SVG filter primitives bypass remote image blocking, enabling email tracking without consent. on 20/04/2026
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3486747 [...]
InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays. on 20/04/2026
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3590586 [...]
Unquoted body background attribute enables CSS injection that bypasses remote image blocking on 20/04/2026
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3590583 [...]
SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent on 20/04/2026
Nextcloud disclosed a bug submitted by nullcathedral: https://hackerone.com/reports/3590576 [...]
Is “Satoshi Nakamoto” Really Adam Back? on 20/04/2026
The New York Times has a long article where the author lays out an impressive array of circumstantial evidence that the inventor of Bitcoin is the cypherpunk Adam Back. I don’t know. The article is convincing, but it’s written to be convincing. I can’t remember if I ever met Adam. I was a member of the Cypherpunks mailing list for a while, but I was never really an active partici [...]
libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms on 19/04/2026
curl disclosed a bug submitted by valvelvel: https://hackerone.com/reports/3680680 [...]
Digest Auth State Leak on Cross-Origin Redirect via Netrc - Username and Password Hash Sent to Wrong Host on 19/04/2026
curl disclosed a bug submitted by fg0x0: https://hackerone.com/reports/3680038 [...]
Stored XSS in attachment-display exploitable through SameSite on 19/04/2026
Nextcloud disclosed a bug submitted by aikido_security: https://hackerone.com/reports/3594137 [...]
libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay on 18/04/2026
curl disclosed a bug submitted by skksndk: https://hackerone.com/reports/3680234 [...]
Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs on 18/04/2026
Ruby on Rails disclosed a bug submitted by smlee: https://hackerone.com/reports/3601655 [...]
Friday Squid Blogging: New Giant Squid Video on 17/04/2026
Pretty fantastic video from Japan of a giant squid eating another squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle on 17/04/2026
curl disclosed a bug submitted by asdwe: https://hackerone.com/reports/3673277 [...]
Mythos and Cybersecurity on 17/04/2026
Last week, Anthropic pulled back the curtain on Claude Mythos Preview, an AI model so capable at finding and exploiting software vulnerabilities that the company decided it was too dangerous to release to the public. Instead, access has been restricted to roughly 50 organizations—Microsoft, Apple, Amazon Web Services, CrowdStrike and other vendors of critical infrastructure—under an in [...]
We beat Google’s zero-knowledge proof of quantum cryptanalysis on 17/04/2026
Two weeks ago, Google’s Quantum AI group published a zero-knowledge proof of a quantum circuit so optimized, they concluded that first-generation quantum computers will break elliptic curve cryptography keys in as little as 9 minutes. Today, Trail of Bits is publishing our own zero-knowledge proof that significantly improves Google’s on all metrics. Our result is not due to some quantum breakthrou [...]
Common misconceptions debugged! by Greg Jenkins on 17/04/2026
AI and the growing ecosystem of tools built around it have now moved beyond early experimentation and into everyday use across the bug bounty community. What initially showed up as AI-written reports has evolved into something broader: changes in how researchers work, how submissions scale, and how programs experience that volume. In the first part of this series, we explored how AI is shifting th [...]
Introducing the official Burp Ambassador Program on 16/04/2026
Why we’re launching the program What it means to be a Burp Ambassador What we’re aiming for Our Burp Ambassadors Alan Levy Corey Ball Federico Dotta Rana Khalil Tib3rius Looking ahead Get Involved - B [...]
Residual Malicious Payloads on HackerOne after Vulnerability Fixes on 16/04/2026
HackerOne disclosed a bug submitted by joejoe5: https://hackerone.com/reports/3168691 [...]
DOS via Mutation Aliasing in GraphQL Account Recovery Phone Number Verification API on 16/04/2026
HackerOne disclosed a bug submitted by hellokbit: https://hackerone.com/reports/3287208 - Bounty: $12500 [...]
Human Trust of AI Agents on 16/04/2026
Interesting research: “Humans expect rationality and cooperation from LLM opponents in strategic games.” Abstract: As Large Language Models (LLMs) integrate into our social and economic interactions, we need to deepen our understanding of how humans respond to LLMs opponents in strategic settings. We present the results of the first controlled monetarily-incentivised laboratory experim [...]
lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a) on 16/04/2026
curl disclosed a bug submitted by hybirdss: https://hackerone.com/reports/3674275 [...]
