InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
FBI Seizes NetNut Proxy Platform, Popa Botnet
by BrianKrebs on 02/07/2026
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botn [...]
See full content
Non-Production API Endpoints for the Amazon S3 Tables Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration
on 02/07/2026
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3780277 [...]
See full content
We get this question a lot
on 02/07/2026
See full content
jitsi-meet: Prosody/Jigasi missing header whitelist in mod_filter_iq_rayo allows arbitrary SIP header injection and Caller ID spoofing
on 02/07/2026
8x8 disclosed a bug submitted by pmgjoe: https://hackerone.com/reports/3789570 - Bounty: $100 [...]
See full content
jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze`
on 02/07/2026
8x8 disclosed a bug submitted by r1skr1der: https://hackerone.com/reports/3485343 - Bounty: $100 [...]
See full content
Yelp for Business: locked Email field silently editable via API
on 02/07/2026
Yelp disclosed a bug submitted by 0xmanticore: https://hackerone.com/reports/3766455 [...]
See full content
Celebrating 1 Million Subscribers on July 8th!
on 02/07/2026
See full content
Cybersecurity Mission Creep in the US
on 02/07/2026
Interesting paper: “Cybersecurity Mission Creep.”
Abstract: Cybersecurity is experiencing mission creep. Policymakers are casting more and more problems as issues of cybersecurity. So reframed, wildly different policy issues, from misinformation, to child social media safety laws, to antitrust regulations, to alleged journalist misconduct, to anti-sex trafficking statutes become what t [...]
See full content
GPT-5.5-Cyber built a zlib fuzzing lab in a day
on 02/07/2026
We’re running Patch the Planet, an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest model [...]
See full content
Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission
on 02/07/2026
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3559522 [...]
See full content
[Splatoon 3] Kick other players with NplnLogin message
on 02/07/2026
Nintendo disclosed a bug submitted by alzxk11: https://hackerone.com/reports/3813932 [...]
See full content
Exceeding the maximum number of spaces allowed by exploiting a Race Condition in the Workspace creation process
on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3295500 [...]
See full content
Insecure Direct Object Reference (IDOR) allows creating folders.
on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353057 [...]
See full content
Delete any folder for any user within the organization
on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353035 [...]
See full content
Privilege Escalation Access to the Alert Subscribers page for users with low privileges
on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353000 [...]
See full content
Improper Input Validation HTTP Response Parser Unconditionally Accepts Bare CR in Status Line
on 01/07/2026
Node.js disclosed a bug submitted by saif-01: https://hackerone.com/reports/3648681 [...]
See full content
Beyond Usernames
on 01/07/2026
See full content
Papa Johns Surveillance-Based Advertising
on 01/07/2026
Papa Johns is spying on people’s buying activities to predict when they are low on food:
The pizza chain recently tapped NBCUniversal, Instacart and the dentsu-owned media agency Carat for help reaching consumers when they’re low on groceries—and thus more likely to be swayed by a mouth-watering ad. The idea is to reach hungry consumers by “knowing what is in their fridge w [...]
See full content
Backdoors & Breaches: New scenarios and adaptations
on 01/07/2026
Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches. [...]
See full content
Beyond CTF Labs
on 30/06/2026
See full content
heap-use-after-free in curl_easy_cleanup() called from callback
on 30/06/2026
curl disclosed a bug submitted by carehi1324: https://hackerone.com/reports/3833577 [...]
See full content
The Realities of AI Video Surveillance
on 30/06/2026
The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia.
I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. The interesting development in the article is that AI allows people to ask natural language questions abo [...]
See full content
setopt(VERIFYPEER) from callback bypasses TLS verify on connection reuse
on 30/06/2026
curl disclosed a bug submitted by a6b30108: https://hackerone.com/reports/3831432 [...]
See full content
Shipping post-quantum cryptography to Python
on 30/06/2026
Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency, we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography.
On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantu [...]
