InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports on 29/06/2026
Monero disclosed a bug submitted by kklam32: https://hackerone.com/reports/3547349 [...]
Remote node DOS on 29/06/2026
Monero disclosed a bug submitted by xnbya: https://hackerone.com/reports/876530 [...]
Factoring RSA Keys with Many Zeros on 29/06/2026
Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, [...]
ConsentFix Exposed on 29/06/2026
Robot Police Officers on 29/06/2026
We’ve taken one small step towards robot police officers: a drone capable of disarming a suspect: In a June 22 video posted on the Sacramento County Sheriff’s Office’s Instagram page, an officer wearing goggles can be seen operating a drone to retrieve a knife from an armed suspect hiding inside a cluttered house. “After not responding to negotiators, a drone was deployed inside the re [...]
Reconnaissance for exposure management: why context matters in the AI era by Radu Voloaga on 29/06/2026
Over the last few weeks, we’ve explored what AI is changing in security: discovery is faster (Vulnpocalypse now?), volume is higher (Common AI misconceptions debugged!), and the human layer triage (The AI Impact), judgment, and prioritization has become more important, not less (CEO Insights). But there’s a deeper implication hiding underneath all of that: most security teams still only learn from [...]
UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback on 28/06/2026
curl disclosed a bug submitted by homanp: https://hackerone.com/reports/3824303 [...]
Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080) on 28/06/2026
curl disclosed a bug submitted by stze: https://hackerone.com/reports/3823985 [...]
How to pentest - 101 [CNWPP] deliverables + basic network hacking on 27/06/2026
Exploiting insecure cookie policies by Aurélien on 27/06/2026
Cookies are one of the most fundamental building blocks of the modern web, and yet they are often overlooked from a security perspective. When misconfigured, they can potentially lead to exposure of sensitive session data, enable several client-side attacks, and in severe cases, even allow attackers to impersonate users completely. In this article, we'll explore what cookies are, how they work and [...]
Security debt has a nasty interest rate. on 26/06/2026
The Chinese Control the Majority of Argentina’s Squid Fleet on 26/06/2026
Chinese companies control nearly two-thirds of Argentina’s own squid fleet. [...]
Meta Is Testing Facial Recognition for Police and Military on 26/06/2026
We know that ICE wants to deploy eyeglasses with facial recognition that can identify people in real time. Turns out Meta is prototyping the feature with a Pentagon supplier. (Alternate news story.) [...]
Facebook Phishing Fails on 26/06/2026
Real Folks of Cyber | Pearce Barry | Day in the Life on 26/06/2026
mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0 on 26/06/2026
curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]
CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection on 26/06/2026
curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]
One Million Passports Leaked Online on 26/06/2026
A database of almost a million passports from around the world was leaked online. Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk. [...]
Intigriti Bug Bytes #237 - June 2026 🚀 by Ayoub on 26/06/2026
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month's issue, we are featuring: A 10-year-old pre-auth RCE in phpBB Earning $500K hacking Google with AI Reading any Salesforce Marketing Cloud account's emails New DOMPurify sanitizer bypass Mapping abandoned S3 buckets to redo SolarWinds at scale And so much more! Let's dive in! Using AI the smart way: interview with Cristian [...]
Introducing GuardDog 3.0: A new rules engine, transparent sandboxing, and more on 26/06/2026
Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing. [...]
Getting Started with the TCM Security Academy on 25/06/2026
AI and Liability on 25/06/2026
Earlier this month, a German court ruled that Google is liable for its AI search summaries. Rejecting defenses like “users can check for themselves,” and that they generally know “that information generated with AI should not be blindly trusted,” the court held that the AI’s summaries are reflections of the company and “above all an expression of Google’s [...]
Disable SmartScreen Fast on 25/06/2026
PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting on 25/06/2026
Revive Adserver disclosed a bug submitted by doomtech: https://hackerone.com/reports/3781492 [...]