The case for dependency cooldowns in a post-axios world on 16/04/2026
Understanding npm and the importance of dependency cooldowns. [...]
Authorization header leak in ssrf_filter via cross-host redirect leads to credential theft and unauthorized access on 15/04/2026
arkadiyt-projects disclosed a bug submitted by argareksapatii: https://hackerone.com/reports/3642600 [...]
SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet) on 15/04/2026
AWS VDP disclosed a bug submitted by killnet-edc: https://hackerone.com/reports/3591725 [...]
Defense in Depth, Medieval Style on 15/04/2026
This article on the walls of Constantinople is fascinating. The system comprised four defensive lines arranged in formidable layers: The brick-lined ditch, divided by bulkheads and often flooded, 15-20 meters wide and up to 7 meters deep. A low breastwork, about 2 meters high, enabling defenders to fire freely from behind. The outer wall, 8 meters tall and 2.8 meters thick, with 82 projecting to [...]
Patch Tuesday, April 2026 Edition by BrianKrebs on 14/04/2026
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited [...]
DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover on 14/04/2026
Basecamp disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3608199 - Bounty: $500 [...]
Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure on 14/04/2026
Basecamp disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3543475 - Bounty: $218 [...]
BOLA/IDOR in Out-of-Office API allows any authenticated user to read other users' absence data on 14/04/2026
Nextcloud disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3382343 [...]
Upcoming Speaking Engagements on 14/04/2026
This is a current list of where and when I am scheduled to speak: I’m speaking at DemocracyXChange 2026 in Toronto, Ontario, Canada, on April 18, 2026. I’m speaking at the SANS AI Cybersecurity Summit 2026 in Arlington, Virginia, USA, at 9:40 AM ET on April 20, 2026. I’m speaking at the Greater Good Gathering in New York City, USA, on Tuesday, April 21, 2026. I’m speaking at the Nemertes [N [...]
How Hackers Are Thinking About AI on 14/04/2026
Interesting paper: “What hackers talk about when they talk about AI: Early-stage diffusion of a cybercrime innovation.” Abstract: The rapid expansion of artificial intelligence (AI) is raising concerns about its potential to transform cybercrime. Beyond empowering novice offenders, AI stands to intensify the scale and sophistication of attacks by seasoned cybercriminals. This paper exa [...]
[Variation of #3321406] YetAnother 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in AccessTempAuth on 14/04/2026
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3423950 [...]
[Variation of #1554049] 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in Access Temp Auth on 14/04/2026
Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: https://hackerone.com/reports/3321406 [...]
Brave Shields Domain Reordering Leads to Origin Confusion on 13/04/2026
Brave Software disclosed a bug submitted by mousepadkalilinux12: https://hackerone.com/reports/3665151 - Bounty: $100 [...]
On Anthropic’s Mythos Preview and Project Glasswing on 13/04/2026
The cybersecurity industry is obsessing over Anthropic’s new model, Claude Mythos Preview, and its effects on cybersecurity. Anthropic said that it is not releasing it to the general public because of its cyberattack capabilities, and has launched Project Glasswing to run the model against a whole slew of public domain and proprietary software, with the aim of finding and patching all the vu [...]
Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute) on 13/04/2026
Nextcloud disclosed a bug submitted by py0zz1: https://hackerone.com/reports/3400143 - Bounty: $250 [...]
AI Chatbots and Trust on 13/04/2026
All the leading AI chatbots are sycophantic, and that’s a problem: Participants rated sycophantic AI responses as more trustworthy than balanced ones. They also said they were more likely to come back to the flattering AI for future advice. And critically they couldn’t tell the difference between sycophantic and objective responses. Both felt equally “neutral” to them. On [...]
Argument Injection via curl Short-Flag Grouping on 13/04/2026
curl disclosed a bug submitted by midoussa7: https://hackerone.com/reports/3669305 [...]
Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers on 11/04/2026
curl disclosed a bug submitted by pwnpwn: https://hackerone.com/reports/3665363 [...]
Friday Squid Blogging: Squid Overfishing in the South Pacific on 10/04/2026
Regulation is hard: The South Pacific Regional Fisheries Management Organization (SPRFMO) oversees fishing across roughly 59 million square kilometers (22 million square miles) of the South Pacific high seas, trying to impose order on a region double the size of Africa, where distant-water fleets pursue species ranging from jack mackerel to jumbo flying squid. The latter dominated this year’ [...]
