InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
From the first bug to financial independence: How bug bounty hunting shaped Isira's path
by Jennifer Chaney on 12/01/2026
At Intigriti, we’re proud of our mission: helping companies safeguard their digital assets and protect their customers in a world where cyber threats are constantly evolving. But beyond security, we’re equally passionate about empowering ethical hackers, providing them with opportunities to learn, grow, and make a meaningful impact with their skills.
We recently spoke with Isira, an ethical hacke [...]
Heap Out-of-Bounds Read in lib/http2.c via Malformed PUSH_PROMISE Headers
on 10/01/2026
curl disclosed a bug submitted by darksql: https://hackerone.com/reports/3506159 [...]
CRLF Injection in HTTP header values allows arbitrary header injection
on 10/01/2026
curl disclosed a bug submitted by unknowperson0212: https://hackerone.com/reports/3505557 [...]
JHT Course Launch! Constructing Defense 2026 - AI Assisted
on 10/01/2026
Friday Squid Blogging: The Chinese Squid-Fishing Fleet off the Argentine Coast
on 09/01/2026
The latest article on this topic.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Blog moderation policy.
[...]
IDOR EVERYWHERE - Medium reading
on 09/01/2026
My brain said no
on 09/01/2026
Palo Alto Crosswalk Signals Had Default Passwords
on 09/01/2026
Palo Alto’s crosswalk signals were hacked last year. Turns out the city never changed the default passwords.
[...]
Who Benefited from the Aisuru and Kimwolf Botnets?
by BrianKrebs on 08/01/2026
Our first story of 2026 revealed how a destructive new botnet called Kimwolf has infected more than two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. Today, we’ll dig through digital clues left behind by the hackers, network operators and services that appear to have benefitted from Kimwolf’s spread.
On Dec. 17, 2025, the Chinese security [...]
With Network Forensics, Sometimes You Just Get Lucky...
on 08/01/2026
Part 1: HackerOne CEO on the need for Rapid Response
on 08/01/2026
If security’s been on your mind lately…
on 08/01/2026
State Isolation Failure in Multiplexed Connections (Shared Auth Context)
on 08/01/2026
curl disclosed a bug submitted by raulvdv: https://hackerone.com/reports/3487952 [...]
AI & Humans: Making the Relationship Work
on 08/01/2026
Leaders of many organizations are urging their teams to adopt agentic AI to improve efficiency, but are finding it hard to achieve any benefit. Managers attempting to add AI agents to existing human teams may find that bots fail to faithfully follow their instructions, return pointless or obvious results or burn precious time and resources spinning on tasks that older, simpler systems could have a [...]
Stack Buffer Overflow in mprintf.c formatting function (fallback path)
on 08/01/2026
curl disclosed a bug submitted by han_ank: https://hackerone.com/reports/3493602 [...]
Inconsistent Rejection Logic in file:// URLs with Authority
on 08/01/2026
curl disclosed a bug submitted by unknowperson0212: https://hackerone.com/reports/3494098 [...]
LIVE: 🕵️ New Year New Me | Sherlocks | Cybersecurity
on 08/01/2026
The Wegman’s Supermarket Chain Is Probably Using Facial Recognition
on 07/01/2026
The New York City Wegman’s is collecting biometric information about customers.
[...]
CVE-2025-14524: bearer token leak on cross-protocol redirect
on 07/01/2026
curl disclosed a bug submitted by anonymous_237: https://hackerone.com/reports/3459417 [...]
CVE-2025-15079: libssh global knownhost override
on 07/01/2026
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/3477116 [...]
CVE-2025-15224: libssh key passphrase bypass without agent set
on 07/01/2026
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/3480925 [...]
Decoding the GitHub recommendations for npm maintainers
on 07/01/2026
This blog post explores the rationale and implementation behind GitHub's security recommendations for npm maintainers following numerous high-profile supply-chain incidents. It details how hardening publishing infrastructure through trusted publishing, enforced two-factor authentication, and WebAuthn-based protocols can meaningfully increase the resilience of the ecosystem. [...]
Postgres Admin Username and Password in Plain text
on 06/01/2026
UPchieve disclosed a bug submitted by guusverbeek: https://hackerone.com/reports/1561448 [...]
A Cybersecurity Interview Gone Wrong
on 06/01/2026
Non-Production API Endpoints for the AI Ops Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration
on 06/01/2026
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3418966 [...]
