InfoSec Planet

A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.

Able to bypass authorization logic and gain more access then intended

on 15/07/2026

GitHub disclosed a bug submitted by vaib25vicky: https://hackerone.com/reports/3713965 [...]

See full content

Q and A: RATS Q1 - How Do You Develop A Tinkering Mindset

on 15/07/2026

See full content

Bedrock AgentCore Starter Toolkit Creates Gateway IAM Roles Without Confused Deputy Protections

on 15/07/2026

AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3632577 [...]

See full content

A Video Screen That Is Also a Camera

on 15/07/2026

Amazing: Researchers from ETH Zurich in Switzerland, however, managed to create a new type of pixel that can simultaneously do both. This hypercharged pixel, called a Fourier pixel, can generate and sense arbitrary light fields and tap into a pixel’s full potential for carrying information by manipulating light’s intensity, oscillation phases, and polarization. The team reported its fi [...]

See full content

Your Weekly Test Is Already Too Late.

on 15/07/2026

See full content

Q and A: RATS Q2 What Is A Good Web App Hacking Workflow

on 14/07/2026

See full content

Stored XSS on Trix Editor version latest (2.1.16) - Sanitizer Bypass

on 14/07/2026

Basecamp disclosed a bug submitted by newbiefromcoma: https://hackerone.com/reports/3581911 - Bounty: $337 [...]

See full content

Microsoft Patches a Record 570 Security Flaws

by BrianKrebs on 14/07/2026

Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence. Nearly 60 of the bugs qu [...]

See full content

bedrock-mantle.api.aws accepts Bedrock API keys outside the IAM Deny, CloudTrail signal, and invocation logging AWS publishes for Bedrock keys

on 14/07/2026

AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3702072 [...]

See full content

Backdoored TortoiseSVN Installer

on 14/07/2026

See full content

Upcoming Speaking Engagements

on 14/07/2026

This is a current list of where and when I am scheduled to speak: I’m speaking (virtually) at the Policy-Relevant Privacy Research Workshop in Calgary, Canada, on Monday, July 20, 2026. I’m speaking at Boston Leadership Exchange in Boston, Massachusetts, USA, on Wednesday, July 22, 2026. I’m speaking at Cognitive Security Conference in Las Vegas, Nevada, USA. The conference runs August 6-7, 2026; [...]

See full content

Vulnerability in FIFA’s Network

on 14/07/2026

FIFA’s network was vulnerable to anyone with even minimal access. [...]

See full content

More Scans Are Not Continuous Security.

on 14/07/2026

See full content

Is Your Continuous Threat Exposure Management Actually Continuous with Michiel Prins

on 14/07/2026

See full content

Compromised AsyncAPI npm packages: inside a CI supply-chain attack

on 14/07/2026

On July 14, 2026, four npm packages in the @asyncapi namespace, totaling over 3 million weekly downloads, were compromised to deliver credential-stealing malware. We investigate how the attack unfolded and how to know if you're affected. [...]

See full content

AI Control Platform vs. AI Firewall vs. AI Gateway: Clearing Up The Terminology

by Tim Erlin on 13/07/2026

Editor's note: This article was originally published by Tim Erlin on LinkedIn. It has been republished here with the author's permission. https://www.linkedin.com/pulse/ai-control-platform-vs-firewall-gateway-clearing-up-tim-erlin-ypodc It seems like every security vendor now sells "AI security." The WAF companies, the API gateway companies, the cloud platforms, the proxy startups: all of them [...]

See full content

SELECT ... INTO OUTFILE does not enforce the FILE WRITE privilege unprivileged arbitrary file write on the server

on 13/07/2026

SingleStore disclosed a bug submitted by bisht-ji: https://hackerone.com/reports/3780695 [...]

See full content

Lessons Learned from CISA’s Recent GitHub Leak

by BrianKrebs on 13/07/2026

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a recent data leak in which a contractor published dozens of internal CISA credentials — including AWS Govcloud keys — in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency’s initial response provide important [...]

See full content

Payload Podcast 009 - Steven Flores

on 13/07/2026

See full content

This Hacker Made $8,000 Hacking a Major Retailer's AI Chatbot Over DNS (Live Demo!)

on 13/07/2026

See full content

AI Data Centers and the Concentration of Wealth

on 13/07/2026

This essay was written with Nathan E. Sanders, and originally appeared in The Guardian. Opposition to AI data centers has emerged as a primary theme in US politics, one that—surprisingly—doesn’t fall along party lines. We applaud people coming together for constructive debate on any issue, and agree that communities need to evaluate whether any economic benefits these data center [...]