Encryption context keys and values logged at INFO level on 10/04/2026
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620760 [...]
Bringing Rust to the Pixel Baseband on 10/04/2026
Posted by Jiacheng Lu, Software Engineer, Google Pixel Team Google is continuously advancing the security of Pixel devices. We have been focusing on hardening the cellular baseband modem against exploitation. Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities. For Pixel 10, Google is advancing its p [...]
Open Redirect in Rocket.Chat on 10/04/2026
Rocket.Chat disclosed a bug submitted by soohyun: https://hackerone.com/reports/3418031 [...]
[Vertical Privilege Escalation] User can Unapproved any Approved Translation at [/translations/unapprove/] on 10/04/2026
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3020021 [...]
User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon on 10/04/2026
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3325582 [...]
A(I) future of Bug Bounty by Chris Holt on 10/04/2026
AI and all the tools built around related technologies have been working their way into the Bug Bounty community for a little over a year now and by around March 2025 we started seeing notably AI-written reports. It is time to take stock of what impact they have wrought already so we can look to the future and begin to address the reality and some of the fears surrounding this new technology. This [...]
Protecting Cookies with Device Bound Session Credentials on 09/04/2026
Posted by Ben Ackerman, Chrome team, Daniel Rubery, Chrome team and Guillaume Ehinger, Google Account Security team Following our April 2024 announcement, Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome release. This project represents a significant step forward in our ongoing efforts to co [...]
Memory leak in gem decode logic can allow attacker to take down Rubygems.org application on 09/04/2026
RubyGems disclosed a bug submitted by mclaren650sspider: https://hackerone.com/reports/3079931 [...]
Master C and C++ with our new Testing Handbook chapter on 09/04/2026
We added a new chapter to our Testing Handbook: a comprehensive security checklist for C and C++ code. We’ve identified a broad range of common bug classes, known footguns, and API gotchas across C and C++ codebases and organized them into sections covering Linux, Windows, and seccomp. Whereas other handbook chapters focus on static and dynamic analysis, this chapter offers a strong basis for manu [...]
libcurl: Integer truncation in curl_easy_ssls_import() causes TLS sessions to never expire on 09/04/2026
curl disclosed a bug submitted by adityasunny_06: https://hackerone.com/reports/3658049 [...]
Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8562 on 09/04/2026
A look at how Kubernetes CVE-2020-8562 allows attackers to bypass API server proxy protections using DNS rebinding [...]
wasResumeUsed on /api-internal/api.htm endpoint leaking other user's resume usage status on 08/04/2026
Glassdoor disclosed a bug submitted by auxilus: https://hackerone.com/reports/909084 [...]
Account Takeover on 08/04/2026
Glassdoor disclosed a bug submitted by amakki: https://hackerone.com/reports/970763 [...]
Open Redirect on 08/04/2026
Glassdoor disclosed a bug submitted by z3ron3: https://hackerone.com/reports/818094 [...]
Russia Hacked Routers to Steal Microsoft Office Tokens by BrianKrebs on 07/04/2026
Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code. Micros [...]
Health check errors silently dropped when channel buffer full on 07/04/2026
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620761 [...]
IDOR on via direct photo URL leads to unauthorized access to deleted and other users' photos on 07/04/2026
Nextcloud disclosed a bug submitted by shiva2550: https://hackerone.com/reports/3518758 [...]
PortSwigger partners with Meta Bug Bounty to empower bug hunters with training and Pro licenses on 07/04/2026
More power for bug hunters An education-first approach to bug bounty Rewards on Meta's Bug Bounty Platform Our shared vision Ready to get started? We’re excited to announce a new partnership with Meta [...]
What we learned about TEE security from auditing WhatsApp's Private Inference on 07/04/2026
WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a system that processes encrypted user messages inside trusted execution environments (TEEs), secure hardware enclaves designed so that not even Meta can access the plaintext. Our now [...]
no_proxy IDN mismatch: Unicode hostnames bypass proxy exclusion list on 07/04/2026
curl disclosed a bug submitted by mzfr: https://hackerone.com/reports/3650443 [...]
FTP entrypath accepts 0xFF (Telnet IAC) through incomplete ISCNTRL filter, sent on wire via CWD on connection reuse on 07/04/2026
curl disclosed a bug submitted by mzfr: https://hackerone.com/reports/3650473 [...]
Improper enforcement of CURLOPT_SOCKS5_AUTH due to missing reuse key validation in libcurl on 07/04/2026
curl disclosed a bug submitted by cutiapretaa: https://hackerone.com/reports/3650435 [...]