XMLRPC login leak exposes valid session ID enabling unauthorized API access on 25/06/2026
Revive Adserver disclosed a bug submitted by garuthacktvist: https://hackerone.com/reports/3783738 [...]
Reflected XSS via unsanitised refresh parameter in zone invocation tag on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3780806 [...]
PHP code injection in delivery-limitation `logical` validation bypass on 25/06/2026
Revive Adserver disclosed a bug submitted by riodrwn: https://hackerone.com/reports/3780854 [...]
Stored XSS in maintenance tools via unescaped entity names on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781311 [...]
CSRF in zoneinclude.php allows unauthorized banner and campaign linking on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781691 [...]
Missing ownership validation allows crossmanager trackercampaign linking on 25/06/2026
Revive Adserver disclosed a bug submitted by hakuopi: https://hackerone.com/reports/3780709 [...]
Reflected XSS in statsvideo.php via improperly encoded URL parameters on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3793243 [...]
Interesting Paper Exploring Prompt Injection on 25/06/2026
This is a fascinating explotation of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags. Their conclusion: Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs. We’ve shown that this architecture doesn’t survive [...]
HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent` on 25/06/2026
Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3582376 [...]
Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix) on 25/06/2026
Node.js disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3618831 [...]
Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3688064 [...]
Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656869 [...]
TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections on 25/06/2026
Node.js disclosed a bug submitted by 3d7omb: https://hackerone.com/reports/3649802 [...]
Permission Model bypass via FileHandle.utimes() in the promises API on 25/06/2026
Node.js disclosed a bug submitted by muhammaddaffa: https://hackerone.com/reports/3625987 [...]
Proxy credentials leaked in ERR_PROXY_TUNNEL error message on 25/06/2026
Node.js disclosed a bug submitted by nssys: https://hackerone.com/reports/3720313 [...]
Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames on 25/06/2026
Node.js disclosed a bug submitted by kingsd: https://hackerone.com/reports/3676863 [...]
Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656716 [...]
Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS) on 25/06/2026
Node.js disclosed a bug submitted by erichen: https://hackerone.com/reports/3760016 [...]
The bugs that ruin your weekend aren't on your automated reports. 💀 on 24/06/2026
Where have I gone? on 24/06/2026
Github got Hacked by CATS on 24/06/2026
Embedding Forbidden Text in Spyware to Discourage AI Analysis on 24/06/2026
At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis. Details: The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content. Because it is inside a comment, it does not affect JavaScript execution. The runtime skips it. The real malware [...]
HTTPS proxy connection reuse lets one easy handle inherit another handle's mTLS-authenticated proxy session on 24/06/2026
curl disclosed a bug submitted by zhenyan: https://hackerone.com/reports/3735180 [...]
CVE-2026-11564: Native CA trust persist on 24/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3788984 [...]
CVE-2026-12064: proto-default skips SSH verification on 24/06/2026
curl disclosed a bug submitted by alienowo: https://hackerone.com/reports/3797526 [...]
CVE-2026-11586: WS Auto-PONG memory exhaustion on 24/06/2026
curl disclosed a bug submitted by evergarden1123: https://hackerone.com/reports/3788931 [...]
CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop on 24/06/2026
curl disclosed a bug submitted by vectorqueue: https://hackerone.com/reports/3783438 [...]
CVE-2026-10536: HTTP/2 stream-dependency tree UAF on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751697 [...]
CVE-2026-8924: trailing dot domain super cookie on 24/06/2026
curl disclosed a bug submitted by vegagent: https://hackerone.com/reports/3733905 [...]
CVE-2026-9547: SSH improper host validation on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751712 [...]
CVE-2026-9546: sending old referer on 24/06/2026
curl disclosed a bug submitted by fafawf: https://hackerone.com/reports/3754343 [...]
CVE-2026-9079: stale proxy password leak on 24/06/2026
curl disclosed a bug submitted by keen4n: https://hackerone.com/reports/3750295 [...]
CVE-2026-9080: UAF after pause in socket callback on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3749204 [...]
CVE-2026-8286: wrong STARTTLS connection reuse on 24/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3718195 [...]