See full content

Rust-proof your code with our new Testing Handbook chapter

on 13/07/2026

We’ve added a new chapter to our Testing Handbook: a comprehensive guide to security testing Rust programs. This chapter covers the tools and techniques we use at Trail of Bits to validate the security of Rust programs and systems. fn main() {(|f:&dyn Fn(u128)->Box< dyn Iterator<Item= char>+'static>|f(*[&( 0x7B736D70683F73u128<<64| 0x7A6A6D7C3F7A667D),&(0x7B73 [...]

See full content

NEW AI Hacking Challenges with Andrew Bellini!

on 11/07/2026

See full content

Friday Squid Blogging: “Squidbleed” Vulnerability

on 10/07/2026

In a rare combined cybersecurity/squid post, a twenty-nine-year-old squid proxy bug can leak HTTP requests. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]

See full content

Soft Skills for the Job Market: Applying for Jobs

on 10/07/2026

See full content

The most severe exposure lives in the quiet overlap between tech, people, and process. ♾️

on 10/07/2026

See full content

Fake Microsoft Installer

on 10/07/2026

See full content

AI Surveillance and Social Progress

on 10/07/2026

In the near future, AI-powered surveillance systems will be able to track everything we do in public, and much of what we do in private. And if we do something wrong—shoplift, litter, jaywalk, you name it—the system will notice, retain it, tie it to your official government record, communicate that fact to you, and provide real-time alerts to any relevant authorities… and maybe a [...]

See full content

See you at Black Hat USA 2026!

on 09/07/2026

See full content

Kiro IDE Stores Auth Tokens with World-Readable Permissions (0644)

on 09/07/2026

AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3630605 [...]

See full content

The Language of AI Could Change How Humans Speak

on 09/07/2026

Because of the way they are trained, large language models capture only a slice of human language. They’re trained on the written word, from textbooks to social media posts, and our speech as captured in movies and on television. These models have minimal access to the unscripted conversations we have face to face or voice to voice. This is the vast majority of speech, and a vital component [...]

See full content

Heading to Vegas? Meet PortSwigger at Black Hat, BSides, and DEF CON 34.

on 09/07/2026

First hand of the week: Find us at BSides Workshop: Burp But Yours, with Hannah and Tib3rius Center stage: Visit us at Black Hat USA - Booth 5342 Lightning talks at the booth Catch our researchers' br [...]

See full content

Not-so-anonymous telemetry: The @injectivelabs/sdk-ts backdoor

on 09/07/2026

A malicious commit disguised as SDK telemetry briefly compromised @injectivelabs/sdk-ts, exfiltrating wallet mnemonics and private keys. [...]

See full content

LIVE: 1 Million Subscribers | DEF CON/Summer Camp Giveaway

on 08/07/2026

See full content

TeamPCP Attention

on 08/07/2026

See full content

Welcome to the best security page ever.

on 08/07/2026

See full content

Felons, Fraudsters Flog Offensive Cybersecurity Startup

by BrianKrebs on 08/07/2026

A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names. The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 [...]

See full content

Cybersecurity and the Gap Between Skill and Ability

on 08/07/2026

Last week, national security agencies from the Five Eyes—that’s the rich, English-language-speaking countries club—jointly released a statement warning of the increasing cyber risks of AI models: in particular, their ability to autonomously hack into systems and networks. The statement was more measured than some of the breathless headlines about it, and the advice they gave is p [...]

See full content

Mutation testing comes to DAML

on 08/07/2026

In April we released Mewt, our open-source mutation-testing engine that finds the gaps in your test suite. Today we’re expanding it with support for DAML, the language Canton Network applications are written in. Mewt now reads DAML, generates several classes of mutants (including two built for DAML’s authorization primitives), and runs them through your existing test suite to count how many [...]

See full content

Coordinated GitHub API enumeration and access token abuse

on 08/07/2026

Datadog Security Research has tracked multiple coordinated campaigns enumerating GitHub organizations, repositories, and users through the public GitHub API, abusing leaked access tokens, and cloning private repositories. [...]

See full content

Google Is Suing Chinese Scammers Who Are Using Gemini

on 07/07/2026

Not sure this will have any effect, but I support the effort: According to Google’s legal filing, Outsider Enterprise operates through Telegram. The group offers phishing-as-a-service to individuals who may not be technically savvy enough to set up fraudulent websites and text campaigns on their own. In its Telegram channels, Outsider Enterprise reportedly provided instructions on how to use [...]

See full content

OS Command Injection in `aws-cdk-lib` NodejsFunction via Unsanitized `OsCommand` Helper (Supply Chain RCE)

on 06/07/2026

AWS VDP disclosed a bug submitted by kaporia: https://hackerone.com/reports/3637898 [...]

