unregulated Squid Fishing on 19/06/2026
Dolphins, sharks, turtles, and human workers are all victims of unregulated squid fishing fleets. Another news article. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Soft Skills for the Job Market: Resume Writing on 19/06/2026
AI didn’t make every attacker a genius on 19/06/2026
Burp Extensibility 2026: Awards, Talks, and Highlights on 19/06/2026
The 2026 Burp Suite Extension Awards Best Recon & Discovery Best Auth & Access Control Best Workflow & Manipulation Best API & Specialist Testing Hidden Gem Most Nominated The talks In [...]
Anthropic’s Fable and the State of AI on 19/06/2026
On June 9th, Anthropic released its Fable generative AI model. Three days later, the US government classified it as a dangerous munition, and used its export-control authority to prohibit any foreign nationals from accessing it. Unable to differentiate between Americans and foreigners, the company shut off access for everyone. The government’s actions won’t help. The problem isn’ [...]
Metrics Cut Through AI Noise on 19/06/2026
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm by BrianKrebs on 18/06/2026
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Isra [...]
HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors on 18/06/2026
Node.js disclosed a bug submitted by pimterry: https://hackerone.com/reports/3658225 [...]
Permission Model Bypass via `process.report.writeReport()` Path Misvalidation on 18/06/2026
Node.js disclosed a bug submitted by suul: https://hackerone.com/reports/3692858 [...]
For a global platform like Just Eat Takeaway.com, security visibility has to scale with the business on 18/06/2026
Reflected XSS in AI Chat Bot Greetings at help.shopify.com via Markdown Image Rendering on 18/06/2026
Shopify disclosed a bug submitted by saltymermaid: https://hackerone.com/reports/2509022 - Bounty: $1600 [...]
Embedding Forbidden Text in Spyware to Discourage AI Analysis on 18/06/2026
At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis. Details: The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content. Because it is inside a comment, it does not affect JavaScript execution. The runtime skips it. The real malware [...]
False Positives Are Still the Bill on 18/06/2026
Entra Agent ID: Inside a cross-tenant agent compromise on 18/06/2026
Continuing our Agent ID series, this post demonstrates how a privileged agent could be compromised through its third-party blueprint. This leads to a cross-tenant incident similar to Midnight Blizzard, since an attacker with control over an agent blueprint can authenticate as any agent associated with that blueprint. [...]
This hacker made $500,000+ hacking google in just a few months. #hacking #bugbounty #cybersecurity on 17/06/2026
Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql on 17/06/2026
HackerOne disclosed a bug submitted by brumbelow: https://hackerone.com/reports/3694007 - Bounty: $7000 [...]
If you’ve ever said, “Sorry, my hands are full,” this is for you 🫵🫵 on 17/06/2026
AI Use by the US Government on 17/06/2026
On 14 April, the Trump administration quietly acknowledged the widespread use of AI to automate government processes. The office of management and budget (OMB) disclosed a staggering 3,611 active or planned use cases for AI across the federal government. The list has ballooned by 70% from the one published in the final year of the Biden administration, and includes many disturbing-seeming plans to [...]
H1 Platform Demo | CTEM at AI Scale on 17/06/2026
Don't Buy AI Security Blind on 17/06/2026
verify-release rebuilds from the tarball under verification, enabling pre-check command execution and false OK for a malicious curl release tarball on 17/06/2026
curl disclosed a bug submitted by argareksapatii: https://hackerone.com/reports/3802645 [...]
Using AI the smart way. Interview with Cristian Zot (CristiVlad25) by Eleanor Barlow on 17/06/2026
Cristian Zot, known by most in the industry as CristiVlad25, is an active security researcher, experienced pentester, and an Intigriti Hacker Ambassador. He is a prominent figure in the ethical hacking community and frequently collaborates with Intigriti through platform meetups, podcast appearances, and educational content. Cristian has featured as a guest expert on Intigriti's live Office Hour [...]
Using AI the smart way. Interview with Cristian Zot (CristiVlad25) by Eleanor Barlow on 17/06/2026
Cristian Zot, known by most in the industry as CristiVlad25, is an active security researcher, experienced pentester, and an Intigriti Hacker Ambassador. He is a prominent figure in the ethical hacking community and frequently collaborates with Intigriti through platform meetups, podcast appearances, and educational content. Cristian has featured as a guest expert on Intigriti's live Office Hour [...]
TCM Security Summer Sale is Here! on 16/06/2026
Vulnerability Report: Buffer Overflow in Path Sanitization on 16/06/2026
curl disclosed a bug submitted by newstuff321: https://hackerone.com/reports/3804525 [...]