See full content
ssh_config_matches is dead code: unauthorized SSH key reuse
on 30/06/2026
curl disclosed a bug submitted by bigtang: https://hackerone.com/reports/3826843 [...]
See full content
CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer
on 30/06/2026
curl disclosed a bug submitted by smaeljaish771: https://hackerone.com/reports/3831345 [...]
See full content
libcurl upload read callbacks miss recursive API guard, allowing prohibited multi API reentry and ASAN-confirmed UAF
on 30/06/2026
curl disclosed a bug submitted by th3hound: https://hackerone.com/reports/3832393 [...]
See full content
Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint
on 30/06/2026
Discourse disclosed a bug submitted by dpaysm: https://hackerone.com/reports/3400140 - Bounty: $1024 [...]
See full content
Annual testing starts to look a little dusty when...
on 29/06/2026
See full content
Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports
on 29/06/2026
Monero disclosed a bug submitted by kklam32: https://hackerone.com/reports/3547349 [...]
See full content
Remote node DOS
on 29/06/2026
Monero disclosed a bug submitted by xnbya: https://hackerone.com/reports/876530 [...]
See full content
Factoring RSA Keys with Many Zeros
on 29/06/2026
Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild.
The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, [...]
See full content
ConsentFix Exposed
on 29/06/2026
See full content
Inside H1-813 Live Hacking Event with Salesforce in Tokyo
on 29/06/2026
See full content
Robot Police Officers
on 29/06/2026
We’ve taken one small step towards robot police officers: a drone capable of disarming a suspect:
In a June 22 video posted on the Sacramento County Sheriff’s Office’s Instagram page, an officer wearing goggles can be seen operating a drone to retrieve a knife from an armed suspect hiding inside a cluttered house. “After not responding to negotiators, a drone was deployed inside the re [...]
See full content
Reconnaissance for exposure management: why context matters in the AI era
by Radu Voloaga on 29/06/2026
Over the last few weeks, we’ve explored what AI is changing in security: discovery is faster (Vulnpocalypse now?), volume is higher (Common AI misconceptions debugged!), and the human layer of triage (The AI Impact), judgment, and prioritization has become more important, not less (CEO Insights). But there’s a deeper implication hiding underneath all of that: most security teams still only learn from [...]
See full content
UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback
on 28/06/2026
curl disclosed a bug submitted by homanp: https://hackerone.com/reports/3824303 [...]
See full content
Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080)
on 28/06/2026
curl disclosed a bug submitted by stze: https://hackerone.com/reports/3823985 [...]
See full content
How to pentest - 101 [CNWPP] deliverables + basic network hacking
on 27/06/2026
See full content
Exploiting insecure cookie policies
by Aurélien on 27/06/2026
Cookies are one of the most fundamental building blocks of the modern web, and yet they are often overlooked from a security perspective. When misconfigured, they can potentially lead to exposure of sensitive session data, enable several client-side attacks, and in severe cases, even allow attackers to impersonate users completely.
In this article, we'll explore what cookies are, how they work and [...]
See full content
Security debt has a nasty interest rate.
on 26/06/2026
See full content
The Chinese Control the Majority of Argentina’s Squid Fleet
on 26/06/2026
Chinese companies control nearly two-thirds of Argentina’s own squid fleet.
[...]
See full content
Meta Is Testing Facial Recognition for Police and Military
on 26/06/2026
We know that ICE wants to deploy eyeglasses with facial recognition that can identify people in real time.
Turns out Meta is prototyping the feature with a Pentagon supplier. (Alternate news story.)
[...]
See full content
Facebook Phishing Fails
on 26/06/2026
See full content
Real Folks of Cyber | Pearce Barry | Day in the Life
on 26/06/2026
See full content
mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0
on 26/06/2026
curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]
See full content
CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection
on 26/06/2026
curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]
See full content
One Million Passports Leaked Online
on 26/06/2026
A database of almost a million passports from around the world was leaked online.
Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.
[...]
