InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

FBI Seizes NetNut Proxy Platform, Popa Botnet

by BrianKrebs on 02/07/2026

The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botn [...]

Non-Production API Endpoints for the Amazon S3 Tables Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration

on 02/07/2026

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3780277 [...]

We get this question a lot

on 02/07/2026

jitsi-meet: Prosody/Jigasi missing header whitelist in mod_filter_iq_rayo allows arbitrary SIP header injection and Caller ID spoofing

on 02/07/2026

8x8 disclosed a bug submitted by pmgjoe: https://hackerone.com/reports/3789570 - Bounty: $100 [...]

jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze`

on 02/07/2026

8x8 disclosed a bug submitted by r1skr1der: https://hackerone.com/reports/3485343 - Bounty: $100 [...]

Yelp for Business: locked Email field silently editable via API

on 02/07/2026

Yelp disclosed a bug submitted by 0xmanticore: https://hackerone.com/reports/3766455 [...]

Celebrating 1 Million Subscribers on July 8th!

on 02/07/2026

Cybersecurity Mission Creep in the US

on 02/07/2026

Interesting paper: “Cybersecurity Mission Creep.” Abstract: Cybersecurity is experiencing mission creep. Policymakers are casting more and more problems as issues of cybersecurity. So reframed, wildly different policy issues, from misinformation, to child social media safety laws, to antitrust regulations, to alleged journalist misconduct, to anti-sex trafficking statutes become what t [...]

GPT-5.5-Cyber built a zlib fuzzing lab in a day

on 02/07/2026

We’re running Patch the Planet, an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest model [...]

Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission

on 02/07/2026

Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3559522 [...]

[Splatoon 3] Kick other players with NplnLogin message

on 02/07/2026

Nintendo disclosed a bug submitted by alzxk11: https://hackerone.com/reports/3813932 [...]

Exceeding the maximum number of spaces allowed by exploiting a Race Condition in the Workspace creation process

on 01/07/2026

SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3295500 [...]

Insecure Direct Object Reference (IDOR) allows creating folders.

on 01/07/2026

SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353057 [...]

Delete any folder for any user within the organization

on 01/07/2026

SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353035 [...]

Privilege Escalation Access to the Alert Subscribers page for users with low privileges

on 01/07/2026

SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353000 [...]

Improper Input Validation HTTP Response Parser Unconditionally Accepts Bare CR in Status Line

on 01/07/2026

Node.js disclosed a bug submitted by saif-01: https://hackerone.com/reports/3648681 [...]

Beyond Usernames

on 01/07/2026

Papa Johns Surveillance-Based Advertising

on 01/07/2026

Papa Johns is spying on people’s buying activities to predict when they are low on food: The pizza chain recently tapped NBCUniversal, Instacart and the dentsu-owned media agency Carat for help reaching consumers when they’re low on groceries—and thus more likely to be swayed by a mouth-watering ad. The idea is to reach hungry consumers by “knowing what is in their fridge w [...]

Backdoors & Breaches: New scenarios and adaptations

on 01/07/2026

Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches. [...]

Beyond CTF Labs

on 30/06/2026

heap-use-after-free in curl_easy_cleanup() called from callback

on 30/06/2026

curl disclosed a bug submitted by carehi1324: https://hackerone.com/reports/3833577 [...]

The Realities of AI Video Surveillance

on 30/06/2026

The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia. I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. The interesting development in the article is that AI allows people to ask natural language questions abo [...]

setopt(VERIFYPEER) from callback bypasses TLS verify on connection reuse

on 30/06/2026

curl disclosed a bug submitted by a6b30108: https://hackerone.com/reports/3831432 [...]

Shipping post-quantum cryptography to Python

on 30/06/2026

Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency, we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography. On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantu [...]

ssh_config_matches is dead code: unauthorized SSH key reuse

on 30/06/2026

curl disclosed a bug submitted by bigtang: https://hackerone.com/reports/3826843 [...]

CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer

on 30/06/2026

curl disclosed a bug submitted by smaeljaish771: https://hackerone.com/reports/3831345 [...]

libcurl upload read callbacks miss recursive API guard, allowing prohibited multi API reentry and ASAN-confirmed UAF

on 30/06/2026

curl disclosed a bug submitted by th3hound: https://hackerone.com/reports/3832393 [...]

Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint

on 30/06/2026

Discourse disclosed a bug submitted by dpaysm: https://hackerone.com/reports/3400140 - Bounty: $1024 [...]

Annual testing starts to look a little dusty when...

on 29/06/2026

Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports

on 29/06/2026

Monero disclosed a bug submitted by kklam32: https://hackerone.com/reports/3547349 [...]

Remote node DOS

on 29/06/2026

Monero disclosed a bug submitted by xnbya: https://hackerone.com/reports/876530 [...]

Factoring RSA Keys with Many Zeros

on 29/06/2026

Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, [...]

ConsentFix Exposed

on 29/06/2026

Inside H1-813 Live Hacking Event with Salesforce in Tokyo

on 29/06/2026

Robot Police Officers

on 29/06/2026

We’ve taken one small step towards robot police officers: a drone capable of disarming a suspect: In a June 22 video posted on the Sacramento County Sheriff’s Office’s Instagram page, an officer wearing goggles can be seen operating a drone to retrieve a knife from an armed suspect hiding inside a cluttered house. “After not responding to negotiators, a drone was deployed inside the re [...]

Reconnaissance for exposure management: why context matters in the AI era

by Radu Voloaga on 29/06/2026

Over the last few weeks, we’ve explored what AI is changing in security: discovery is faster (Vulnpocalypse now?), volume is higher (Common AI misconceptions debugged!), and the human layer triage (The AI Impact), judgment, and prioritization has become more important, not less (CEO Insights). But there’s a deeper implication hiding underneath all of that: most security teams still only learn from [...]

UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback

on 28/06/2026

curl disclosed a bug submitted by homanp: https://hackerone.com/reports/3824303 [...]

Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080)

on 28/06/2026

curl disclosed a bug submitted by stze: https://hackerone.com/reports/3823985 [...]

How to pentest - 101 [CNWPP] deliverables + basic network hacking

on 27/06/2026

Exploiting insecure cookie policies

by Aurélien on 27/06/2026

Cookies are one of the most fundamental building blocks of the modern web, and yet they are often overlooked from a security perspective. When misconfigured, they can potentially lead to exposure of sensitive session data, enable several client-side attacks, and in severe cases, even allow attackers to impersonate users completely. In this article, we'll explore what cookies are, how they work and [...]

Security debt has a nasty interest rate.

on 26/06/2026

The Chinese Control the Majority of Argentina’s Squid Fleet

on 26/06/2026

Chinese companies control nearly two-thirds of Argentina’s own squid fleet. [...]

Meta Is Testing Facial Recognition for Police and Military

on 26/06/2026

We know that ICE wants to deploy eyeglasses with facial recognition that can identify people in real time. Turns out Meta is prototyping the feature with a Pentagon supplier. (Alternate news story.) [...]

Facebook Phishing Fails

on 26/06/2026

Real Folks of Cyber | Pearce Barry | Day in the Life

on 26/06/2026

mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0

on 26/06/2026

curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]

CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection

on 26/06/2026

curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]

One Million Passports Leaked Online

on 26/06/2026

A database of almost a million passports from around the world was leaked online. Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk. [...]

Intigriti Bug Bytes #237 - June 2026 🚀

by Ayoub on 26/06/2026

Hi hackers, Welcome to the latest edition of Bug Bytes! In this month's issue, we are featuring:

  1. A 10-year-old pre-auth RCE in phpBB
  2. Earning $500K hacking Google with AI
  3. Reading any Salesforce Marketing Cloud account's emails
  4. New DOMPurify sanitizer bypass
  5. Mapping abandoned S3 buckets to redo SolarWinds at scale
  6. And so much more!

Let's dive in! Using AI the smart way: interview with Cristian [...]

