InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Any installed app can force immediate logout and persistent DOS of authenticated Basecamp sessions via unprotected exported StartActivity on 04/07/2026
Basecamp disclosed a bug submitted by zerodaysec_xyz: https://hackerone.com/reports/3764217 - Bounty: $287 [...]
let's vibe on 04/07/2026
admin.shopify.com: Shopify Flow continues sending internal emails to a configured recipient after the staff author is removed on 03/07/2026
Shopify disclosed a bug submitted by abahack: https://hackerone.com/reports/3628961 [...]
Are your employees using AI? on 03/07/2026
Flock Cameras Can Surveil Cars Without License Plates on 03/07/2026
This is from a 2024 company presentation: Officers can also tap into data showing a car’s decals, bumper stickers, back and top racks—along with temporary and unique state tags. Flock calls it a “Vehicle Fingerprint” and it’s touted as a way for law enforcement officials to get more information “even when you don’t have full plate information,” the c [...]
FBI Seizes NetNut Proxy Platform, Popa Botnet by BrianKrebs on 02/07/2026
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botn [...]
Non-Production API Endpoints for the Amazon S3 Tables Service Fail to Log to CloudTrail, Resulting in Silent Permission Enumeration on 02/07/2026
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3780277 [...]
We get this question a lot on 02/07/2026
jitsi-meet: Prosody/Jigasi missing header whitelist in mod_filter_iq_rayo allows arbitrary SIP header injection and Caller ID spoofing on 02/07/2026
8x8 disclosed a bug submitted by pmgjoe: https://hackerone.com/reports/3789570 - Bounty: $100 [...]
jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze` on 02/07/2026
8x8 disclosed a bug submitted by r1skr1der: https://hackerone.com/reports/3485343 - Bounty: $100 [...]
Yelp for Business: locked Email field silently editable via API on 02/07/2026
Yelp disclosed a bug submitted by 0xmanticore: https://hackerone.com/reports/3766455 [...]
Celebrating 1 Million Subscribers on July 8th! on 02/07/2026
Cybersecurity Mission Creep in the US on 02/07/2026
Interesting paper: “Cybersecurity Mission Creep.” Abstract: Cybersecurity is experiencing mission creep. Policymakers are casting more and more problems as issues of cybersecurity. So reframed, wildly different policy issues, from misinformation, to child social media safety laws, to antitrust regulations, to alleged journalist misconduct, to anti-sex trafficking statutes become what t [...]
GPT-5.5-Cyber built a zlib fuzzing lab in a day on 02/07/2026
We’re running Patch the Planet, an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest model [...]
Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission on 02/07/2026
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3559522 [...]
[Splatoon 3] Kick other players with NplnLogin message on 02/07/2026
Nintendo disclosed a bug submitted by alzxk11: https://hackerone.com/reports/3813932 [...]
Exceeding the maximum number of spaces allowed by exploiting a Race Condition in the Workspace creation process on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3295500 [...]
Insecure Direct Object Reference (IDOR) allows creating folders. on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353057 [...]
Delete any folder for any user within the organization on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353035 [...]
Privilege Escalation Access to the Alert Subscribers page for users with low privileges on 01/07/2026
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353000 [...]
Improper Input Validation HTTP Response Parser Unconditionally Accepts Bare CR in Status Line on 01/07/2026
Node.js disclosed a bug submitted by saif-01: https://hackerone.com/reports/3648681 [...]
Beyond Usernames on 01/07/2026
Papa Johns Surveillance-Based Advertising on 01/07/2026
Papa Johns is spying on people’s buying activities to predict when they are low on food: The pizza chain recently tapped NBCUniversal, Instacart and the dentsu-owned media agency Carat for help reaching consumers when they’re low on groceries—and thus more likely to be swayed by a mouth-watering ad. The idea is to reach hungry consumers by “knowing what is in their fridge w [...]
Backdoors & Breaches: New scenarios and adaptations on 01/07/2026
Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches. [...]
Beyond CTF Labs on 30/06/2026
heap-use-after-free in curl_easy_cleanup() called from callback on 30/06/2026
curl disclosed a bug submitted by carehi1324: https://hackerone.com/reports/3833577 [...]
The Realities of AI Video Surveillance on 30/06/2026
The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia. I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. The interesting development in the article is that AI allows people to ask natural language questions abo [...]
setopt(VERIFYPEER) from callback bypasses TLS verify on connection reuse on 30/06/2026
curl disclosed a bug submitted by a6b30108: https://hackerone.com/reports/3831432 [...]
Shipping post-quantum cryptography to Python on 30/06/2026
Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency, we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography. On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantu [...]
ssh_config_matches is dead code: unauthorized SSH key reuse on 30/06/2026
curl disclosed a bug submitted by bigtang: https://hackerone.com/reports/3826843 [...]
CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer on 30/06/2026
curl disclosed a bug submitted by smaeljaish771: https://hackerone.com/reports/3831345 [...]
libcurl upload read callbacks miss recursive API guard, allowing prohibited multi API reentry and ASAN-confirmed UAF on 30/06/2026
curl disclosed a bug submitted by th3hound: https://hackerone.com/reports/3832393 [...]
Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint on 30/06/2026
Discourse disclosed a bug submitted by dpaysm: https://hackerone.com/reports/3400140 - Bounty: $1024 [...]
Annual testing starts to look a little dusty when... on 29/06/2026
Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports on 29/06/2026
Monero disclosed a bug submitted by kklam32: https://hackerone.com/reports/3547349 [...]
Remote node DOS on 29/06/2026
Monero disclosed a bug submitted by xnbya: https://hackerone.com/reports/876530 [...]
Factoring RSA Keys with Many Zeros on 29/06/2026
Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, [...]
ConsentFix Exposed on 29/06/2026
Inside H1-813 Live Hacking Event with Salesforce in Tokyo on 29/06/2026
Robot Police Officers on 29/06/2026
We’ve taken one small step towards robot police officers: a drone capable of disarming a suspect: In a June 22 video posted on the Sacramento County Sheriff’s Office’s Instagram page, an officer wearing goggles can be seen operating a drone to retrieve a knife from an armed suspect hiding inside a cluttered house. “After not responding to negotiators, a drone was deployed inside the re [...]
Reconnaissance for exposure management: why context matters in the AI era by Radu Voloaga on 29/06/2026
Over the last few weeks, we’ve explored what AI is changing in security: discovery is faster (Vulnpocalypse now?), volume is higher (Common AI misconceptions debugged!), and the human layer triage (The AI Impact), judgment, and prioritization has become more important, not less (CEO Insights). But there’s a deeper implication hiding underneath all of that: most security teams still only learn from [...]
UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback on 28/06/2026
curl disclosed a bug submitted by homanp: https://hackerone.com/reports/3824303 [...]
Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080) on 28/06/2026
curl disclosed a bug submitted by stze: https://hackerone.com/reports/3823985 [...]
How to pentest - 101 [CNWPP] deliverables + basic network hacking on 27/06/2026
Exploiting insecure cookie policies by Aurélien on 27/06/2026
Cookies are one of the most fundamental building blocks of the modern web, and yet they are often overlooked from a security perspective. When misconfigured, they can potentially lead to exposure of sensitive session data, enable several client-side attacks, and in severe cases, even allow attackers to impersonate users completely. In this article, we'll explore what cookies are, how they work and [...]
Security debt has a nasty interest rate. on 26/06/2026
The Chinese Control the Majority of Argentina’s Squid Fleet on 26/06/2026
Chinese companies control nearly two-thirds of Argentina’s own squid fleet. [...]
Meta Is Testing Facial Recognition for Police and Military on 26/06/2026
We know that ICE wants to deploy eyeglasses with facial recognition that can identify people in real time. Turns out Meta is prototyping the feature with a Pentagon supplier. (Alternate news story.) [...]
Facebook Phishing Fails on 26/06/2026
Real Folks of Cyber | Pearce Barry | Day in the Life on 26/06/2026
mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0 on 26/06/2026
curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]
CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection on 26/06/2026
curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]
One Million Passports Leaked Online on 26/06/2026
A database of almost a million passports from around the world was leaked online. Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk. [...]
Intigriti Bug Bytes #237 - June 2026 🚀 by Ayoub on 26/06/2026
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month's issue, we are featuring: A 10-year-old pre-auth RCE in phpBB Earning $500K hacking Google with AI Reading any Salesforce Marketing Cloud account's emails New DOMPurify sanitizer bypass Mapping abandoned S3 buckets to redo SolarWinds at scale And so much more! Let's dive in! Using AI the smart way: interview with Cristian [...]
Introducing GuardDog 3.0: A new rules engine, transparent sandboxing, and more on 26/06/2026
Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing. [...]
Getting Started with the TCM Security Academy on 25/06/2026
AI and Liability on 25/06/2026
Earlier this month, a German court ruled that Google is liable for its AI search summaries. Rejecting defenses like “users can check for themselves,” and that they generally know “that information generated with AI should not be blindly trusted,” the court held that the AI’s summaries are reflections of the company and “above all an expression of Google’s [...]
Disable SmartScreen Fast on 25/06/2026
PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting on 25/06/2026
Revive Adserver disclosed a bug submitted by doomtech: https://hackerone.com/reports/3781492 [...]
XMLRPC login leak exposes valid session ID enabling unauthorized API access on 25/06/2026
Revive Adserver disclosed a bug submitted by garuthacktvist: https://hackerone.com/reports/3783738 [...]
Reflected XSS via unsanitised refresh parameter in zone invocation tag on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3780806 [...]