Five key takeaways from the UK’s new Cyber Security & Resilience Bill by Ed Parsons on 07/04/2026
The content of the Cyber Security & Resilience Bill (CSRB) recently introduced to Parliament contained few surprises. Having spent a significant amount of time working with European cyber-security frameworks, particularly NIS2, I see the Bill as both a continuation of the trend towards common approaches, and a signal of how seriously governments now take cyber risk. From my perspective, there are [...]
Cross-Site Leakage of Review Ownership via Navigation Detection on 06/04/2026
Glassdoor disclosed a bug submitted by downgrade: https://hackerone.com/reports/2516237 [...]
eflected Vulnerability in Glassdoor Blog earch on 06/04/2026
Glassdoor disclosed a bug submitted by zorixu: https://hackerone.com/reports/2682538 [...]
Full account takeover without user Interaction on 06/04/2026
Glassdoor disclosed a bug submitted by imtheking: https://hackerone.com/reports/1820146 [...]
Reported Denial of Service on 06/04/2026
Monero disclosed a bug submitted by jehrenhofermagicgrants: https://hackerone.com/reports/3241102 [...]
Reported RPC Overflow on 06/04/2026
Monero disclosed a bug submitted by jehrenhofermagicgrants: https://hackerone.com/reports/3240792 [...]
Unauthorized usage of External API Key (Usage of Google Maps API Key ==> $$$ on 06/04/2026
Glassdoor disclosed a bug submitted by avielt: https://hackerone.com/reports/881118 [...]
# SCURLOPT_SSH_KNOWNHOSTS and host fingerprint pins are silently bypassed when an SSH connection is reused from the connection pool on 06/04/2026
curl disclosed a bug submitted by spiderchan26: https://hackerone.com/reports/3645415 [...]
SMTP Command Injection via CRLF in libcurl MAIL_FROM / MAIL_RCPT (lib/smtp.c) on 06/04/2026
curl disclosed a bug submitted by divsz: https://hackerone.com/reports/3651975 [...]
Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab by BrianKrebs on 06/04/2026
An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021. Shchukin was n [...]
ignoring 'options' when doing connection reuse on 05/04/2026
curl disclosed a bug submitted by spichanlio76: https://hackerone.com/reports/3646914 [...]
Data race in Curl_dnscache_add_negative() corrupts shared DNS cache heap corruption and double-free when using CURLOPT_SHARE with CURL_LOCK_DATA_DNS on 04/04/2026
curl disclosed a bug submitted by intrax: https://hackerone.com/reports/3645361 [...]
Internal application wrapper or script using curl on 03/04/2026
curl disclosed a bug submitted by rougerseven7: https://hackerone.com/reports/3648199 [...]
Missing server identity policy enforcement in SSH connection reuse allows host key verification bypass via pool poisoning on 03/04/2026
curl disclosed a bug submitted by intrax71: https://hackerone.com/reports/3640932 [...]
Cookie attribute TAB injection regression in Set-Cookie parsing on 03/04/2026
curl disclosed a bug submitted by calaba_zas: https://hackerone.com/reports/3641893 [...]
Simplifying MBA obfuscation with CoBRA on 03/04/2026
Mixed Boolean-Arithmetic (MBA) obfuscation disguises simple operations like x + y behind tangles of arithmetic and bitwise operators. Malware authors and software protectors rely on it because no standard simplification technique covers both domains simultaneously; algebraic simplifiers don’t understand bitwise logic, and Boolean minimizers can’t handle arithmetic. We’re releasing CoBRA, an [...]
Google Workspace’s continuous approach to mitigating indirect prompt injections on 02/04/2026
Posted by Adam Gavish, Google GenAI Security TeamIndirect prompt injection (IPI) is an evolving threat vector targeting users of complex AI applications with multiple data sources, such as Workspace with Gemini. This technique enables the attacker to influence the behavior of an LLM by injecting malicious instructions into the data or tools used by the LLM as it completes the user’s query. This ma [...]
Mutation testing for the agentic era on 01/04/2026
Code coverage is one of the most dangerous quality metrics in software testing. Many developers fail to realize that code coverage lies by omission: it measures execution, not verification. Test suites with high coverage can obfuscate the fact that critical functionality is untested as software develops over time. We saw this when mutation testing uncovered a high-severity Arkis protocol vulnerabi [...]