See full content

Stop what you're doing

on 06/07/2026

See full content

Open Source Malware

on 06/07/2026

See full content

I Made an AI Agent That Reverses CVEs While I Sleep

on 06/07/2026

See full content

France to Stop Certifying Non-Quantum-Safe Encryption

on 06/07/2026

France is accelerating its transition to post-quantum encryption: France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems. Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the age [...]

See full content

THE MOD WORKS! lets improve it

on 06/07/2026

See full content

Entra Agent ID: Protect, detect, respond

on 06/07/2026

This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant. [...]

See full content

the vibe continues

on 05/07/2026

See full content

Any installed app can force immediate logout and persistent DOS of authenticated Basecamp sessions via unprotected exported StartActivity

on 04/07/2026

Basecamp disclosed a bug submitted by zerodaysec_xyz: https://hackerone.com/reports/3764217 - Bounty: $287 [...]

See full content

let's vibe

on 04/07/2026

See full content

admin.shopify.com: Shopify Flow continues sending internal emails to a configured recipient after the staff author is removed

on 03/07/2026

Shopify disclosed a bug submitted by abahack: https://hackerone.com/reports/3628961 [...]

See full content

Are your employees using AI?

on 03/07/2026

See full content

FBI Seizes NetNut Proxy Platform, Popa Botnet

by BrianKrebs on 02/07/2026

The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botn [...]

See full content

Non-Production API Endpoints for the Amazon S3 Tables Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration

on 02/07/2026

AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3780277 [...]

See full content

We get this question a lot

on 02/07/2026

See full content

jitsi-meet: Prosody/Jigasi missing header whitelist in mod_filter_iq_rayo allows arbitrary SIP header injection and Caller ID spoofing

on 02/07/2026

8x8 disclosed a bug submitted by pmgjoe: https://hackerone.com/reports/3789570 - Bounty: $100 [...]

See full content

jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze`

on 02/07/2026

8x8 disclosed a bug submitted by r1skr1der: https://hackerone.com/reports/3485343 - Bounty: $100 [...]

See full content

Yelp for Business: locked Email field silently editable via API

on 02/07/2026

Yelp disclosed a bug submitted by 0xmanticore: https://hackerone.com/reports/3766455 [...]

See full content

Celebrating 1 Million Subscribers on July 8th!

on 02/07/2026

See full content

GPT-5.5-Cyber built a zlib fuzzing lab in a day

on 02/07/2026

We’re running Patch the Planet, an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest model [...]

See full content

Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission

on 02/07/2026

Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3559522 [...]

See full content

[Splatoon 3] Kick other players with NplnLogin message

on 02/07/2026

Nintendo disclosed a bug submitted by alzxk11: https://hackerone.com/reports/3813932 [...]

See full content

Exceeding the maximum number of spaces allowed by exploiting a Race Condition in the Workspace creation process

on 01/07/2026

SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3295500 [...]

See full content

Insecure Direct Object Reference (IDOR) allows creating folders.

on 01/07/2026

SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353057 [...]

See full content

Delete any folder for any user within the organization

on 01/07/2026

SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353035 [...]

See full content

Privilege Escalation Access to the Alert Subscribers page for users with low privileges

on 01/07/2026

SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353000 [...]

See full content

Improper Input Validation HTTP Response Parser Unconditionally Accepts Bare CR in Status Line

on 01/07/2026

Node.js disclosed a bug submitted by saif-01: https://hackerone.com/reports/3648681 [...]

See full content

Beyond Usernames

on 01/07/2026

See full content

Backdoors & Breaches: New scenarios and adaptations

on 01/07/2026

Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches. [...]

See full content

Beyond CTF Labs

on 30/06/2026

See full content

heap-use-after-free in curl_easy_cleanup() called from callback

on 30/06/2026

curl disclosed a bug submitted by carehi1324: https://hackerone.com/reports/3833577 [...]

See full content

setopt(VERIFYPEER) from callback bypasses TLS verify on connection reuse

on 30/06/2026

curl disclosed a bug submitted by a6b30108: https://hackerone.com/reports/3831432 [...]

See full content

Shipping post-quantum cryptography to Python

on 30/06/2026

Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency, we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography. On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantu [...]

See full content

ssh_config_matches is dead code: unauthorized SSH key reuse

on 30/06/2026

curl disclosed a bug submitted by bigtang: https://hackerone.com/reports/3826843 [...]

See full content

CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer

on 30/06/2026

curl disclosed a bug submitted by smaeljaish771: https://hackerone.com/reports/3831345 [...]

See full content

libcurl upload read callbacks miss recursive API guard, allowing prohibited multi API reentry and ASAN-confirmed UAF

on 30/06/2026

curl disclosed a bug submitted by th3hound: https://hackerone.com/reports/3832393 [...]