Flock Cameras Are Being Used for Stalking on 16/06/2026
There are over a dozen cases around the country where police officers are using the Flock surveillance camera system to obsessively and illegally stalk people. Alternate link. [...]
AI Changed Vulnerability Discovery Fast on 16/06/2026
AI Security's Last Mile Problem with Michael Mckinley on 16/06/2026
Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file on 16/06/2026
Rocket.Chat disclosed a bug submitted by eldudareeno: https://hackerone.com/reports/3611837 [...]
Global expertise, built with EU data needs in mind on 16/06/2026
Malicious Conflux Endpoint Can Leave Stale Global OOO Queue Accounting After Teardown on 16/06/2026
Tor disclosed a bug submitted by aptupdate: https://hackerone.com/reports/3701692 - Bounty: $100 [...]
Mapping out your unknown: A threat hunter’s guide to Salesforce on 16/06/2026
In this post, we walk through different threats to Salesforce and how to detect them. [...]
Unauthenticated reading of every file via livechat auth and predicting MongoDB ObjectId() on 15/06/2026
Rocket.Chat disclosed a bug submitted by aikido_security: https://hackerone.com/reports/3687142 [...]
Reflected Cross-Site Scripting (XSS) found on IBM.com domain on 15/06/2026
IBM disclosed a bug submitted by entrovyx: https://hackerone.com/reports/3664261 [...]
Incomplete Suppression of Transfer-Encoding: chunked Header in HTTP/2 After Redirect From HTTP/1.1 on 15/06/2026
curl disclosed a bug submitted by unknowperson0212: https://hackerone.com/reports/3793495 [...]
Secure cookies leaked to HTTP origins through HTTPS forwarding proxy on 15/06/2026
curl disclosed a bug submitted by daviey: https://hackerone.com/reports/3803415 [...]
How I Made $30,000 Hacking Broken Access Control on 15/06/2026
$30K from one bug class: broken access control. Here's how 3 "lows" chain into account takeover on 15/06/2026
The FCC Wants to Eliminate Burner Phones on 15/06/2026
A proposed FCC rule would kill burner phones: phones whose accounts are not attached to a particular person. The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who [...]
UI Consent Bypass via Comma Injection in `addAutoApproveTarget` User-Approval Dialog and Persistence Layer Disagree on Target Scope, Yielding Authen on 15/06/2026
PortSwigger Web Security disclosed a bug submitted by hacker-kartel: https://hackerone.com/reports/3717354 [...]
Holding blobs for ransom: Four methods for Azure Storage ransomware on 15/06/2026
This post explores four vectors for threat actors to abuse Azure Storage to maliciously encrypt victim blobs, including step-by-step explanations and event codes for detection. [...]
ContinuumCon 2026 - Day 3 on 14/06/2026
Upcoming Speaking Engagements on 14/06/2026
This is a current list of where and when I am scheduled to speak: I’m giving a keynote at Cybernation 2026 in Berlin, Germany, on June 24, 2026. I’m speaking at the Potsdam Conference on National Cybersecurity at the Hasso Plattner Institut in Potsdam, Germany. The event runs June 24–25, 2026, and my talk will be the evening of June 24. I’m participating in a panel discussion at the Austrian Inst [...]
Burp Suite Professional: browser-powered crawl can write attacker-controlled files through file input handling on 14/06/2026
PortSwigger Web Security disclosed a bug submitted by kawakatz: https://hackerone.com/reports/3712279 - Bounty: $5000 [...]
ContinuumCon 2026 - Day 2 on 13/06/2026
Duplicate chunked Transfer-Encoding lets a malicious origin smuggle a response across reused HTTP proxy connections on 13/06/2026
curl disclosed a bug submitted by violet12331: https://hackerone.com/reports/3795615 [...]
ContinuumCon 2026 - Day 1 on 12/06/2026
Friday Squid Blogging: Squid-Inspired Fluid Pump on 12/06/2026
This fluid pump was inspired by the way squids propel themselves through the water. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Bernie Sanders’ AI Sovereign Wealth Fund Plan on 12/06/2026
Let no one accuse Bernie Sanders of ducking the big questions. Writing in the New York Times last week, the senator asked: “Will the future of humanity be determined by a handful of billionaires who have promoted and developed AI, with virtually no democratic input, who stand to become even richer and more powerful than they are today?” We agree entirely that this is one of the most po [...]