See full content
Intigriti Bug Bytes #237 - June 2026 🚀
by Ayoub on 26/06/2026
Hi hackers,
Welcome to the latest edition of Bug Bytes! In this month's issue, we are featuring:
A 10-year-old pre-auth RCE in phpBB
Earning $500K hacking Google with AI
Reading any Salesforce Marketing Cloud account's emails
New DOMPurify sanitizer bypass
Mapping abandoned S3 buckets to redo SolarWinds at scale
And so much more! Let's dive in!
Using AI the smart way: interview with Cristian [...]
See full content
Introducing GuardDog 3.0: A new rules engine, transparent sandboxing, and more
on 26/06/2026
Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing. [...]
See full content
Getting Started with the TCM Security Academy
on 25/06/2026
See full content
AI and Liability
on 25/06/2026
Earlier this month, a German court ruled that Google is liable for its AI search summaries. Rejecting defenses like “users can check for themselves,” and that they generally know “that information generated with AI should not be blindly trusted,” the court held that the AI’s summaries are reflections of the company and “above all an expression of Google’s [...]
See full content
Disable SmartScreen Fast
on 25/06/2026
See full content
PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting
on 25/06/2026
Revive Adserver disclosed a bug submitted by doomtech: https://hackerone.com/reports/3781492 [...]
See full content
XMLRPC login leak exposes valid session ID enabling unauthorized API access
on 25/06/2026
Revive Adserver disclosed a bug submitted by garuthacktvist: https://hackerone.com/reports/3783738 [...]
See full content
Reflected XSS via unsanitised refresh parameter in zone invocation tag
on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3780806 [...]
See full content
PHP code injection in delivery-limitation `logical` validation bypass
on 25/06/2026
Revive Adserver disclosed a bug submitted by riodrwn: https://hackerone.com/reports/3780854 [...]
See full content
Stored XSS in maintenance tools via unescaped entity names
on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781311 [...]
See full content
CSRF in zoneinclude.php allows unauthorized banner and campaign linking
on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781691 [...]
See full content
Missing ownership validation allows cross-manager tracker-campaign linking
on 25/06/2026
Revive Adserver disclosed a bug submitted by hakuopi: https://hackerone.com/reports/3780709 [...]
See full content
Reflected XSS in statsvideo.php via improperly encoded URL parameters
on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3793243 [...]
See full content
Interesting Paper Exploring Prompt Injection
on 25/06/2026
This is a fascinating exploration of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags.
Their conclusion:
Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs. We’ve shown that this architecture doesn’t survive [...]
See full content
HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`
on 25/06/2026
Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3582376 [...]
See full content
Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)
on 25/06/2026
Node.js disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3618831 [...]
See full content
Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat
on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3688064 [...]
See full content
Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching
on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656869 [...]
See full content
TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections
on 25/06/2026
Node.js disclosed a bug submitted by 3d7omb: https://hackerone.com/reports/3649802 [...]
See full content
Permission Model bypass via FileHandle.utimes() in the promises API
on 25/06/2026
Node.js disclosed a bug submitted by muhammaddaffa: https://hackerone.com/reports/3625987 [...]
See full content
Proxy credentials leaked in ERR_PROXY_TUNNEL error message
on 25/06/2026
Node.js disclosed a bug submitted by nssys: https://hackerone.com/reports/3720313 [...]
See full content
Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames
on 25/06/2026
Node.js disclosed a bug submitted by kingsd: https://hackerone.com/reports/3676863 [...]
See full content
Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings
on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656716 [...]
See full content
Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS)
on 25/06/2026
Node.js disclosed a bug submitted by erichen: https://hackerone.com/reports/3760016 [...]
See full content
The bugs that ruin your weekend aren't on your automated reports. 💀
on 24/06/2026
See full content
Where have I gone?
on 24/06/2026
See full content
Github got Hacked by CATS
on 24/06/2026
See full content
HTTPS proxy connection reuse lets one easy handle inherit another handle's mTLS-authenticated proxy session
on 24/06/2026
curl disclosed a bug submitted by zhenyan: https://hackerone.com/reports/3735180 [...]