BugQuest 2026: 31 Days of Broken Access Control by Ayoub on 01/04/2026
In March 2026, we ran BugQuest, a 31-day campaign covering everything you need to know about finding and exploiting broken access control vulnerabilities. From understanding the basics of authentication and authorization to spotting subtle authorization bypasses in real code, we broke down one of the most critical vulnerability classes in modern web applications. Broken access controls have consis [...]
Bypassing Strict SSH Server Verification via Connection Pool Reuse in libcurl on 31/03/2026
curl disclosed a bug submitted by whitehat411: https://hackerone.com/reports/3639277 [...]
Use-After-Free race condition in url_move_hostname() via shared connection pool on 31/03/2026
curl disclosed a bug submitted by h3xb1tx: https://hackerone.com/reports/3638715 [...]
VRP 2025 Year in Review on 31/03/2026
Posted by Dirk Göhmann, Tony Mendez, and the Vulnerability Rewards Program Team2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉! Originally started in 2010, our vulnerability reward program (VRP) has seen constant additions and expansions over the past decade and a half, clearly indicating the value the programs under [...]
DLL side-loading vulnerability in Sony Music Center for PC Ver. 2.7.2 (Latest version) on 31/03/2026
Sony disclosed a bug submitted by resurrect20: https://hackerone.com/reports/3355766 [...]
Unauthenticated SSRF via Public Reference API -Sharing Token Bypass on 31/03/2026
Nextcloud disclosed a bug submitted by eclipse07077: https://hackerone.com/reports/3479692 [...]
How we made Trail of Bits AI-native (so far) on 31/03/2026
This post is adapted from a talk I gave at [un]prompted, the AI security practitioner conference. Thanks to Gadi Evron for inviting me to speak. You can watch the recorded presentation below or download the slides. Most companies hand out ChatGPT licenses and wait for the productivity numbers to move. We built a system instead. A year ago, about 5% of Trail of Bits was on board with our AI initiat [...]
HackerOne Vulnerability Report: libcurl SSL/TLS Identity Leakage via Insecure Connection Reuse on 31/03/2026
curl disclosed a bug submitted by ankitsingh131225: https://hackerone.com/reports/3636244 [...]
HTTP/2 PUSH_PROMISE header loss on OOM bypasses scheme validation (regression of 2e8c922a89) on 31/03/2026
curl disclosed a bug submitted by m42kl33: https://hackerone.com/reports/3636044 [...]
Unbounded GZIP Decompression Leading to Event-Loop Starvation on 31/03/2026
curl disclosed a bug submitted by ok3y: https://hackerone.com/reports/3632427 [...]
SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48) on 31/03/2026
arkadiyt-projects disclosed a bug submitted by tipsen: https://hackerone.com/reports/3634400 [...]
Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes on 31/03/2026
arkadiyt-projects disclosed a bug submitted by tipsen: https://hackerone.com/reports/3634571 [...]
Compromised axios npm package delivers cross-platform RAT on 31/03/2026
An attacker hijacked an axios maintainer's npm account to publish malicious releases that deliver a cross-platform RAT. [...]
HashDoS in V8 on 30/03/2026
Node.js disclosed a bug submitted by sharp_edged: https://hackerone.com/reports/3511792 [...]
Permission Model Bypass in realpathSync.native Allows File Existence Disclosure on 30/03/2026
Node.js disclosed a bug submitted by stif: https://hackerone.com/reports/3480841 [...]
Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery on 30/03/2026
Node.js disclosed a bug submitted by x_probe: https://hackerone.com/reports/3533945 [...]
Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net` on 30/03/2026
Node.js disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3559715 [...]
Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process) on 30/03/2026
Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3560402 [...]
CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown on 30/03/2026
Node.js disclosed a bug submitted by wooseokdotkim: https://hackerone.com/reports/3449392 [...]
Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion on 30/03/2026
Node.js disclosed a bug submitted by galbarnahum: https://hackerone.com/reports/3531737 [...]
CISO Spotlight: Dimitris Georgiou on Building Security that Serves People First by Tim Erlin on 30/03/2026
Dimitris Georgiou has been a self-professed computer geek since the early 80s. At university, he studied the convergence of educational technology with computer science as part of his psychology MA – finding, to his disbelief, that systems were perilously insecure. Since then, he’s always worked in and around cybersecurity. He’s had roles as a computer science teacher, a technology manager, a [...]