InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
The Chinese Control the Majority of Argentina’s Squid Fleet on 26/06/2026
Chinese companies control nearly two-thirds of Argentina’s own squid fleet. [...]
Meta Is Testing Facial Recognition for Police and Military on 26/06/2026
We know that ICE wants to deploy eyeglasses with facial recognition that can identify people in real time. Turns out Meta is prototyping the feature with a Pentagon supplier. (Alternate news story.) [...]
Facebook Phishing Fails on 26/06/2026
Real Folks of Cyber | Pearce Barry | Day in the Life on 26/06/2026
mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0 on 26/06/2026
curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]
CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection on 26/06/2026
curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]
One Million Passports Leaked Online on 26/06/2026
A database of almost a million passports from around the world was leaked online. Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk. [...]
Intigriti Bug Bytes #237 - June 2026 🚀 by Ayoub on 26/06/2026
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month's issue, we are featuring: a 10-year-old pre-auth RCE in phpBB; earning $500K hacking Google with AI; reading any Salesforce Marketing Cloud account's emails; a new DOMPurify sanitizer bypass; mapping abandoned S3 buckets to redo SolarWinds at scale; and so much more! Let's dive in! Using AI the smart way: interview with Cristian [...]
Introducing GuardDog 3.0: A new rules engine, transparent sandboxing, and more on 26/06/2026
Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing. [...]
Getting Started with the TCM Security Academy on 25/06/2026
AI and Liability on 25/06/2026
Earlier this month, a German court ruled that Google is liable for its AI search summaries. Rejecting defenses like “users can check for themselves,” and that they generally know “that information generated with AI should not be blindly trusted,” the court held that the AI’s summaries are reflections of the company and “above all an expression of Google’s [...]
Disable SmartScreen Fast on 25/06/2026
PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting on 25/06/2026
Revive Adserver disclosed a bug submitted by doomtech: https://hackerone.com/reports/3781492 [...]
XMLRPC login leak exposes valid session ID enabling unauthorized API access on 25/06/2026
Revive Adserver disclosed a bug submitted by garuthacktvist: https://hackerone.com/reports/3783738 [...]
Reflected XSS via unsanitised refresh parameter in zone invocation tag on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3780806 [...]
PHP code injection in delivery-limitation `logical` validation bypass on 25/06/2026
Revive Adserver disclosed a bug submitted by riodrwn: https://hackerone.com/reports/3780854 [...]
Stored XSS in maintenance tools via unescaped entity names on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781311 [...]
CSRF in zoneinclude.php allows unauthorized banner and campaign linking on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781691 [...]
Missing ownership validation allows cross-manager tracker-campaign linking on 25/06/2026
Revive Adserver disclosed a bug submitted by hakuopi: https://hackerone.com/reports/3780709 [...]
Reflected XSS in statsvideo.php via improperly encoded URL parameters on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3793243 [...]
Interesting Paper Exploring Prompt Injection on 25/06/2026
This is a fascinating exploration of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags. Their conclusion: Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs. We’ve shown that this architecture doesn’t survive [...]
HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent` on 25/06/2026
Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3582376 [...]
Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix) on 25/06/2026
Node.js disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3618831 [...]
Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3688064 [...]
Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656869 [...]
TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections on 25/06/2026
Node.js disclosed a bug submitted by 3d7omb: https://hackerone.com/reports/3649802 [...]
Permission Model bypass via FileHandle.utimes() in the promises API on 25/06/2026
Node.js disclosed a bug submitted by muhammaddaffa: https://hackerone.com/reports/3625987 [...]
Proxy credentials leaked in ERR_PROXY_TUNNEL error message on 25/06/2026
Node.js disclosed a bug submitted by nssys: https://hackerone.com/reports/3720313 [...]
Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames on 25/06/2026
Node.js disclosed a bug submitted by kingsd: https://hackerone.com/reports/3676863 [...]
Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656716 [...]
Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS) on 25/06/2026
Node.js disclosed a bug submitted by erichen: https://hackerone.com/reports/3760016 [...]
The bugs that ruin your weekend aren't on your automated reports. 💀 on 24/06/2026
Where have I gone? on 24/06/2026
Github got Hacked by CATS on 24/06/2026
Embedding Forbidden Text in Spyware to Discourage AI Analysis on 24/06/2026
At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis. Details: The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content. Because it is inside a comment, it does not affect JavaScript execution. The runtime skips it. The real malware [...]
HTTPS proxy connection reuse lets one easy handle inherit another handle's mTLS-authenticated proxy session on 24/06/2026
curl disclosed a bug submitted by zhenyan: https://hackerone.com/reports/3735180 [...]
CVE-2026-11564: Native CA trust persist on 24/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3788984 [...]
CVE-2026-12064: proto-default skips SSH verification on 24/06/2026
curl disclosed a bug submitted by alienowo: https://hackerone.com/reports/3797526 [...]
