V1Plugin.Decrypt panics on empty ciphertext (Remote DoS) on 28/05/2026
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620748 [...]
InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
V2Plugin.Decrypt panics on empty ciphertext (Remote DoS) on 28/05/2026
AWS VDP disclosed a bug submitted by misop00p: https://hackerone.com/reports/3620753 [...]
iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs on 28/05/2026
Brave Software disclosed a bug submitted by aaront: https://hackerone.com/reports/3693295 [...]
Real Folks of Cyber | Dan Berger | DITL on 28/05/2026
Introducing Insights: self-serve reporting for security teams by Andrea Meza on 28/05/2026
Security teams running Bug Bounty programs often require similar insights and reporting to prove the value and ROSI for security initiatives, and often ask questions such as: What changed? Where are we spending? Are we improving? What needs attention right now? Until now, answering those questions often meant exporting data, stitching together spreadsheets, or pulling screenshots from [...]
FBI’s 2025 Internet Crime Report on 27/05/2026
The 2025 Internet Crime Report was published a few weeks ago, but I only just saw it. Lots of interesting statistics. Press release. News articles. [...]
Frontier AI teams are leveling up their models with Bugcrowd’s new RLE on 27/05/2026
Google served me Malware on 27/05/2026
Fast Code. Zero Security. Real Problem. on 27/05/2026
Payload Podcast 007 with Andy Piazza (klrgrz) on 26/05/2026
ContinuumCon Teaser: solst/ice, Zack Korman, & Spencer Alessi!! on 26/05/2026
Identifying People Using Wi-Fi Routers on 26/05/2026
Not identifying people based on their use of Wi-Fi routers, but identifying people using Wi-Fi signals. This is accomplished through what is known as WiFi sensing, or the use of WiFi signals to infer information about a physical environment. When radio signals like WiFi travel through a space, they interact with the objects and people around them. Those signals can be reflected, scattered, or abso [...]
You're Fixing the Wrong Vulnerabilities. on 26/05/2026
CEO insights: holding on to the human line in the age of AI adoption by Stijn Jans on 26/05/2026
As part of our recent AI series, I’ve been sharing my insights on the key topics, questions, and debates currently shaping the industry. I have covered my opinions regarding holding the human layer sacred in the AI era, where I explored what I deem is the beating heart of the Bug Bounty industry, AI strengths and weaknesses, where human hackers fit in, and what businesses will face in the next 3 t [...]
Heap-OOB read in urlapi `redirect_url()` via `CURLU_GUESS_SCHEME` + `CURLU_NO_GUESS_SCHEME` flow on 25/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3751715 [...]
curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication on 25/05/2026
curl disclosed a bug submitted by jingzhou: https://hackerone.com/reports/3752567 [...]
Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check on 25/05/2026
Rocket.Chat disclosed a bug submitted by deprrous: https://hackerone.com/reports/3734326 [...]
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks by BrianKrebs on 25/05/2026
Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure o [...]
Your CISO Can't See the Risk. on 25/05/2026
RatCTF - Uncle Rat HACKS @NullSecurityX 's Box on 24/05/2026
☔️🌅 on 23/05/2026
NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset on 23/05/2026
Node.js disclosed a bug submitted by junius: https://hackerone.com/reports/3736889 [...]
Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`) on 23/05/2026
Node.js disclosed a bug submitted by v1ct0rv0nd00m: https://hackerone.com/reports/3752489 [...]
BSides Dublin 2026 Talk Slides on 23/05/2026
🦗 There hasn’t been a post here in years and I really should do something about this, but in the meantime here are my slides for my BSides Dublin 2026 talk Fighting Fire with Fire: Using AI to Scale Your Product Security Team https://docs.google.com/presentation/d/1zuB920nmw4UtKP3ZsHoUT9Eqi04NVLD7upWK6C9Vmhg I will update this post when the recording is posted on YouTube. [...]
Friday Squid Blogging: Regulating Squid Fishing in the South Pacific on 22/05/2026
The South Pacific Regional Fisheries Management Organization (SPRFMO) needs to regulate squid fishing in the South Pacific. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Lawmakers Demand Answers as CISA Tries to Contain Data Leak by BrianKrebs on 22/05/2026
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked [...]
Soft Skills for the Job Market: Communication on 22/05/2026
CISA Security Leak on 22/05/2026
Crazy story: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, a [...]
We hardened zizmor's GitHub Actions static analyzer on 22/05/2026
In March 2026, attackers exploited a pull_request_target misconfiguration in the aquasecurity/trivy-action GitHub Action to exfiltrate organization and repository secrets, then used those credentials to backdoor LiteLLM on PyPI (see Trivy’s post-mortem for the full timeline). zizmor is a static analyzer that GitHub Actions users run to catch exactly these misconfigurations before they ship. [...]
