Vulnerability Report: Buffer Overflow in Path Sanitization on 16/06/2026
curl disclosed a bug submitted by newstuff321: https://hackerone.com/reports/3804525 [...]
InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Flock Cameras Are Being Used for Stalking on 16/06/2026
There are over a dozen cases around the country where police officers are using the Flock surveillance camera system to obsessively and illegally stalk people. Alternate link. [...]
AI Changed Vulnerability Discovery Fast on 16/06/2026
AI Security's Last Mile Problem with Michael Mckinley on 16/06/2026
Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file on 16/06/2026
Rocket.Chat disclosed a bug submitted by eldudareeno: https://hackerone.com/reports/3611837 [...]
Global expertise, built with EU data needs in mind on 16/06/2026
Malicious Conflux Endpoint Can Leave Stale Global OOO Queue Accounting After Teardown on 16/06/2026
Tor disclosed a bug submitted by aptupdate: https://hackerone.com/reports/3701692 - Bounty: $100 [...]
Unauthenticated reading of every file via livechat auth and predicting MongoDB ObjectId() on 15/06/2026
Rocket.Chat disclosed a bug submitted by aikido_security: https://hackerone.com/reports/3687142 [...]
Reflected Cross-Site Scripting (XSS) found on IBM.com domain on 15/06/2026
IBM disclosed a bug submitted by entrovyx: https://hackerone.com/reports/3664261 [...]
Incomplete Suppression of Transfer-Encoding: chunked Header in HTTP/2 After Redirect From HTTP/1.1 on 15/06/2026
curl disclosed a bug submitted by unknowperson0212: https://hackerone.com/reports/3793495 [...]
Secure cookies leaked to HTTP origins through HTTPS forwarding proxy on 15/06/2026
curl disclosed a bug submitted by daviey: https://hackerone.com/reports/3803415 [...]
How I Made $30,000 Hacking Broken Access Control on 15/06/2026
$30K from one bug class: broken access control. Here's how 3 "lows" chain into account takeover on 15/06/2026
The FCC Wants to Eliminate Burner Phones on 15/06/2026
A proposed FCC rule would kill burner phones: phones whose accounts are not attached to a particular person. The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who [...]
UI Consent Bypass via Comma Injection in `addAutoApproveTarget` User-Approval Dialog and Persistence Layer Disagree on Target Scope, Yielding Authen on 15/06/2026
PortSwigger Web Security disclosed a bug submitted by hacker-kartel: https://hackerone.com/reports/3717354 [...]
Holding blobs for ransom: Four methods for Azure Storage ransomware on 15/06/2026
This post explores four vectors for threat actors to abuse Azure Storage to maliciously encrypt victim blobs, including step-by-step explanations and event codes for detection. [...]
ContinuumCon 2026 - Day 3 on 14/06/2026
Upcoming Speaking Engagements on 14/06/2026
This is a current list of where and when I am scheduled to speak: I’m giving a keynote at Cybernation 2026 in Berlin, Germany, on June 24, 2026. I’m speaking at the Potsdam Conference on National Cybersecurity at the Hasso Plattner Institut in Potsdam, Germany. The event runs June 24–25, 2026, and my talk will be the evening of June 24. I’m participating in a panel discussion at the Austrian Inst [...]
Burp Suite Professional: browser-powered crawl can write attacker-controlled files through file input handling on 14/06/2026
PortSwigger Web Security disclosed a bug submitted by kawakatz: https://hackerone.com/reports/3712279 - Bounty: $5000 [...]
ContinuumCon 2026 - Day 2 on 13/06/2026
Duplicate chunked Transfer-Encoding lets a malicious origin smuggle a response across reused HTTP proxy connections on 13/06/2026
curl disclosed a bug submitted by violet12331: https://hackerone.com/reports/3795615 [...]
ContinuumCon 2026 - Day 1 on 12/06/2026
Friday Squid Blogging: Squid-Inspired Fluid Pump on 12/06/2026
This fluid pump was inspired by the way squids propel themselves through the water. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Bernie Sanders’ AI Sovereign Wealth Fund Plan on 12/06/2026
Let no one accuse Bernie Sanders of ducking the big questions. Writing in the New York Times last week, the senator asked: “Will the future of humanity be determined by a handful of billionaires who have promoted and developed AI, with virtually no democratic input, who stand to become even richer and more powerful than they are today?” We agree entirely that this is one of the most po [...]
Factoring "short-sleeve" RSA keys with polynomials on 12/06/2026
What happens when the bits of an RSA private key are heavily biased toward 0 instead of being randomly generated? The public key’s bits could be biased enough for us to detect these incorrectly generated keys in the wild. Together with Hanno Böck of the badkeys project, we found hundreds of unique keys that not only have this property, but can be quickly factored. We also found the bug that led to [...]