PHP code injection in delivery-limitation `logical` validation bypass on 25/06/2026
Revive Adserver disclosed a bug submitted by riodrwn: https://hackerone.com/reports/3780854 [...]
Stored XSS in maintenance tools via unescaped entity names on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781311 [...]
CSRF in zoneinclude.php allows unauthorized banner and campaign linking on 25/06/2026
Revive Adserver disclosed a bug submitted by an_gr_y: https://hackerone.com/reports/3781691 [...]
Missing ownership validation allows cross-manager tracker-campaign linking on 25/06/2026
Revive Adserver disclosed a bug submitted by hakuopi: https://hackerone.com/reports/3780709 [...]
Reflected XSS in statsvideo.php via improperly encoded URL parameters on 25/06/2026
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3793243 [...]
HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent` on 25/06/2026
Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3582376 [...]
Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix) on 25/06/2026
Node.js disclosed a bug submitted by cyberjoker: https://hackerone.com/reports/3618831 [...]
Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3688064 [...]
Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656869 [...]
TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections on 25/06/2026
Node.js disclosed a bug submitted by 3d7omb: https://hackerone.com/reports/3649802 [...]
Permission Model bypass via FileHandle.utimes() in the promises API on 25/06/2026
Node.js disclosed a bug submitted by muhammaddaffa: https://hackerone.com/reports/3625987 [...]
Proxy credentials leaked in ERR_PROXY_TUNNEL error message on 25/06/2026
Node.js disclosed a bug submitted by nssys: https://hackerone.com/reports/3720313 [...]
Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames on 25/06/2026
Node.js disclosed a bug submitted by kingsd: https://hackerone.com/reports/3676863 [...]
Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings on 25/06/2026
Node.js disclosed a bug submitted by tmeletlidis: https://hackerone.com/reports/3656716 [...]
Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS) on 25/06/2026
Node.js disclosed a bug submitted by erichen: https://hackerone.com/reports/3760016 [...]
The bugs that ruin your weekend aren't on your automated reports. 💀 on 24/06/2026
Where have I gone? on 24/06/2026
Github got Hacked by CATS on 24/06/2026
HTTPS proxy connection reuse lets one easy handle inherit another handle's mTLS-authenticated proxy session on 24/06/2026
curl disclosed a bug submitted by zhenyan: https://hackerone.com/reports/3735180 [...]
CVE-2026-11564: Native CA trust persist on 24/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3788984 [...]
CVE-2026-12064: proto-default skips SSH verification on 24/06/2026
curl disclosed a bug submitted by alienowo: https://hackerone.com/reports/3797526 [...]
CVE-2026-11586: WS Auto-PONG memory exhaustion on 24/06/2026
curl disclosed a bug submitted by evergarden1123: https://hackerone.com/reports/3788931 [...]
CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop on 24/06/2026
curl disclosed a bug submitted by vectorqueue: https://hackerone.com/reports/3783438 [...]
CVE-2026-10536: HTTP/2 stream-dependency tree UAF on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751697 [...]
CVE-2026-8924: trailing dot domain super cookie on 24/06/2026
curl disclosed a bug submitted by vegagent: https://hackerone.com/reports/3733905 [...]
CVE-2026-9547: SSH improper host validation on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751712 [...]
CVE-2026-9546: sending old referer on 24/06/2026
curl disclosed a bug submitted by fafawf: https://hackerone.com/reports/3754343 [...]
CVE-2026-9079: stale proxy password leak on 24/06/2026
curl disclosed a bug submitted by keen4n: https://hackerone.com/reports/3750295 [...]
CVE-2026-9080: UAF after pause in socket callback on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3749204 [...]
CVE-2026-8286: wrong STARTTLS connection reuse on 24/06/2026
curl disclosed a bug submitted by bagder: https://hackerone.com/reports/3718195 [...]
CVE-2026-8932: incomplete mTLS config matching in conn reuse on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733910 [...]
CVE-2026-8927: env-set cross-proxy Digest auth state leak on 24/06/2026
curl disclosed a bug submitted by adyej: https://hackerone.com/reports/3744543 [...]
CVE-2026-8925: SASL double-free on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735193 [...]
CVE-2026-8926: password leak with netrc and user in URL on 24/06/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735184 [...]
CVE-2026-8458: wrong reuse for different services on 24/06/2026
curl disclosed a bug submitted by areksaxyz: https://hackerone.com/reports/3721183 [...]
Insufficient checks in the file path parameter allow writing to unauthorized directories on 24/06/2026
SingleStore disclosed a bug submitted by axolot23: https://hackerone.com/reports/3384615 [...]
CVE-2026-9545: exposing HTTP/3 early data on 24/06/2026
curl disclosed a bug submitted by hahahkim: https://hackerone.com/reports/3752888 [...]
CVE-2026-11856: cross-origin Digest auth state leak on 24/06/2026
curl disclosed a bug submitted by jjchuck: https://hackerone.com/reports/3793260 [...]