Introducing GuardDog 3.0: A new rules engine, transparent sandboxing, and more

on 26/06/2026

Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing. [...]

Getting Started with the TCM Security Academy

on 25/06/2026

AI and Liability

on 25/06/2026

Earlier this month, a German court ruled that Google is liable for its AI search summaries. Rejecting defenses like “users can check for themselves,” and that they generally know “that information generated with AI should not be blindly trusted,” the court held that the AI’s summaries are reflections of the company and “above all an expression of Google’s [...]

Disable SmartScreen Fast

on 25/06/2026

PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting

on 25/06/2026

Revive Adserver disclosed a bug submitted by doomtech: https://hackerone.com/reports/3781492 [...]

XMLRPC login leak exposes valid session ID enabling unauthorized API access

on 25/06/2026

Revive Adserver disclosed a bug submitted by garuthacktvist: https://hackerone.com/reports/3783738 [...]

Reflected XSS via unsanitised refresh parameter in zone invocation tag

on 25/06/2026

Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3780806 [...]

PHP code injection in delivery-limitation `logical` validation bypass

on 25/06/2026

Revive Adserver disclosed a bug submitted by riodrwn: https://hackerone.com/reports/3780854 [...]

Stored XSS in maintenance tools via unescaped entity names

on 25/06/2026

Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781311 [...]

CSRF in zoneinclude.php allows unauthorized banner and campaign linking

on 25/06/2026

Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781691 [...]

Missing ownership validation allows crossmanager trackercampaign linking

on 25/06/2026

Revive Adserver disclosed a bug submitted by hakuopi: https://hackerone.com/reports/3780709 [...]

Reflected XSS in statsvideo.php via improperly encoded URL parameters

on 25/06/2026

Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3793243 [...]

Interesting Paper Exploring Prompt Injection

on 25/06/2026

This is a fascinating exploration of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags. Their conclusion: Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs. We’ve shown that this architecture doesn’t survive [...]

HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`

on 25/06/2026

Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3582376 [...]

Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)

on 25/06/2026

Node.js disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3618831 [...]

Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat

on 25/06/2026

Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3688064 [...]

Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching

on 25/06/2026

Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656869 [...]

TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections

on 25/06/2026

Node.js disclosed a bug submitted by 3d7omb: https://hackerone.com/reports/3649802 [...]

Permission Model bypass via FileHandle.utimes() in the promises API

on 25/06/2026

Node.js disclosed a bug submitted by muhammaddaffa: https://hackerone.com/reports/3625987 [...]

Proxy credentials leaked in ERR_PROXY_TUNNEL error message

on 25/06/2026

Node.js disclosed a bug submitted by nssys: https://hackerone.com/reports/3720313 [...]

Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames

on 25/06/2026

Node.js disclosed a bug submitted by kingsd: https://hackerone.com/reports/3676863 [...]

Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings

on 25/06/2026

Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656716 [...]

Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS)

on 25/06/2026

Node.js disclosed a bug submitted by erichen: https://hackerone.com/reports/3760016 [...]

The bugs that ruin your weekend aren't on your automated reports. 💀

on 24/06/2026

Where have I gone?

on 24/06/2026

Github got Hacked by CATS

on 24/06/2026

HTTPS proxy connection reuse lets one easy handle inherit another handle's mTLS-authenticated proxy session

on 24/06/2026

curl disclosed a bug submitted by zhenyan: https://hackerone.com/reports/3735180 [...]

CVE-2026-11564: Native CA trust persist

on 24/06/2026

curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3788984 [...]

CVE-2026-12064: proto-default skips SSH verification

on 24/06/2026

curl disclosed a bug submitted by alienowo: https://hackerone.com/reports/3797526 [...]

CVE-2026-11586: WS Auto-PONG memory exhaustion

on 24/06/2026

curl disclosed a bug submitted by evergarden1123: https://hackerone.com/reports/3788931 [...]

CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop

on 24/06/2026

curl disclosed a bug submitted by vectorqueue: https://hackerone.com/reports/3783438 [...]