Factoring "short-sleeve" RSA keys with polynomials on 12/06/2026
What happens when the bits of an RSA private key are heavily biased toward 0 instead of being randomly generated? The public key’s bits could be biased enough for us to detect these incorrectly generated keys in the wild. Together with Hanno Böck of the badkeys project, we found hundreds of unique keys that not only have this property, but can be quickly factored. We also found the bug that led to [...]
Incomplete Fix for CVE-2026-21637: OCSPRequest and resumeSession Events Crash Node.js TLS Server via Unhandled Synchronous Exceptions on 12/06/2026
Node.js disclosed a bug submitted by shinchan_69: https://hackerone.com/reports/3781015 [...]
Payload Podcast 008 - Ryan Hausknecht on 12/06/2026
Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs` on 11/06/2026
AWS VDP disclosed a bug submitted by inkerton: https://hackerone.com/reports/3558713 [...]
Firecracker Out-of-bounds Read/Write Local Privilege Escalation Vulnerability on 11/06/2026
AWS VDP disclosed a bug submitted by terrynini38514: https://hackerone.com/reports/3738654 [...]
CRLF Injection via Custom HTTP Headers on 11/06/2026
curl disclosed a bug submitted by bugthiru: https://hackerone.com/reports/3741744 [...]
heap-use-after-free in state.referer when CURLOPT_REFERER replaced or cleared after perform on 11/06/2026
curl disclosed a bug submitted by fg0x0: https://hackerone.com/reports/3774279 [...]
RCE + PAT Exfiltration via pull_request_target in privacy-configuration/auto-respond-pr.yml Direct Supply Chain to All DDG Browsers on 11/06/2026
DuckDuckGo disclosed a bug submitted by 6r1ff1n: https://hackerone.com/reports/3619288 [...]
RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml Affects All DuckDuckGo Browsers on 11/06/2026
DuckDuckGo disclosed a bug submitted by 6r1ff1n: https://hackerone.com/reports/3619287 [...]
SSRF via Improper Redirect Validation in Rocket.Chat oEmbed Function on 11/06/2026
Rocket.Chat disclosed a bug submitted by button142857: https://hackerone.com/reports/3383079 [...]
SSRF via improper validation after DNS name resolution in the link-preview feature on 11/06/2026
Rocket.Chat disclosed a bug submitted by button142857: https://hackerone.com/reports/3393664 [...]
Enhanced License Plate Tracking on 11/06/2026
The surveillance company Leonardo wants more data: A surveillance company plans to add sensors to automatic license plate readers (ALPRs) that would mean the devices, as well as capture the license plate of passing vehicles, would also sweep up unique identifiers of mobile phones, wearables, and other Bluetooth-enabled devices in those cars, potentially letting law enforcement identify specific dr [...]
LIVE: 🕵️ CTF Prize Draw | Cybersecurity on 11/06/2026
Securing the uncharted territories of AI systems. A discussion with Leo Racanelli by Eleanor Barlow on 11/06/2026
The intersection of AI and cybersecurity is reshaping how we find, fix, and think about vulnerabilities. Yet for all the headlines, few conversations cut through the noise to ask what AI means for those on the ground: the hunters, the security engineers, and the organizations trying to secure their data. In this blog, we open up that discussion, with insights from Leo Racanelli for an unflinching [...]
Entra Agent ID: The blueprint blast radius on 11/06/2026
Entra Agent ID is an extension of Entra's application model that provides identities for AI agents. Unlike applications, the agent identity model allows linking a single app registration (blueprint) to multiple identities and their associated privileges, increasing the potential blast radius of a compromised agent. [...]
curl-ipv4-percent-normalization-SSRF on 10/06/2026
curl disclosed a bug submitted by monk17: https://hackerone.com/reports/3791168 [...]
Trailing-Dot Hostname in Redirect Silently Strips Client Certificate and Auth Credentials on 10/06/2026
curl disclosed a bug submitted by azraelxuemo: https://hackerone.com/reports/3791191 [...]
curl/libcurl vulnerable to TLS truncation attacks on 10/06/2026
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/1826392 [...]
Who Runs the Ransomware Group ‘The Gentlemen?’ by BrianKrebs on 10/06/2026
A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group. A graphic create [...]
A Record-Breaking Patch Tuesday for June 2026 by BrianKrebs on 09/06/2026
Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company’s monthly Patch Tuesday cycle. Nearly three dozen of those bugs earned Microsoft’s most dire “critical” rating, and exploit code for at least three of the weaknesses is now publicly available. The s [...]