A Cyberattack Was Part of the US Assault on Venezuela
on 06/01/2026
We don’t have many details:
President Donald Trump suggested Saturday that the U.S. used cyberattacks or other technical capabilities to cut power off in Caracas during strikes on the Venezuelan capital that led to the capture of Venezuelan President Nicolás Maduro.
If true, it would mark one of the most public uses of U.S. cyber power against another nation in recent memory. These operation [...]
MQTT: Missing upper bound on incoming Remaining Length allows server-controlled long wait
on 06/01/2026
curl disclosed a bug submitted by gaurav_7777: https://hackerone.com/reports/3488278 [...]
AWS Auto Scaling Service Reporting "AWS Internal" for CloudTrail Events Generated from Specific Endpoints
on 05/01/2026
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3419587 [...]
Telegram Hosting World’s Largest Darknet Market
on 05/01/2026
Wired is reporting on Chinese darknet markets on Telegram.
The ecosystem of marketplaces for Chinese-speaking crypto scammers hosted on the messaging service Telegram have now grown to be bigger than ever before, according to a new analysis from the crypto tracing firm Elliptic. Despite a brief drop after Telegram banned two of the biggest such markets in early 2025, the two current top markets, k [...]
Stored XSS via SVG Upload in chat.line.biz
on 05/01/2026
LY Corporation disclosed a bug submitted by imnotr3al: https://hackerone.com/reports/3008878 - Bounty: $100 [...]
Path Traversal in curl file:// Protocol Handler Allows Unauthorized File Access
on 04/01/2026
curl disclosed a bug submitted by 7hackerstar: https://hackerone.com/reports/3485930 [...]
Alt-Svc bypasses credential leak protection (CVE-2018-1000007)
on 04/01/2026
curl disclosed a bug submitted by amik_f: https://hackerone.com/reports/3485826 [...]
Predictable proposal participant tokens enable unauthorized access and vote submission
on 04/01/2026
Nextcloud disclosed a bug submitted by loremipsumi: https://hackerone.com/reports/3385434 - Bounty: $100 [...]
Users can modify tags on files that do not belong to them
on 04/01/2026
Nextcloud disclosed a bug submitted by rolandsch: https://hackerone.com/reports/3040887 - Bounty: $150 [...]
Deck app allows spoofing of file extensions by using RTLO characters
on 04/01/2026
Nextcloud disclosed a bug submitted by jayateerthag: https://hackerone.com/reports/2326618 - Bounty: $100 [...]
Information disclosure via Desktop client when attempting to lock a file inside an end-to-end encrypted directory
on 04/01/2026
Nextcloud disclosed a bug submitted by nilsding: https://hackerone.com/reports/3159877 [...]
Stored XSS in contacts app via organisation and title field
on 04/01/2026
Nextcloud disclosed a bug submitted by updatelap: https://hackerone.com/reports/3293290 - Bounty: $100 [...]
A message to my loving haters
on 03/01/2026
What to Expect From the 2026 Cybersecurity Job Market
on 03/01/2026
Friday Squid Blogging: Squid Found in Light Fixture
on 02/01/2026
Probably a college prank.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Blog moderation policy.
[...]
PROTOCOL-LEVEL: Persistent UDP Amplification and Cache Poisoning via Alt-Svc Logic Flaw
on 02/01/2026
curl disclosed a bug submitted by huntsd: https://hackerone.com/reports/3483902 [...]
The Kimwolf Botnet is Stalking Your Local Network
by BrianKrebs on 02/01/2026
The story you are reading is a series of scoops nestled inside a far more urgent Internet-wide security advisory. The vulnerability at issue has been exploited for months already, and it’s time for a broader awareness of the threat. The short version is that everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out [...]
Flock Exposes Its AI-Enabled Surveillance Cameras
on 02/01/2026
404 Media has the story:
Unlike many of Flock’s cameras, which are designed to capture license plates as people drive by, Flock’s Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles. Condor cameras can be set to automatically zoom in on people’s faces as they walk through a parking lot, down a public street, or play on a playground, or [...]
HTTP Request Smuggling and SSRF via CRLF Injection in Curl_add_custom_headers
on 02/01/2026
curl disclosed a bug submitted by n12d11n: https://hackerone.com/reports/3484431 [...]
CRLF Injection in Gopher Protocol (`lib/gopher.c`)
on 02/01/2026
curl disclosed a bug submitted by gaurav0212: https://hackerone.com/reports/3484506 [...]
The role "CI-driven scan initiator" provides excessive read access
on 02/01/2026
PortSwigger Web Security disclosed a bug submitted by osama-hamad: https://hackerone.com/reports/2276148 [...]