CVE-2026-10536: HTTP/2 stream-dependency tree UAF

on 24/06/2026

curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751697 [...]

CVE-2026-8924: trailing dot domain super cookie

on 24/06/2026

curl disclosed a bug submitted by vegagent: https://hackerone.com/reports/3733905 [...]

CVE-2026-9547: SSH improper host validation

on 24/06/2026

curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751712 [...]

CVE-2026-9546: sending old referer

on 24/06/2026

curl disclosed a bug submitted by fafawf: https://hackerone.com/reports/3754343 [...]

CVE-2026-9079: stale proxy password leak

on 24/06/2026

curl disclosed a bug submitted by keen4n: https://hackerone.com/reports/3750295 [...]

CVE-2026-9080: UAF after pause in socket callback

on 24/06/2026

curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3749204 [...]

CVE-2026-8286: wrong STARTTLS connection reuse

on 24/06/2026

curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3718195 [...]

CVE-2026-8932: incomplete mTLS config matching in conn reuse

on 24/06/2026

curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733910 [...]

CVE-2026-8927: env-set cross-proxy Digest auth state leak

on 24/06/2026

curl disclosed a bug submitted by adyej: https://hackerone.com/reports/3744543 [...]

CVE-2026-8925: SASL double-free

on 24/06/2026

curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735193 [...]

CVE-2026-8926: password leak with netrc and user in URL

on 24/06/2026

curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735184 [...]

CVE-2026-8458: wrong reuse for different services

on 24/06/2026

curl disclosed a bug submitted by areksaxyz: https://hackerone.com/reports/3721183 [...]

Insufficient checks in the file path parameter allow writing to unauthorized directories

on 24/06/2026

SingleStore disclosed a bug submitted by axolot23: https://hackerone.com/reports/3384615 [...]

CVE-2026-9545: exposing HTTP/3 early data

on 24/06/2026

curl disclosed a bug submitted by hahahkim: https://hackerone.com/reports/3752888 [...]

CVE-2026-11856: cross-origin Digest auth state leak

on 24/06/2026

curl disclosed a bug submitted by jjchuck: https://hackerone.com/reports/3793260 [...]

Exploiting web cache poisoning vulnerabilities

by Ayoub and Rachid Allam on 24/06/2026

Web (or HTTP) caching is a highly adopted practice to effectively optimize web page loading times for clients. However, as with most technologies, when incorrectly implemented, it may open up a new exploitable attack surface for us to look into. In this article, we'll cover what web cache poisoning vulnerabilities are, how they arise, a few effective ways to enumerate such vulnerabilities, and eve [...]

Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond

on 24/06/2026

Datadog Security Research investigates a June 2026 adversary-in-the-middle phishing campaign that cloned the AWS console login page to harvest victim credentials and multi-factor authentication codes. [...]

Closing the Discovery-Remediation Gap | CTEM in Practice

on 23/06/2026

This Dark Web Linux Backdoor Erases Its Own Footprints

on 23/06/2026

Scattered Spider Hackers Plead Guilty on Day 1 of Trial

by BrianKrebs on 23/06/2026

Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-wee [...]

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Schneier on Security
  4. Krebs on Security
  5. Google Online Security Blog
  6. $BLOG_TITLE
  7. Agarri : Sécurité informatique offensive
  8. Alex Chapman's Blog
  9. www.alphabot.com
  10. ziot
  11. Bug Bounty Reports Explained
  12. Bugcrowd
  13. cat ~/footstep.ninja/blog.txt
  14. Ezequiel Pereira
  15. HackerOne
  16. surajdisoja.me
  17. InsiderPhD
  18. Intigriti
  19. John Hammond
  20. LiveOverflow
  21. NahamSec
  22. PortSwigger Blog
  23. Rana Khalil
  24. Richard’s Infosec blog
  25. Ron Chan
  26. ropnop blog
  27. STÖK
  28. Sun Knudsen
  29. The Cyber Mentor
  30. The unofficial HackerOne disclosure timeline
  31. The XSS Rat
  32. TomNomNom
  33. Wallarm