Secrets to PNPT Debrief Success on 09/06/2026
SSH/SFTP connection reuse can bypass SSH key identity after ssh_config_matches removal on 09/06/2026
curl disclosed a bug submitted by byteray_ltd: https://hackerone.com/reports/3788506 [...]
SOCKS5 no-auth accepted despite username/password-only authentication on 09/06/2026
curl disclosed a bug submitted by kalfkinen: https://hackerone.com/reports/3786077 [...]
Action Text ReDoS (Ruby 3.1 or lower) on 09/06/2026
Ruby on Rails disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2389431 [...]
Intigriti named Best Security Company of 2026 at the SC Awards by Eleanor Barlow on 09/06/2026
We are delighted to share that Intigriti has won Best Security Company (under 250 employees), at this year’s SC Awards Europe. What it means to be an SC Award winner For over 25 years, the SC Awards Europe have defined what excellence looks like in cybersecurity, recognizing the organizations, technologies, and leaders shaping the future of the industry. On the 3rd of June 2026, Intigriti met wi [...]
your future awaits hackers on 08/06/2026
Content creations was both a blessing and a curse. #bugbounty on 08/06/2026
This Hacker Made $7,000 Hacking AI With One Email on 08/06/2026
libcurl: HTTP/1.x bare LF byte in response header value enables cookie jar pollution and POST body/credential exfiltration via redirect RC=0, curl 8 on 08/06/2026
curl disclosed a bug submitted by torkd1: https://hackerone.com/reports/3785919 [...]
DNS domain search list followed for extant domain missing A or AAAA records on 08/06/2026
curl disclosed a bug submitted by maxhearnden: https://hackerone.com/reports/3780733 [...]
OpenSSL TLS 1.2 session resumption accepts expired server certificates in libcurl on 07/06/2026
curl disclosed a bug submitted by awofjawofjfawf: https://hackerone.com/reports/3781305 [...]
curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication on 07/06/2026
curl disclosed a bug submitted by fanhua: https://hackerone.com/reports/3749428 [...]
curl External-Controlled Filename in `--url @file` Leads to Arbitrary File Overwrite on 07/06/2026
curl disclosed a bug submitted by alphalaab: https://hackerone.com/reports/3766392 [...]
Valid share tokens allow to access tempory upload files of share owner on 07/06/2026
Nextcloud disclosed a bug submitted by pirikara: https://hackerone.com/reports/3483708 [...]
Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC on 07/06/2026
Nextcloud disclosed a bug submitted by priyanka010: https://hackerone.com/reports/3489490 - Bounty: $2500 [...]
PIN bypass in PassCodeActivity via back button on 07/06/2026
Nextcloud disclosed a bug submitted by alper_ozturk: https://hackerone.com/reports/3625210 [...]
Superbacked helps the right people recover what matters on 06/06/2026
JHT Course Launch! Windows Maldev 6 on 06/06/2026
Why CAPIE[M] is the best API hacking certificate in the API Hacking industry on 06/06/2026
TCM Security CTF Walkthrough on 05/06/2026
GnuTLS OCSP stapling accepts unrelated SingleResponse (no cert-ID binding) on 05/06/2026
curl disclosed a bug submitted by argus-systems: https://hackerone.com/reports/3784125 [...]
CURLOPT_PROXY_CRLFILE / CURLOPT_PROXY_ISSUERCERT / CURLOPT_PROXY_ISSUERCERT_BLOB silently ignored on backends that don't support them on 05/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3717552 [...]
Shared HSTS cache accessed without lock on 05/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3718265 [...]
RTSP Digest auth state leaks across origins on reused libcurl easy handle on 05/06/2026
curl disclosed a bug submitted by hamaowo: https://hackerone.com/reports/3776535 [...]
TFTP upload ignores --continue-at / CURLOPT_RESUME_FROM and leaks skipped local file prefix on 05/06/2026
curl disclosed a bug submitted by bowen111: https://hackerone.com/reports/3776433 [...]
libcurl 8.20.0 ignores HTTP Digest domain protection space and preemptively leaks Digest auth outside the declared scope on 05/06/2026
curl disclosed a bug submitted by skksndk: https://hackerone.com/reports/3774977 [...]
CURLOPT_COOKIE leaked to cross-origin redirect target CURLOPT_UNRESTRICTED_AUTH bypass for the STRING_COOKIE path on 05/06/2026
curl disclosed a bug submitted by azraelxuemo: https://hackerone.com/reports/3766065 [...]