InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Friday Squid Blogging: Bigfin Squid on 16/05/2026
Article about the bigfin squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
The AI Tried to Escape Our Own Infrastructure. on 15/05/2026
SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution on 15/05/2026
Nextcloud disclosed a bug submitted by suul: https://hackerone.com/reports/3462991 [...]
[DUTCH] RatCTF - What is it and how do you use it? + Hacking a machine on 15/05/2026
Bypassing On-Camera Age-Verification Checks on 15/05/2026
Some AI-based video age-verification checks can be fooled with a fake mustache. [...]
The Payload Podcast 006 on 15/05/2026
Mythos Didn’t Change What Gets Found; It Changed How Reliably It Gets Found on 14/05/2026
Keep up the great work, hackers 👏 on 14/05/2026
Upcoming Speaking Engagements on 14/05/2026
This is a current list of where and when I am scheduled to speak: I’m giving a virtual talk on “The Security of Trust in the Age of AI,” hosted by the Financial Women’s Association of New York, at 6:00 PM ET on May 21, 2026. I’m speaking at the Potsdam Conference on National Cybersecurity at the Hasso Plattner Institut in Potsdam, Germany. The event runs June 24–25, 2026, and my talk will be the [...]
Origin IP Exposed (WAF Bypass) on 14/05/2026
Yuga Labs disclosed a bug submitted by r00tsid: https://hackerone.com/reports/1821085 - Bounty: $250 [...]
How Dangerous Is Anthropic’s Mythos AI? on 14/05/2026
Last month, Anthropic made a remarkable announcement about its new model, Claude Mythos Preview: it was so good at finding security vulnerabilities in software that the company would not release it to the general public. Instead, it would only be available to a select group of companies to scan and fix their own software. The announcement requires context—but it contained an essential truth. [...]
Mythos, Glasswing, and the New Velocity of Cyber Risk on 14/05/2026
Kerberos/SPNEGO Connection Reuse Vulnerability on 14/05/2026
curl disclosed a bug submitted by rootofpi_ramesh: https://hackerone.com/reports/3725659 [...]
LIVE: 🕵️ HTB Sherlocks! | Cybersecurity | Blue Team on 14/05/2026
Backdoored Cemu release linked to TanStack and Mistral supply chain campaign on 14/05/2026
We investigate how a coordinated supply chain campaign that compromised npm and PyPI packages also backdoored the official Cemu Nintendo Wii U emulator GitHub release, reaching nearly 20,000 Linux users. [...]
Backdoored node-ipc npm releases steal developer credentials through DNS queries on 14/05/2026
An analysis of backdoored node-ipc npm releases that add an obfuscated credential collection and DNS exfiltration payload to the CommonJS entrypoint. [...]
OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities on 13/05/2026
The UK’s AI Security Institute evaluated GPT-5.5’s ability to find security vulnerabilities, and found that it is comparable to Claude Mythos. Note that the OpenAI model is generally available. Here is the Institute’s evaluation of Mythos. And here is an analysis of a smaller, cheaper model. It requires more scaffolding from the prompter, but it is also just as good. [...]
Shai-Hulud Goes Open Source on 13/05/2026
A static analysis of the open-sourced Shai-Hulud offensive framework attributed to TeamPCP, covering its credential harvesting, supply chain poisoning, and exfiltration capabilities. [...]
Patch Tuesday, May 2026 Edition by BrianKrebs on 12/05/2026
Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers — including Apple, Google, Microsoft, Mozilla and Oracle — fixing near record volumes of secu [...]
Hackers are Using AI (much scary, very wow) on 12/05/2026
A Quick Way to Prove Your Cybersecurity Skillset! on 12/05/2026
Extending Security to MCP Servers: Closing a Critical Gap by Tim Erlin on 12/05/2026
The Model Context Protocol (MCP) is a de facto standard for providing structured access to privileged systems for AI agents and external integrations. It acts as a USB-C port for AI, enabling faster innovation by allowing organizations to expose tools, resources, and workflows without the time-consuming work of building APIs. Adoption has surged in recent months, and categories like payments, [...]
QuickSight Authorization Bypass: Chat Agents Accessible Despite Custom Permissions Denial on 12/05/2026
AWS VDP disclosed a bug submitted by jcow: https://hackerone.com/reports/3577145 [...]
The beast needs a cage: What's next for AppSec post-Mythos on 12/05/2026
Now that the dust has settled on Mythos dropping, there is space for more considered reflection on the direction of travel. Mythos wasn't a surprise; it's another data point on a trajectory that's bee [...]