CVE-2026-11586: WS Auto-PONG memory exhaustion on 24/06/2026
curl disclosed a bug submitted by evergarden1123: https://hackerone.com/reports/3788931 [...]
CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop on 24/06/2026
curl disclosed a bug submitted by vectorqueue: https://hackerone.com/reports/3783438 [...]
CVE-2026-10536: HTTP/2 stream-dependency tree UAF on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751697 [...]
CVE-2026-8924: trailing dot domain super cookie on 24/06/2026
curl disclosed a bug submitted by vegagent: https://hackerone.com/reports/3733905 [...]
CVE-2026-9547: SSH improper host validation on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751712 [...]
CVE-2026-9546: sending old referer on 24/06/2026
curl disclosed a bug submitted by fafawf: https://hackerone.com/reports/3754343 [...]
CVE-2026-9079: stale proxy password leak on 24/06/2026
curl disclosed a bug submitted by keen4n: https://hackerone.com/reports/3750295 [...]
CVE-2026-9080: UAF after pause in socket callback on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3749204 [...]
CVE-2026-8286: wrong STARTTLS connection reuse on 24/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3718195 [...]
CVE-2026-8932: incomplete mTLS config matching in conn reuse on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733910 [...]
CVE-2026-8927: env-set cross-proxy Digest auth state leak on 24/06/2026
curl disclosed a bug submitted by adyej: https://hackerone.com/reports/3744543 [...]
CVE-2026-8925: SASL double-free on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735193 [...]
CVE-2026-8926: password leak with netrc and user in URL on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735184 [...]
CVE-2026-8458: wrong reuse for different services on 24/06/2026
curl disclosed a bug submitted by areksaxyz: https://hackerone.com/reports/3721183 [...]
Insufficient checks in the file path parameter allow writing to unauthorized directories on 24/06/2026
SingleStore disclosed a bug submitted by axolot23: https://hackerone.com/reports/3384615 [...]
CVE-2026-9545: exposing HTTP/3 early data on 24/06/2026
curl disclosed a bug submitted by hahahkim: https://hackerone.com/reports/3752888 [...]
CVE-2026-11856: cross-origin Digest auth state leak on 24/06/2026
curl disclosed a bug submitted by jjchuck: https://hackerone.com/reports/3793260 [...]
Exploiting web cache poisoning vulnerabilities by Ayoub and Rachid Allam on 24/06/2026
Web (or HTTP) caching is a highly adopted practice to effectively optimize web page loading times for clients. However, as with most technologies, when incorrectly implemented, it may open up a new exploitable attack surface for us to look into. In this article, we'll cover what web cache poisoning vulnerabilities are, how they arise, a few effective ways to enumerate such vulnerabilities, and eve [...]
Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond on 24/06/2026
Datadog Security Research investigates a June 2026 adversary-in-the-middle phishing campaign that cloned the AWS console login page to harvest victim credentials and multi-factor authentication codes. [...]
Closing the Discovery-Remediation Gap | CTEM in Practice on 23/06/2026
This Dark Web Linux Backdoor Erases Its Own Footprints on 23/06/2026
Scattered Spider Hackers Plead Guilty on Day 1 of Trial by BrianKrebs on 23/06/2026
Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-wee [...]
Taskcluster web-server OAuth2 authorization codes are reusable and the exchange handler checks the wrong expiry column on 23/06/2026
Mozilla disclosed a bug submitted by anshuman_bh: https://hackerone.com/reports/3734676 - Bounty: $2000 [...]
Anthropic’s Fable 5 Model Jailbroken Within Days on 23/06/2026
Fable 5 is the supposed safe version of Anthropic’s Mythos Preview, with guardrails to ensure that it can’t be used to create cyberattacks. Well, that restriction was bypassed within days. [...]
Node --run POSIX positional argument escaping allows shell command injection on 23/06/2026
Node.js disclosed a bug submitted by yottt: https://hackerone.com/reports/3817602 [...]
Introducing Patch the Planet on 22/06/2026
What happens when you clear dozens of Trail of Bits engineers’ schedules, pair them with every open-source maintainer they can contact, and unleash the latest frontier models like GPT-5.5-Cyber on critical open-source targets? Thanks to our partnership with OpenAI and its Daybreak initiative, we can report that the impact is hundreds of discovered bugs, 64 pull requests, and 51 issues filed across [...]
This Hacker Got Paid $50,000+ to Break Frontier AI Models on 22/06/2026
Professional Athletes and Wearables on 22/06/2026
I haven’t thought about the privacy issues surrounding professional athletes and wearables. Wearables present serious privacy issues for “Average Joe” consumers, who are entrusting tech companies to safely store and protect their biometric data. Imagine the stakes for a professional athlete, whose entire livelihood could be affected by a single biometric data point. To give one o [...]