Incomplete Fix for CVE-2026-21637: OCSPRequest and resumeSession Events Crash Node.js TLS Server via Unhandled Synchronous Exceptions on 12/06/2026
Node.js disclosed a bug submitted by shinchan_69: https://hackerone.com/reports/3781015 [...]
Payload Podcast 008 - Ryan Hausknecht on 12/06/2026
Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs` on 11/06/2026
AWS VDP disclosed a bug submitted by inkerton: https://hackerone.com/reports/3558713 [...]
Firecracker Out-of-bounds Read/Write Local Privilege Escalation Vulnerability on 11/06/2026
AWS VDP disclosed a bug submitted by terrynini38514: https://hackerone.com/reports/3738654 [...]
CRLF Injection via Custom HTTP Headers on 11/06/2026
curl disclosed a bug submitted by bugthiru: https://hackerone.com/reports/3741744 [...]
heap-use-after-free in state.referer when CURLOPT_REFERER replaced or cleared after perform on 11/06/2026
curl disclosed a bug submitted by fg0x0: https://hackerone.com/reports/3774279 [...]
RCE + PAT Exfiltration via pull_request_target in privacy-configuration/auto-respond-pr.yml Direct Supply Chain to All DDG Browsers on 11/06/2026
DuckDuckGo disclosed a bug submitted by 6r1ff1n: https://hackerone.com/reports/3619288 [...]
RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml Affects All DuckDuckGo Browsers on 11/06/2026
DuckDuckGo disclosed a bug submitted by 6r1ff1n: https://hackerone.com/reports/3619287 [...]
SSRF via Improper Redirect Validation in Rocket.Chat oEmbed Function on 11/06/2026
Rocket.Chat disclosed a bug submitted by button142857: https://hackerone.com/reports/3383079 [...]
SSRF via improper validation after DNS name resolution in the link-preview feature on 11/06/2026
Rocket.Chat disclosed a bug submitted by button142857: https://hackerone.com/reports/3393664 [...]
Enhanced License Plate Tracking on 11/06/2026
The surveillance company Leonardo wants more data: A surveillance company plans to add sensors to automatic license plate readers (ALPRs) that would mean the devices, as well as capture the license plate of passing vehicles, would also sweep up unique identifiers of mobile phones, wearables, and other Bluetooth-enabled devices in those cars, potentially letting law enforcement identify specific dr [...]
LIVE: 🕵️ CTF Prize Draw | Cybersecurity on 11/06/2026
Securing the uncharted territories of AI systems. A discussion with Leo Racanelli by Eleanor Barlow on 11/06/2026
The intersection of AI and cybersecurity is reshaping how we find, fix, and think about vulnerabilities. Yet for all the headlines, few conversations cut through the noise to ask what AI means for those on the ground: the hunters, the security engineers, and the organizations trying to secure their data. In this blog, we open up that discussion, with insights from Leo Racanelli for an unflinching [...]
Entra Agent ID: The blueprint blast radius on 11/06/2026
Entra Agent ID is an extension of Entra's application model that provides identities for AI agents. Unlike applications, the agent identity model allows linking a single app registration (blueprint) to multiple identities and their associated privileges, increasing the potential blast radius of a compromised agent. [...]
curl-ipv4-percent-normalization-SSRF on 10/06/2026
curl disclosed a bug submitted by monk17: https://hackerone.com/reports/3791168 [...]
Trailing-Dot Hostname in Redirect Silently Strips Client Certificate and Auth Credentials on 10/06/2026
curl disclosed a bug submitted by azraelxuemo: https://hackerone.com/reports/3791191 [...]
curl/libcurl vulnerable to TLS truncation attacks on 10/06/2026
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/1826392 [...]
Who Runs the Ransomware Group ‘The Gentlemen?’ by BrianKrebs on 10/06/2026
A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group. A graphic create [...]
NSO Group Hacking WhatsApp Despite Court Order on 10/06/2026
WhatsApp has caught the NSO Group phishing its users, in violation of a court order. [...]
A Record-Breaking Patch Tuesday for June 2026 by BrianKrebs on 09/06/2026
Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company’s monthly Patch Tuesday cycle. Nearly three dozen of those bugs earned Microsoft’s most dire “critical” rating, and exploit code for at least three of the weaknesses is now publicly available. The s [...]
GPS As a Key Distribution Platform on 09/06/2026
This is interesting: The U.S. military has likely been quietly broadcasting codes for its global encryption network using public GPS for nearly 20 years, turning each satellite into a hidden “numbers station,” according to Steven Murdoch… That means every device that uses GPS has been receiving hidden government information for years, and nobody outside the military knew it until [...]