Very Simple Real Bug Bounty Exploit - API Scope Bypass on 12/05/2026
Copy.Fail Linux Vulnerability on 12/05/2026
This is the worst Linux vulnerability in years. TL;DR copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC. It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own. The exploit works unmodified across Ub [...]
Go fuzzing was missing half the toolkit. We forked the toolchain to fix it. on 12/05/2026
Go’s native fuzzing is useful, but it stands far behind state-of-the-art tooling that the Rust, C, and C++ ecosystems offer with LibAFL and AFL++. Path constraints are hard to solve. Structured inputs usually need handmade parsing. It doesn’t even detect several common bug classes, such as integer overflows, goroutine leaks, data races, and execution timeouts. So to make it better, we built [...]
NIS2 compliance beyond the April 2026 deadline by Eleanor Barlow on 12/05/2026
With the deadline passing for NIS2 compliance, many companies have shifted focus from becoming prepared to proving compliance. This post outlines the top 10 tasks for doing so and provides insights on how crowdsourced security platforms can assist in designing programs relevant to their circumstances and compliance requirements. The April NIS2 compliance deadline has come and gone, but where does [...]
Bugcrowd goes platinum on 11/05/2026
The Bug Bounty Roadmap I'd Follow If I Started Over (With AI) on 11/05/2026
Is the AI hype helping or killing your bug bounty dreams? #hacking #bugbounty on 11/05/2026
LLMs and Text-in-Text Steganography on 11/05/2026
Turns out that LLMs are really good at hiding text messages in other text messages. [...]
CEO insights: holding the human layer sacred in the AI era by Stijn Jans on 11/05/2026
As founder and CEO of Intigriti, I've spent a long time around hackers, and one thing is clear. The best ones don't fear AI. They use it. What they do fear, however, and what I take seriously as a founder, is a world where platforms quietly replace them under the banner of efficiency. Where their work trains models they don't benefit from, and where the economics of the craft erode while everyon [...]
Malicious Coding Agent Skills and the Risk of Dynamic Context on 11/05/2026
Learn how malicious Claude Code skills can abuse dynamic context commands to execute before model-level prompt injection defenses can intervene. [...]
Another Liberapay member team Twitter account broken: Link Hijacking via Expired Twitter Account Link on 09/05/2026
Liberapay disclosed a bug submitted by rox-11: https://hackerone.com/reports/3723002 [...]
Liberapay member team Twitter account broken: Link Hijacking via Expired Twitter Account Link on 09/05/2026
Liberapay disclosed a bug submitted by rox-11: https://hackerone.com/reports/3721519 [...]
Friday Squid Blogging: Giant Squid Live in the Waters of Western Australia on 08/05/2026
Evidence of them has been found by analyzing DNA in the seawater. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
AI tools are already part of everyday work, approved or not. 🤷 on 08/05/2026
Insider Betting on Polymarket on 08/05/2026
Insider trading is rife on Polymarket: Analysis by the Anti-Corruption Data Collective, a non-profit research and advocacy group, found that long-shot bets—defined as wagers of $2,500 or more at odds of 35 percent or less—on the platform had an average win rate of around 52 percent in markets on military and defense actions. That compares with a win rate of 25 percent across all poli [...]
Private circle can be added to another circle via API despite visibility restriction on 08/05/2026
Nextcloud disclosed a bug submitted by vidang04: https://hackerone.com/reports/3511998 - Bounty: $150 [...]
Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner on 08/05/2026
Nextcloud disclosed a bug submitted by 0x0doteth: https://hackerone.com/reports/3304830 [...]
View-only guests could see deleted Collectives pages in the trashbin on 08/05/2026
Nextcloud disclosed a bug submitted by yoyomiski: https://hackerone.com/reports/3521434 [...]
Canvas Breach Disrupts Schools & Colleges Nationwide by BrianKrebs on 08/05/2026
An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions. A sc [...]
Kubernetes security fundamentals: Secrets on 08/05/2026
A look at how to secure Kubernetes secrets [...]
mbedTLS private-key blob null-termination asymmetry in lib/vtls/mbedtls.c (mbed_load_privkey) on 07/05/2026
curl disclosed a bug submitted by shecantcode2: https://hackerone.com/reports/3717365 [...]
ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection on 07/05/2026
Ruby on Rails disclosed a bug submitted by ksw9722: https://hackerone.com/reports/3580511 [...]
hello, nostalgia on 07/05/2026
Smart Glasses for the Authorities on 07/05/2026
ICE is developing its own version of smart glasses, with facial recognition tied to various databases. [...]