CVE-2026-8932: incomplete mTLS config matching in conn reuse on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733910 [...]
CVE-2026-8927: env-set cross-proxy Digest auth state leak on 24/06/2026
curl disclosed a bug submitted by adyej: https://hackerone.com/reports/3744543 [...]
CVE-2026-8925: SASL double-free on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735193 [...]
CVE-2026-8926: password leak with netrc and user in URL on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735184 [...]
CVE-2026-8458: wrong reuse for different services on 24/06/2026
curl disclosed a bug submitted by areksaxyz: https://hackerone.com/reports/3721183 [...]
Insufficient checks in the file path parameter allow writing to unauthorized directories on 24/06/2026
SingleStore disclosed a bug submitted by axolot23: https://hackerone.com/reports/3384615 [...]
CVE-2026-9545: exposing HTTP/3 early data on 24/06/2026
curl disclosed a bug submitted by hahahkim: https://hackerone.com/reports/3752888 [...]
CVE-2026-11856: cross-origin Digest auth state leak on 24/06/2026
curl disclosed a bug submitted by jjchuck: https://hackerone.com/reports/3793260 [...]
Exploiting web cache poisoning vulnerabilities by Ayoub and Rachid Allam on 24/06/2026
Web (or HTTP) caching is a highly adopted practice to effectively optimize web page loading times for clients. However, as with most technologies, when incorrectly implemented, it may open up a new exploitable attack surface for us to look into. In this article, we'll cover what web cache poisoning vulnerabilities are, how they arise, a few effective ways to enumerate such vulnerabilities, and eve [...]
Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond on 24/06/2026
Datadog Security Research investigates a June 2026 adversary-in-the-middle phishing campaign that cloned the AWS console login page to harvest victim credentials and multi-factor authentication codes. [...]
This Dark Web Linux Backdoor Erases Its Own Footprints on 23/06/2026
Scattered Spider Hackers Plead Guilty on Day 1 of Trial by BrianKrebs on 23/06/2026
Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-wee [...]
Taskcluster web-server OAuth2 authorization codes are reusable and the exchange handler checks the wrong expiry column on 23/06/2026
Mozilla disclosed a bug submitted by anshuman_bh: https://hackerone.com/reports/3734676 - Bounty: $2000 [...]
Anthropic’s Fable 5 Model Jailbroken Within Days on 23/06/2026
Fable 5 is the supposed safe version of Anthropic’s Mythos Preview, with guardrails to ensure that it can’t be used to create cyberattacks. Well, that restriction was bypassed within days. [...]
Node --run POSIX positional argument escaping allows shell command injection on 23/06/2026
Node.js disclosed a bug submitted by yottt: https://hackerone.com/reports/3817602 [...]
Introducing Patch the Planet on 22/06/2026
What happens when you clear dozens of Trail of Bits engineers’ schedules, pair them with every open-source maintainer they can contact, and unleash the latest frontier models like GPT-5.5-Cyber on critical open-source targets? Thanks to our partnership with OpenAI and its Daybreak initiative, we can report that the impact is hundreds of discovered bugs, 64 pull requests, and 51 issues filed across [...]
Professional Athletes and Wearables on 22/06/2026
I haven’t thought about the privacy issues surrounding professional athletes and wearables. Wearables present serious privacy issues for “Average Joe” consumers, who are entrusting tech companies to safely store and protect their biometric data. Imagine the stakes for a professional athlete, whose entire livelihood could be affected by a single biometric data point. To give one o [...]
Detecting the Klue supply chain attack in Salesforce instances on 22/06/2026
We summarize the Klue supply chain attack and provide detection guidance for Salesforce environments monitored by Datadog Cloud SIEM. [...]
1-Click Account Takeover via Open Redirect through Regex Bypass in Domain Validation on 20/06/2026
Khan Academy disclosed a bug submitted by farr: https://hackerone.com/reports/3723458 [...]