See full content
CVE-2026-11564: Native CA trust persist
on 24/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3788984 [...]
See full content
CVE-2026-12064: proto-default skips SSH verification
on 24/06/2026
curl disclosed a bug submitted by alienowo: https://hackerone.com/reports/3797526 [...]
See full content
CVE-2026-11586: WS Auto-PONG memory exhaustion
on 24/06/2026
curl disclosed a bug submitted by evergarden1123: https://hackerone.com/reports/3788931 [...]
See full content
CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop
on 24/06/2026
curl disclosed a bug submitted by vectorqueue: https://hackerone.com/reports/3783438 [...]
See full content
CVE-2026-10536: HTTP/2 stream-dependency tree UAF
on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751697 [...]
See full content
CVE-2026-8924: trailing dot domain super cookie
on 24/06/2026
curl disclosed a bug submitted by vegagent: https://hackerone.com/reports/3733905 [...]
See full content
CVE-2026-9547: SSH improper host validation
on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751712 [...]
See full content
CVE-2026-9546: sending old referer
on 24/06/2026
curl disclosed a bug submitted by fafawf: https://hackerone.com/reports/3754343 [...]
See full content
CVE-2026-9079: stale proxy password leak
on 24/06/2026
curl disclosed a bug submitted by keen4n: https://hackerone.com/reports/3750295 [...]
See full content
CVE-2026-9080: UAF after pause in socket callback
on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3749204 [...]
See full content
CVE-2026-8286: wrong STARTTLS connection reuse
on 24/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3718195 [...]
See full content
CVE-2026-8932: incomplete mTLS config matching in conn reuse
on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733910 [...]
See full content
CVE-2026-8927: env-set cross-proxy Digest auth state leak
on 24/06/2026
curl disclosed a bug submitted by adyej: https://hackerone.com/reports/3744543 [...]
See full content
CVE-2026-8925: SASL double-free
on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735193 [...]
See full content
CVE-2026-8926: password leak with netrc and user in URL
on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735184 [...]
See full content
CVE-2026-8458: wrong reuse for different services
on 24/06/2026
curl disclosed a bug submitted by areksaxyz: https://hackerone.com/reports/3721183 [...]
See full content
Insufficient checks in the file path parameter allow writing to unauthorized directories
on 24/06/2026
SingleStore disclosed a bug submitted by axolot23: https://hackerone.com/reports/3384615 [...]
See full content
CVE-2026-9545: exposing HTTP/3 early data
on 24/06/2026
curl disclosed a bug submitted by hahahkim: https://hackerone.com/reports/3752888 [...]
See full content
CVE-2026-11856: cross-origin Digest auth state leak
on 24/06/2026
curl disclosed a bug submitted by jjchuck: https://hackerone.com/reports/3793260 [...]
See full content
Exploiting web cache poisoning vulnerabilities
by Ayoub and Rachid Allam on 24/06/2026
Web (or HTTP) caching is a highly adopted practice to effectively optimize web page loading times for clients. However, as with most technologies, when incorrectly implemented, it may open up a new exploitable attack surface for us to look into.
In this article, we'll cover what web cache poisoning vulnerabilities are, how they arise, a few effective ways to enumerate such vulnerabilities, and eve [...]
See full content
Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond
on 24/06/2026
Datadog Security Research investigates a June 2026 adversary-in-the-middle phishing campaign that cloned the AWS console login page to harvest victim credentials and multi-factor authentication codes. [...]
See full content
Closing the Discovery-Remediation Gap | CTEM in Practice
on 23/06/2026
See full content
This Dark Web Linux Backdoor Erases Its Own Footprints
on 23/06/2026
See full content
Scattered Spider Hackers Plead Guilty on Day 1 of Trial
by BrianKrebs on 23/06/2026
Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-wee [...]
See full content