Secrets to PNPT Debrief Success on 09/06/2026
SSH/SFTP connection reuse can bypass SSH key identity after ssh_config_matches removal on 09/06/2026
curl disclosed a bug submitted by byteray_ltd: https://hackerone.com/reports/3788506 [...]
SOCKS5 no-auth accepted despite username/password-only authentication on 09/06/2026
curl disclosed a bug submitted by kalfkinen: https://hackerone.com/reports/3786077 [...]
Action Text ReDoS (Ruby 3.1 or lower) on 09/06/2026
Ruby on Rails disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2389431 [...]
Intigriti named Best Security Company of 2026 at the SC Awards by Eleanor Barlow on 09/06/2026
We are delighted to share that Intigriti has won Best Security Company (under 250 employees), at this year’s SC Awards Europe. What it means to be an SC Award winner For over 25 years, the SC Awards Europe have defined what excellence looks like in cybersecurity, recognizing the organizations, technologies, and leaders shaping the future of the industry. On the 3rd of June 2026, Intigriti met wi [...]
Critical Zcash Vulnerability Found and Fixed on 08/06/2026
If you’re a user—owner?—of this cryptocurrency, this is important: On May 29, the security researcher Taylor Hornby found a critical vulnerability in Zcash Orchard privacy pool using Claude Opus 4.8. The Zcash team hired Hornby specifically to look for this kind of issue. He found one fast enough to be embarrassing. The Orchard pool is the newest and most advanced shielded transa [...]
your future awaits hackers on 08/06/2026
Content creations was both a blessing and a curse. #bugbounty on 08/06/2026
This Hacker Made $7,000 Hacking AI With One Email on 08/06/2026
Anthropic’s Project Glasswing Update on 08/06/2026
In April, Anthropic initated Project Glasswing. The idea was to let companies use their new model to find and fix vulnerabilities in their own software. It was a fantastic PR move, and so many press outlets have uncritically parroted Anthropic’s claims that it’s now common wisdom that Mythos is better at finding software vulnerabilities than other models. Which is just not true. In any [...]
libcurl: HTTP/1.x bare LF byte in response header value enables cookie jar pollution and POST body/credential exfiltration via redirect RC=0, curl 8 on 08/06/2026
curl disclosed a bug submitted by torkd1: https://hackerone.com/reports/3785919 [...]
DNS domain search list followed for extant domain missing A or AAAA records on 08/06/2026
curl disclosed a bug submitted by maxhearnden: https://hackerone.com/reports/3780733 [...]
OpenSSL TLS 1.2 session resumption accepts expired server certificates in libcurl on 07/06/2026
curl disclosed a bug submitted by awofjawofjfawf: https://hackerone.com/reports/3781305 [...]
curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication on 07/06/2026
curl disclosed a bug submitted by fanhua: https://hackerone.com/reports/3749428 [...]
curl External-Controlled Filename in `--url @file` Leads to Arbitrary File Overwrite on 07/06/2026
curl disclosed a bug submitted by alphalaab: https://hackerone.com/reports/3766392 [...]
Valid share tokens allow to access tempory upload files of share owner on 07/06/2026
Nextcloud disclosed a bug submitted by pirikara: https://hackerone.com/reports/3483708 [...]
Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC on 07/06/2026
Nextcloud disclosed a bug submitted by priyanka010: https://hackerone.com/reports/3489490 - Bounty: $2500 [...]
PIN bypass in PassCodeActivity via back button on 07/06/2026
Nextcloud disclosed a bug submitted by alper_ozturk: https://hackerone.com/reports/3625210 [...]
Superbacked helps the right people recover what matters on 06/06/2026
JHT Course Launch! Windows Maldev 6 on 06/06/2026
Why CAPIE[M] is the best API hacking certificate in the API Hacking industry on 06/06/2026
TCM Security CTF Walkthrough on 05/06/2026
GnuTLS OCSP stapling accepts unrelated SingleResponse (no cert-ID binding) on 05/06/2026
curl disclosed a bug submitted by argus-systems: https://hackerone.com/reports/3784125 [...]
CURLOPT_PROXY_CRLFILE / CURLOPT_PROXY_ISSUERCERT / CURLOPT_PROXY_ISSUERCERT_BLOB silently ignored on backends that don't support them on 05/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3717552 [...]
Shared HSTS cache accessed without lock on 05/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3718265 [...]
RTSP Digest auth state leaks across origins on reused libcurl easy handle on 05/06/2026
curl disclosed a bug submitted by hamaowo: https://hackerone.com/reports/3776535 [...]
TFTP upload ignores --continue-at / CURLOPT_RESUME_FROM and leaks skipped local file prefix on 05/06/2026
curl disclosed a bug submitted by bowen111: https://hackerone.com/reports/3776433 [...]
libcurl 8.20.0 ignores HTTP Digest domain protection space and preemptively leaks Digest auth outside the declared scope on 05/06/2026
curl disclosed a bug submitted by skksndk: https://hackerone.com/reports/3774977 [...]