See full content

Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint

on 30/06/2026

Discourse disclosed a bug submitted by dpaysm: https://hackerone.com/reports/3400140 - Bounty: $1024 [...]

See full content

Annual testing starts to look a little dusty when...

on 29/06/2026

See full content

Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports

on 29/06/2026

Monero disclosed a bug submitted by kklam32: https://hackerone.com/reports/3547349 [...]

See full content

Remote node DOS

on 29/06/2026

Monero disclosed a bug submitted by xnbya: https://hackerone.com/reports/876530 [...]

See full content

ConsentFix Exposed

on 29/06/2026

See full content

Inside H1-813 Live Hacking Event with Salesforce in Tokyo

on 29/06/2026

See full content

Reconnaissance for exposure management: why context matters in the AI era

by Radu Voloaga on 29/06/2026

Over the last few weeks, we’ve explored what AI is changing in security: discovery is faster (Vulnpocalypse now?), volume is higher (Common AI misconceptions debugged!), and the human layer triage (The AI Impact), judgment, and prioritization has become more important, not less (CEO Insights). But there’s a deeper implication hiding underneath all of that: most security teams still only learn from [...]

See full content

UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback

on 28/06/2026

curl disclosed a bug submitted by homanp: https://hackerone.com/reports/3824303 [...]

See full content

Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080)

on 28/06/2026

curl disclosed a bug submitted by stze: https://hackerone.com/reports/3823985 [...]

See full content

How to pentest - 101 [CNWPP] deliverables + basic network hacking

on 27/06/2026

See full content

Exploiting insecure cookie policies

by Aurélien on 27/06/2026

Cookies are one of the most fundamental building blocks of the modern web, and yet they are often overlooked from a security perspective. When misconfigured, they can potentially lead to exposure of sensitive session data, enable several client-side attacks, and in severe cases, even allow attackers to impersonate users completely. In this article, we'll explore what cookies are, how they work and [...]

See full content

Security debt has a nasty interest rate.

on 26/06/2026

See full content

Facebook Phishing Fails

on 26/06/2026

See full content

Real Folks of Cyber | Pearce Barry | Day in the Life

on 26/06/2026

See full content

mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0

on 26/06/2026

curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]

See full content

CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection

on 26/06/2026

curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]

See full content

Intigriti Bug Bytes #237 - June 2026 🚀

by Ayoub on 26/06/2026

Hi hackers, Welcome to the latest edition of Bug Bytes! In this month's issue, we are featuring: A 10-year-old pre-auth RCE in phpBB Earning $500K hacking Google with AI Reading any Salesforce Marketing Cloud account's emails New DOMPurify sanitizer bypass Mapping abandoned S3 buckets to redo SolarWinds at scale And so much more! Let's dive in! Using AI the smart way: interview with Cristian [...]

See full content

Introducing GuardDog 3.0: A new rules engine, transparent sandboxing, and more

on 26/06/2026

Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing. [...]

See full content

Getting Started with the TCM Security Academy

on 25/06/2026

See full content

Disable SmartScreen Fast

on 25/06/2026

See full content

PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting

on 25/06/2026

Revive Adserver disclosed a bug submitted by doomtech: https://hackerone.com/reports/3781492 [...]

See full content

XMLRPC login leak exposes valid session ID enabling unauthorized API access

on 25/06/2026

Revive Adserver disclosed a bug submitted by garuthacktvist: https://hackerone.com/reports/3783738 [...]

See full content

Reflected XSS via unsanitised refresh parameter in zone invocation tag

on 25/06/2026

Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3780806 [...]

See full content

Sources

The content of this page is fetched from the following sources:

  1. Datadog Security Labs
  2. The Trail of Bits Blog
  3. Schneier on Security
  4. Krebs on Security
  5. Google Online Security Blog
  6. $BLOG_TITLE
  7. Agarri : Sécurité informatique offensive
  8. Alex Chapman's Blog
  9. www.alphabot.com
  10. Bug Bounty Reports Explained
  11. Bugcrowd
  12. cat ~/footstep.ninja/blog.txt
  13. Ezequiel Pereira
  14. HackerOne
  15. surajdisoja.me
  16. InsiderPhD
  17. Intigriti
  18. John Hammond
  19. LiveOverflow
  20. NahamSec
  21. PortSwigger Blog
  22. Rana Khalil
  23. Richard’s Infosec blog
  24. Ron Chan
  25. ropnop blog
  26. STÖK
  27. Sun Knudsen
  28. The Cyber Mentors
  29. The unofficial HackerOne disclosure timeline
  30. The XSS Rat
  31. TomNomNom
  32. Wallarm