ContinuumCon 2026 Redux! on 20/06/2026
Soft Skills for the Job Market: Resume Writing on 19/06/2026
AI didn’t make every attacker a genius on 19/06/2026
Burp Extensibility 2026: Awards, Talks, and Highlights on 19/06/2026
The 2026 Burp Suite Extension Awards Best Recon & Discovery Best Auth & Access Control Best Workflow & Manipulation Best API & Specialist Testing Hidden Gem Most Nominated The talks In [...]
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm by BrianKrebs on 18/06/2026
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Isra [...]
HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors on 18/06/2026
Node.js disclosed a bug submitted by pimterry: https://hackerone.com/reports/3658225 [...]
Permission Model Bypass via `process.report.writeReport()` Path Misvalidation on 18/06/2026
Node.js disclosed a bug submitted by suul: https://hackerone.com/reports/3692858 [...]
For a global platform like Just Eat Takeaway.com, security visibility has to scale with the business on 18/06/2026
Reflected XSS in AI Chat Bot Greetings at help.shopify.com via Markdown Image Rendering on 18/06/2026
Shopify disclosed a bug submitted by saltymermaid: https://hackerone.com/reports/2509022 - Bounty: $1600 [...]
Entra Agent ID: Inside a cross-tenant agent compromise on 18/06/2026
Continuing our Agent ID series, this post demonstrates how a privileged agent could be compromised through its third-party blueprint. This leads to a cross-tenant incident similar to Midnight Blizzard, since an attacker with control over an agent blueprint can authenticate as any agent associated with that blueprint. [...]
Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql on 17/06/2026
HackerOne disclosed a bug submitted by brumbelow: https://hackerone.com/reports/3694007 - Bounty: $7000 [...]
If you’ve ever said, “Sorry, my hands are full,” this is for you 🫵🫵 on 17/06/2026
verify-release rebuilds from the tarball under verification, enabling pre-check command execution and false OK for a malicious curl release tarball on 17/06/2026
curl disclosed a bug submitted by argareksapatii: https://hackerone.com/reports/3802645 [...]
Using AI the smart way. Interview with Cristian Zot (CristiVlad25) by Eleanor Barlow on 17/06/2026
Cristian Zot, known by most in the industry as CristiVlad25, is an active security researcher, experienced pentester, and an Intigriti Hacker Ambassador. He is a prominent figure in the ethical hacking community and frequently collaborates with Intigriti through platform meetups, podcast appearances, and educational content. Cristian has featured as a guest expert on Intigriti's live Office Hour [...]
Using AI the smart way. Interview with Cristian Zot (CristiVlad25) by Eleanor Barlow on 17/06/2026
Cristian Zot, known by most in the industry as CristiVlad25, is an active security researcher, experienced pentester, and an Intigriti Hacker Ambassador. He is a prominent figure in the ethical hacking community and frequently collaborates with Intigriti through platform meetups, podcast appearances, and educational content. Cristian has featured as a guest expert on Intigriti's live Office Hour [...]
TCM Security Summer Sale is Here! on 16/06/2026
Vulnerability Report: Buffer Overflow in Path Sanitization on 16/06/2026
curl disclosed a bug submitted by newstuff321: https://hackerone.com/reports/3804525 [...]
Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file on 16/06/2026
Rocket.Chat disclosed a bug submitted by eldudareeno: https://hackerone.com/reports/3611837 [...]
Global expertise, built with EU data needs in mind on 16/06/2026
Malicious Conflux Endpoint Can Leave Stale Global OOO Queue Accounting After Teardown on 16/06/2026
Tor disclosed a bug submitted by aptupdate: https://hackerone.com/reports/3701692 - Bounty: $100 [...]
Mapping out your unknown: A threat hunter’s guide to Salesforce on 16/06/2026
In this post, we walk through different threats to Salesforce and how to detect them. [...]
Unauthenticated reading of every file via livechat auth and predicting MongoDB ObjectId() on 15/06/2026
Rocket.Chat disclosed a bug submitted by aikido_security: https://hackerone.com/reports/3687142 [...]