MQTT Protocol Violation & Integer Overflow in libcurl
on 01/01/2026
curl disclosed a bug submitted by ssyyaa: https://hackerone.com/reports/3484319 [...]
A quiet New Year wish for security researchers
on 01/01/2026
curl disclosed a bug submitted by ltl_professor: https://hackerone.com/reports/3483225 [...]
Lol they don’t even have the guts to tag me
on 31/12/2025
Heath's Last Stream
on 31/12/2025
Remote Code Execution identified on IBM endpoint.
on 31/12/2025
IBM disclosed a bug submitted by dara_7979: https://hackerone.com/reports/3463045 [...]
LinkedIn Job Scams
on 31/12/2025
Interesting article on the variety of LinkedIn job scams around the world:
In India, tech jobs are used as bait because the industry employs millions of people and offers high-paying roles. In Kenya, the recruitment industry is largely unorganized, so scamsters leverage fake personal referrals. In Mexico, bad actors capitalize on the informal nature of the job economy by advertising fake formal ro [...]
Detect Go’s silent arithmetic bugs with go-panikint
on 31/12/2025
Go’s arithmetic operations on standard integer types are silent by default, meaning overflows “wrap around” without panicking. This behavior has hidden an entire class of security vulnerabilities from fuzzing campaigns. Today we’re changing that by releasing go-panikint, a modified Go compiler that turns silent integer overflows into explicit panics. We used it to find a live integer overflow in t [...]
Bugbounty is difficult 😞
on 31/12/2025
Going From Blue Team to Red Team
on 30/12/2025
My Favorite Bug Bounty Findings In 2025
on 30/12/2025
Using AI-Generated Images to Get Refunds
on 30/12/2025
Scammers are generating images of broken merchandise in order to apply for refunds.
[...]
The story of how I found XSS on GOOGLE - and did not get paid for it!
on 30/12/2025
HTTP/2 and HTTP/3 Header Injection in curl
on 30/12/2025
curl disclosed a bug submitted by cyberguardianrd: https://hackerone.com/reports/3481849 [...]
Proxy-Authorization header is leaked to origin server after redirect from proxied to direct connection
on 30/12/2025
curl disclosed a bug submitted by yupiy: https://hackerone.com/reports/3480713 [...]
SMTP CRLF Injection & Protocol Desynchronization in libcurl
on 29/12/2025
curl disclosed a bug submitted by ltl_professor: https://hackerone.com/reports/3481595 [...]
Happy 16th Birthday, KrebsOnSecurity.com!
by BrianKrebs on 29/12/2025
KrebsOnSecurity.com celebrates its 16th anniversary today! A huge “thank you” to all of our readers — newcomers, long-timers and drive-by critics alike. Your engagement this past year here has been tremendous and truly a salve on a handful of dark days. Happily, comeuppance was a strong theme running through our coverage in 2025, with a primary focus on entities that enabled comp [...]
Telnet Suboption Buffer Pointer Underflow in lib/telnet.c leads to Out-of-Bounds Read
on 29/12/2025
curl disclosed a bug submitted by stif: https://hackerone.com/reports/3480712 [...]
Developer geographic
on 29/12/2025
CrossLayer State Confusion in libcurl: Credential & KeyMaterial Persistence Across Redirect / Connection Reuse Boundaries
on 28/12/2025
curl disclosed a bug submitted by onevone: https://hackerone.com/reports/3480641 [...]
WebSocket Logic Error: Control Frame (PING/PONG) Starvation causes Connection Drop (DoS) during large transfers
on 28/12/2025
curl disclosed a bug submitted by efrsxcv: https://hackerone.com/reports/3480039 [...]
Heap Buffer Over-read in lib/http2.c (on_header) handling PUSH_PROMISE frames
on 28/12/2025
curl disclosed a bug submitted by efrsxcv: https://hackerone.com/reports/3480078 [...]
CRLF Injection / Protocol Smuggling in libcurl via CURLOPT_USERNAME (IMAP)
on 28/12/2025
curl disclosed a bug submitted by efrsxcv: https://hackerone.com/reports/3479984 [...]
HTTP/3 Protocol Smuggling and Header Injection via CRLF in QPACK value conversion
on 27/12/2025
curl disclosed a bug submitted by 0x0000nosfu: https://hackerone.com/reports/3479203 [...]
Security hardening: missing integer overflow check in curl_load_library()
on 27/12/2025
curl disclosed a bug submitted by y_security: https://hackerone.com/reports/3479019 [...]