Netwrix achieved a perfect 100% detection rate on 06/05/2026
Critical Deadlock Vulnerability in Monero RPC Leading to Complete Node Paralysis on 06/05/2026
Monero disclosed a bug submitted by rorkh: https://hackerone.com/reports/3307874 [...]
Connection Count Bug in Monero Node Enables Outbound Peer Reset Attack on 06/05/2026
Monero disclosed a bug submitted by yulge: https://hackerone.com/reports/3185083 [...]
wcurl treats some URL operands after -- as curl options on 06/05/2026
curl disclosed a bug submitted by p4p3r_hak: https://hackerone.com/reports/3708482 [...]
Inside H1-21 Lisbon: What We Validated Together on 06/05/2026
honorable mention: on 05/05/2026
Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption on 05/05/2026
PortSwigger Web Security disclosed a bug submitted by bereza4321: https://hackerone.com/reports/3625600 - Bounty: $200 [...]
C/C++ checklist challenges, solved on 05/05/2026
We recently added a C/C++ security checklist to the Testing Handbook and challenged readers to spot the bugs in two code samples: a deceptively simple Linux ping program and a Windows driver registry handler. If you found the inet_ntoa global buffer gotcha or the missing RTL_QUERY_REGISTRY_TYPECHECK flag, nice work. If not, here’s a full walkthrough of both challenges, plus a deep dive into [...]
Potential Resource Leak in tool_parsecfg.c at line 279 during fileerror on 05/05/2026
curl disclosed a bug submitted by ravindrasl2026: https://hackerone.com/reports/3710209 [...]
libcurl 8.20.0 incomplete fix for CVE-2026-7168: changing only CURLOPT_PROXYPORT leaks stale Proxy Digest auth to a different proxy on 05/05/2026
curl disclosed a bug submitted by codexxxx: https://hackerone.com/reports/3707747 [...]
MQTT CONNACK Packet Type Bypass leads to RCE via Malicious Broker on 05/05/2026
curl disclosed a bug submitted by orelbn7: https://hackerone.com/reports/3712343 [...]
The AI impact: a triager’s perspective by Eleanor Barlow on 05/05/2026
As part of our recent AI blog series, and in addition to content on ‘How AI is leveraged to enhance the Intigriti platform’, we have provided multiple insights from the Intigriti team on the development and future of AI, how it impacts programs, and the Bug Bounty community. So far, we have explored: ‘How AI is changing vulnerability discovery’, with COO, Ed Parsons. ‘Common AI misconceptions [...]
May the 4th be with you on 04/05/2026
Stop Using AI Connectors Until You Watch This on 04/05/2026
One ChatGPT connector. One email. Full AI agent hijack. #BugBounty #PromptInjection #ai #hacking on 04/05/2026
RatLabs - RootBase CTF - Hack My Machine! on 04/05/2026
Cyber Risk Is Now a Velocity Problem on 04/05/2026
Introducing Wallarm Middle East Cloud: Built for Data Residency Compliance by Tim Erlin on 04/05/2026
As API and AI adoption grows across the Middle East, so do the expectations around how data is handled. For many organizations operating in this region, it’s not just about securing applications. It’s about doing it in a way that keeps data in-country and aligned with local requirements. Today, we’re introducing the Wallarm Middle East Cloud Point of Presence (POP), giving organizations a n [...]
JHT Course Launch: Web App Junior Analyst! on 02/05/2026
weekend mode on 01/05/2026
A Guide to LNK File Forensics on 01/05/2026
Improper input validation on exported deep-link handler crashes `FileDisplayActivity` on crafted external URL (Denial-of-Service) on 01/05/2026
Nextcloud disclosed a bug submitted by khoof: https://hackerone.com/reports/3399016 [...]
76% More Valid Vulnerabilities. This Is Not Hype. on 01/05/2026
3 ways custom scan checks turn practitioner knowledge into scalable automation on 01/05/2026
Senior pentesters have a deeply refined intuition about what is vulnerable in an environment. The problem? That expertise is often siloed with an individual and trapped in their notes or Python scripts. [...]
Double fdrop on a socket through sys_netcontrol on 01/05/2026
PlayStation disclosed a bug submitted by slidybat: https://hackerone.com/reports/3320669 - Bounty: $10000 [...]
If you want hackers to hunt on your program on 30/04/2026
Anti-DDoS Firm Heaped Attacks on Brazilian ISPs by BrianKrebs on 30/04/2026
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a compet [...]