CURLOPT_COOKIE leaked to cross-origin redirect target CURLOPT_UNRESTRICTED_AUTH bypass for the STRING_COOKIE path on 05/06/2026
curl disclosed a bug submitted by azraelxuemo: https://hackerone.com/reports/3766065 [...]
Try these bug bounty tips ↓ on 05/06/2026
BIG SHOW TODAY & AI vibes on 04/06/2026
Introducing the Wallarm AI Control Platform: One closed loop for AI security and API security. by Tim Erlin on 04/06/2026
TL;DR- AI deployment has outpaced AI governance. Most enterprises running AI on AWS cannot answer four basic security questions about what's running, what it's doing,how to stop it, and how to prove it's under control.- The Wallarm AI Control Platform closes this gap: one platform for Discover, Observe,Enforce, and Govern — running natively in your AWS environment.- Infrastructure Discovery maps [...]
The AI Slop Era: Do Most Vulnerabilities Actually Matter? on 03/06/2026
Bugmageddon: When AI Breaks the Security Model | Live with Bugcrowd on 03/06/2026
Missing access control when linking banners or campaigns to zones on 03/06/2026
Revive Adserver disclosed a bug submitted by darky_os: https://hackerone.com/reports/3650504 [...]
Missing access control when linking trackers to campaigns on 03/06/2026
Revive Adserver disclosed a bug submitted by darky_os: https://hackerone.com/reports/3650582 [...]
Blind SQL injection via clientid parameter in zoneinclude.php on 03/06/2026
Revive Adserver disclosed a bug submitted by titanrain: https://hackerone.com/reports/3653196 [...]
Reflected XSS via clientid parameter in zoneinclude.php on 03/06/2026
Revive Adserver disclosed a bug submitted by titanrain: https://hackerone.com/reports/3653316 [...]
PHP code injection via delivery limitation logical on 03/06/2026
Revive Adserver disclosed a bug submitted by 0x4c616e: https://hackerone.com/reports/3656781 [...]
Stored XSS via Full Name field in userlog email entries on 03/06/2026
Revive Adserver disclosed a bug submitted by 3l4: https://hackerone.com/reports/3669623 [...]
Session ID reuse allowing XMLRPC API authentication bypass on 03/06/2026
Revive Adserver disclosed a bug submitted by 0x4c616e: https://hackerone.com/reports/3672641 [...]
Missing access control when modifying parent entities via XMLRPC on 03/06/2026
Revive Adserver disclosed a bug submitted by 3l4: https://hackerone.com/reports/3677576 [...]
Banner status override by advertiserlevel users on 03/06/2026
Revive Adserver disclosed a bug submitted by v3rtical: https://hackerone.com/reports/3678828 [...]
Stored XSS via malicious usernames in audit log details + Username validation bypass in XMLRPC addUser on 03/06/2026
Revive Adserver disclosed a bug submitted by 3l4: https://hackerone.com/reports/3680090 [...]
PHP code injection via unexpected delivery limitation parameter on 03/06/2026
Revive Adserver disclosed a bug submitted by rajib_mahmud: https://hackerone.com/reports/3744200 [...]
Are ANY hacking scenes actually good? on 03/06/2026
The sorry state of skill distribution on 03/06/2026
Public skill marketplaces are being flooded with malicious skills that steal credentials, exfiltrate data, and hijack agents. In response, a segment of the security industry released skill scanners, a new family of tools designed to detect malicious skills before they’re installed. But we tested them, and they don’t work. We recently bypassed ClawHub’s malicious skill detector, Cisco’s agent skill [...]
PRE_PROXY change leaks stale Proxy Digest state across proxy-chain boundary on 03/06/2026
curl disclosed a bug submitted by hungly09: https://hackerone.com/reports/3777381 [...]
curl/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy on 03/06/2026
curl disclosed a bug submitted by arkss: https://hackerone.com/reports/3773293 [...]
SMTP connection reuse ignores --ssl-reqd / CURLOPT_USE_SSL and reuses a clear-text STARTTLS session on current master on 03/06/2026
curl disclosed a bug submitted by hualuo: https://hackerone.com/reports/3770979 [...]
Proxy CONNECT response poisoning via authentication retry in cf-h1-proxy.c (libcurl) on 03/06/2026
curl disclosed a bug submitted by lvtable: https://hackerone.com/reports/3767963 [...]
Top 5 Active Directory Pentesting Tools on 02/06/2026
Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection on 02/06/2026
PortSwigger Web Security disclosed a bug submitted by hacker-kartel: https://hackerone.com/reports/3775183 [...]