Where to Find Cybersecurity News
on 26/12/2025
Protocol Smuggling / CRLF Injection via Gopher Protocol allows Arbitrary Command Injection
on 25/12/2025
curl disclosed a bug submitted by 0x0000nosfu: https://hackerone.com/reports/3477023 [...]
Integer Overflow in `curl_easy_escape()` may lead to heap buffer overflow and stack memory disclosure on 32-bit platforms
on 25/12/2025
curl disclosed a bug submitted by vovohelo: https://hackerone.com/reports/3476928 [...]
Public-suffix cookie injection when libpsl is disabled
on 25/12/2025
curl disclosed a bug submitted by pwnie: https://hackerone.com/reports/3475472 [...]
Heap Buffer Over-Read via Malicious SMB Server READ_ANDX Response
on 25/12/2025
curl disclosed a bug submitted by strokep: https://hackerone.com/reports/3470073 [...]
How To: Use the best hacking tool around
on 25/12/2025
Hero highlight - Zack0x01
on 24/12/2025
I have INCREDIBLE news
on 24/12/2025
Check out brutelogic ❤️❤️
on 24/12/2025
tabnabbing in roundcube webmail
on 24/12/2025
Nextcloud disclosed a bug submitted by waloodi109: https://hackerone.com/reports/3367676 [...]
December CTF Challenge: Chaining XS leaks and postMessage XSS
by Ayoub on 24/12/2025
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. December's challenge by Renwa took inspiration from the Marvel Cinematic Universe, specifically Thanos's quest to collect all six Infinity Stones. This challenge required us to chain multiple client-side vulnerabilities across different subdomains to ultimately achie [...]
When It's an Engineer's Turn to do Elf on the Shelf 🎅
on 23/12/2025
HAProxy Connection Reuse leads to IP Spoofing and mTLS Context Smuggling
on 23/12/2025
curl disclosed a bug submitted by anonymous_237: https://hackerone.com/reports/3475613 [...]
The Rise of the Bionic Hacker: Real Data Shaping Cybersecurity in 2026
on 23/12/2025
libcurl WebSocket handshake accepts any Sec-WebSocket-Accept
on 23/12/2025
curl disclosed a bug submitted by pwnie: https://hackerone.com/reports/3474865 [...]
From Agent2Agent Prompt Injection to Runtime Self-Defense: How Wallarm Redefines Agentic AI Security
by Tim Erlin on 23/12/2025
Is an AI-to-AI attack scenario a science fiction possibility only for blockbusters like the Terminator series of movies?
Well, maybe not!
Researchers recently discovered that one AI agent can “inject malicious instructions into a conversation, hiding them among otherwise benign client requests and server responses.” While known AI threats involve tricking an agent with malicious data, this [...]
[nextcloud/mail] Blind SSRF to Internal Network via "List-Unsubscribe" SMTP Header when allow_local_remote_servers is allowed
on 23/12/2025
Nextcloud disclosed a bug submitted by lauritz: https://hackerone.com/reports/2902856 [...]
Inside H1-6102: Live Hacking Event with Salesforce in Sydney
on 22/12/2025
Link unfurling calls out to arbitrary URLs and the private-network guard misses link-local addresses
on 22/12/2025
Basecamp disclosed a bug submitted by brumbelow: https://hackerone.com/reports/3445890 [...]
well
on 22/12/2025
Functional Regression in Digest Authentication: Failure to handle optional spaces and escaped quotes
on 21/12/2025
curl disclosed a bug submitted by herdiyanitdev: https://hackerone.com/reports/3473384 [...]
A logic error in detect_proxy caused truncation of environment variable names for long protocol schemes.
on 21/12/2025
curl disclosed a bug submitted by herdiyanitdev: https://hackerone.com/reports/3473182 [...]
The perfect tool ——- wait what’s that?
on 21/12/2025
The perfect toolkit doesn’t exist
on 21/12/2025
Unbounded memory consumption via compressed HTTP responses (gzip/brotli/zstd)
on 21/12/2025
curl disclosed a bug submitted by gaurav0212: https://hackerone.com/reports/3471553 [...]
I asked 10+ hunters who made 500K$+ what their secret is
on 20/12/2025
I need some help
on 20/12/2025
Heap Buffer Over-Read via Malicious SMB Server READ_ANDX Response
on 20/12/2025
curl disclosed a bug submitted by strokep: https://hackerone.com/reports/3470095 [...]
Learn Cyber Deception!
on 20/12/2025