NEW! FREE! From 0 - OSCP! [RatCTF] on 30/04/2026
Discovery Is Not the Problem. Remediation Is. on 30/04/2026
Josh Mason | Real Folks of Cyber | DITL on 30/04/2026
Exploiting SQL injection vulnerabilities by Ayoub on 30/04/2026
Most assume that SQL injection is a solved problem in today's application landscape, especially with increased awareness of secure coding practices (such as resorting to prepared statements or parameterized queries) and the widespread adoption of NoSQL databases. However, in practice, SQLi vulnerabilities continue to surface in modern applications, often hiding in legacy code components, custom qu [...]
MQTT state machine confusion: PINGRESP/DISCONNECT with non-zero remaining_length dispatches to stale nextstate on 29/04/2026
curl disclosed a bug submitted by fxv_ray_st: https://hackerone.com/reports/3702718 [...]
Extending Ruzzy with LibAFL on 29/04/2026
LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode. Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing techniques, and libFuzzer compatibility. For these reasons, I set out to add LibAFL support to Ruzzy, our coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This gives R [...]
Agentic Speed. Zero Human Delay. on 29/04/2026
Use-After-Free in SMB connection reuse (req->path dangling pointer after needle destruction) on 29/04/2026
curl disclosed a bug submitted by nadsec42: https://hackerone.com/reports/3591956 [...]
Negotiate connection reuse with wrong credentials when using CURLAUTH_ANY on 29/04/2026
curl disclosed a bug submitted by anonymous_237: https://hackerone.com/reports/3646072 [...]
Negotiate Authentication Premature on Connection Reuse on 29/04/2026
curl disclosed a bug submitted by sdainard: https://hackerone.com/reports/3666576 [...]
CVE-2026-7168: cross-proxy Digest auth state leak on 29/04/2026
curl disclosed a bug submitted by xkilua: https://hackerone.com/reports/3697719 [...]
CVE-2026-7009: OCSP stapling bypass with Apple SecTrust on 29/04/2026
curl disclosed a bug submitted by 3lcarry: https://hackerone.com/reports/3694390 [...]
CVE-2026-6253: proxy credentials leak over redirect-to proxy on 29/04/2026
curl disclosed a bug submitted by joesephdiver: https://hackerone.com/reports/3669637 [...]
CVE-2026-5545: wrong reuse of HTTP Negotiate connection on 29/04/2026
curl disclosed a bug submitted by quaccws: https://hackerone.com/reports/3642555 [...]
CVE-2026-6276: stale custom cookie host causes cookie leak on 29/04/2026
curl disclosed a bug submitted by arkss: https://hackerone.com/reports/3671818 [...]
CVE-2026-6429: netrc credential leak with reused proxy connection on 29/04/2026
curl disclosed a bug submitted by nobcoderr: https://hackerone.com/reports/3677759 [...]
CVE-2026-4873: connection reuse ignores TLS requirement on 29/04/2026
curl disclosed a bug submitted by bonaire: https://hackerone.com/reports/3621851 [...]
CVE-2026-5773: wrong reuse of SMB connection on 29/04/2026
curl disclosed a bug submitted by osama-hamad: https://hackerone.com/reports/3650689 [...]
Use-after-free in `curl_easy_ssls_export()` during callback re-entrancy on 29/04/2026
curl disclosed a bug submitted by m1llie: https://hackerone.com/reports/3682666 [...]
Heap-buffer-overflow in `Curl_ssl_push_certinfo_len()` sole bounds check is `DEBUGASSERT` on 29/04/2026
curl disclosed a bug submitted by h3zh3z: https://hackerone.com/reports/3684614 [...]
Stack exhaustion in MIME multipart reading with deeply nested subparts on 29/04/2026
curl disclosed a bug submitted by wi110w: https://hackerone.com/reports/3684603 [...]
PS4 BD-J privilege escalation using nested JAR on 29/04/2026
PlayStation disclosed a bug submitted by gezine: https://hackerone.com/reports/3452696 - Bounty: $2500 [...]
6 Lessons Security Leaders Must Learn About AI and APIs by Tim Erlin on 28/04/2026
Most organizations treating AI security as a model problem are defending the wrong layer. Security teams filter prompts, patch jailbreaks, and tune model behavior, which is all necessary work, while the actual attack surface sits largely unexamined underneath. That surface is the API layer: the endpoints AI systems use to retrieve data, call tools, and take action on behalf of users. This isn' [...]
PortSwigger recognized at the Northern Tech Awards 2026. on 28/04/2026
We’re proud to announce that PortSwigger recently won the Overall Judges’ Award at the Northern Tech Awards 2026. The Northern Tech Awards are run by GP Bullhound, the tech advisory and investment fir [...]