Humans Still Solve What AI Can't on 22/06/2026
Detecting the Klue supply chain attack in Salesforce instances on 22/06/2026
We summarize the Klue supply chain attack and provide detection guidance for Salesforce environments monitored by Datadog Cloud SIEM. [...]
1-Click Account Takeover via Open Redirect through Regex Bypass in Domain Validation on 20/06/2026
Khan Academy disclosed a bug submitted by farr: https://hackerone.com/reports/3723458 [...]
ContinuumCon 2026 Redux! on 20/06/2026
Friday Squid Blogging: Victims of Unregulated Squid Fishing on 19/06/2026
Dolphins, sharks, turtles, and human workers are all victims of unregulated squid fishing fleets. Another news article. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Soft Skills for the Job Market: Resume Writing on 19/06/2026
AI didn’t make every attacker a genius on 19/06/2026
Burp Extensibility 2026: Awards, Talks, and Highlights on 19/06/2026
The 2026 Burp Suite Extension Awards: Best Recon & Discovery; Best Auth & Access Control; Best Workflow & Manipulation; Best API & Specialist Testing; Hidden Gem; Most Nominated. The talks: In [...]
Anthropic’s Fable and the State of AI on 19/06/2026
On June 9th, Anthropic released its Fable generative AI model. Three days later, the US government classified it as a dangerous munition, and used its export-control authority to prohibit any foreign nationals from accessing it. Unable to differentiate between Americans and foreigners, the company shut off access for everyone. The government’s actions won’t help. The problem isn’ [...]
Metrics Cut Through AI Noise on 19/06/2026
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm by BrianKrebs on 18/06/2026
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Isra [...]
HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors on 18/06/2026
Node.js disclosed a bug submitted by pimterry: https://hackerone.com/reports/3658225 [...]
Permission Model Bypass via `process.report.writeReport()` Path Misvalidation on 18/06/2026
Node.js disclosed a bug submitted by suul: https://hackerone.com/reports/3692858 [...]
For a global platform like Just Eat Takeaway.com, security visibility has to scale with the business on 18/06/2026
Reflected XSS in AI Chat Bot Greetings at help.shopify.com via Markdown Image Rendering on 18/06/2026
Shopify disclosed a bug submitted by saltymermaid: https://hackerone.com/reports/2509022 - Bounty: $1600 [...]
False Positives Are Still the Bill on 18/06/2026
Entra Agent ID: Inside a cross-tenant agent compromise on 18/06/2026
Continuing our Agent ID series, this post demonstrates how a privileged agent could be compromised through its third-party blueprint. This leads to a cross-tenant incident similar to Midnight Blizzard, since an attacker with control over an agent blueprint can authenticate as any agent associated with that blueprint. [...]
This hacker made $500,000+ hacking google in just a few months. #hacking #bugbounty #cybersecurity on 17/06/2026
Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql on 17/06/2026
HackerOne disclosed a bug submitted by brumbelow: https://hackerone.com/reports/3694007 - Bounty: $7000 [...]
If you’ve ever said, “Sorry, my hands are full,” this is for you 🫵🫵 on 17/06/2026
H1 Platform Demo | CTEM at AI Scale on 17/06/2026
Don't Buy AI Security Blind on 17/06/2026
verify-release rebuilds from the tarball under verification, enabling pre-check command execution and false OK for a malicious curl release tarball on 17/06/2026
curl disclosed a bug submitted by argareksapatii: https://hackerone.com/reports/3802645 [...]
Using AI the smart way. Interview with Cristian Zot (CristiVlad25) by Eleanor Barlow on 17/06/2026
Cristian Zot, known by most in the industry as CristiVlad25, is an active security researcher, experienced pentester, and an Intigriti Hacker Ambassador. He is a prominent figure in the ethical hacking community and frequently collaborates with Intigriti through platform meetups, podcast appearances, and educational content. Cristian has featured as a guest expert on Intigriti's live Office Hour [...]
TCM Security Summer Sale is Here! on 16/06/2026
Vulnerability Report: Buffer Overflow in Path Sanitization on 16/06/2026
curl disclosed a bug submitted by newstuff321: https://hackerone.com/reports/3804525 [...]
AI Changed Vulnerability Discovery Fast on 16/06/2026
AI Security's Last Mile Problem with Michael Mckinley on 16/06/2026
Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file on 16/06/2026
Rocket.Chat disclosed a bug submitted by eldudareeno: https://hackerone.com/reports/3611837 [...]
Global expertise, built with EU data needs in mind on 16/06/2026
Malicious Conflux Endpoint Can Leave Stale Global OOO Queue Accounting After Teardown on 16/06/2026
Tor disclosed a bug submitted by aptupdate: https://hackerone.com/reports/3701692 - Bounty: $100 [...]
Mapping out your unknown: A threat hunter’s guide to Salesforce on 16/06/2026
In this post, we walk through different threats to Salesforce and how to detect them. [...]