Your Security Stack Is Already Obsolete. on 22/05/2026
The harsh reality of cybersecurity on 21/05/2026
Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId) on 21/05/2026
Nextcloud disclosed a bug submitted by msatz: https://hackerone.com/reports/3572848 [...]
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada by BrianKrebs on 21/05/2026
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, [...]
macOS Kernel Memory Corruption Exploit on 21/05/2026
A group used Anthropic’s Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple’s M5. News article. [...]
One Dev Just Broke Your Security. on 21/05/2026
Vibe Coding, AppSec, and the New Threat Surface on 21/05/2026
How Triage Assist is raising the bar in crowdsourced security by Stijn Bogaerts on 21/05/2026
AI is changing the volume and accelerating the pace of vulnerability submissions. If you've been following our recent AI series, you already know that submission growth isn't a quality problem; it's a coordination problem. As Head of Triage, Lennaert Oudshoorn, outlines in his recent post, ‘The AI impact: A triager’s perspective’, the security industry is experiencing a surge in vulnerability disc [...]
Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740 on 21/05/2026
A look at how Kubernetes CVE-2021-25740 allows users with EndpointSlice access to redirect traffic via shared ingress and load balancer services. [...]
curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write on 20/05/2026
curl disclosed a bug submitted by sdjasj: https://hackerone.com/reports/3747959 [...]
Credentials forwarded to HTTP after HTTPSHTTP same-port redirect url_set_data_creds uses scheme-blind comparator on 20/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733946 [...]
On AI Security on 20/05/2026
Good report: Executive Summary: Let’s say you wanted to make sure that your AI is secure. Can you just maximize the security and privacy benchmark and call it a day? Nope, because benchmarks don’t actually work for measuring AI capabilities (even when they are NOT emergent systemic properties like security). So let’s take a step back: how do you measure security in the first plac [...]
Building Secure AI Systems: What Security Leaders Know That Builders Don't | HumanX 2026 on 20/05/2026
POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint) on 20/05/2026
CoinMate.io disclosed a bug submitted by glferreira-devsecops: https://hackerone.com/reports/3676308 [...]
HMAC signature verification omits endpoint and payload allowing request forgery on CoinMate API on 20/05/2026
CoinMate.io disclosed a bug submitted by glferreira-devsecops: https://hackerone.com/reports/3670955 [...]
Busy submitting P1s on 19/05/2026
HTTP/3 paused transfer buffers incoming data without bound up to ~1 GiB on 19/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734947 [...]
Schannel custom-CA path skips Extended Key Usage enforcement on 19/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734992 [...]
Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers on 19/05/2026
curl disclosed a bug submitted by 7omoo: https://hackerone.com/reports/3741135 [...]
SSL session-cache peer key omits signature_algorithms: strict-sigalg handle silently resumes a permissive sibling's session on 19/05/2026
curl disclosed a bug submitted by hexproof: https://hackerone.com/reports/3739561 [...]
CURLOPT_PROXY_CAINFO_BLOB silently activates native CA store on Apple builds on 19/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735179 [...]
TLS peer-verification bypass via mid-transfer ssl_config mutation on 19/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735276 [...]
TLS verifyhost bypass in rustls, mbedTLS, and wolfSSL when verifypeer=0 on 19/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734095 [...]
HTTP/2 proxy CONNECT tunnel unbounded 1xx chain (missing Curl_bump_headersize cap in cf-h2-proxy.c) on 19/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734020 [...]
Laurie Anderson Is Quoting Me on 19/05/2026
Not by name, but Laurie Anderson quotes me in one of the tracks of her new album: My favorite quote is from a cryptologist who said “If you think technology will solve your problems, you don’t understand technology and you don’t understand your problems.” Also in interviews: “Of course, it’s ridiculous, outrageous, blah, blah, blah,” Anderson says about th [...]
Cross-repository IDOR in `/settings/security_analysis/bypass_reviewers` allows unauthorized delegated bypass reviewer modification on 19/05/2026
GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/3560256 [...]
Stop Measuring Time to Detect Start Measuring Time to Validate on 18/05/2026
CISA Admin Leaked AWS GovCloud Keys on Github by BrianKrebs on 18/05/2026
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it rep [...]
CURLOPT_HSTS_CTRL disables shared HSTS without share guard use-after-free and double-free on 18/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733934 [...]
cookie: case-insensitive path comparison in replace_existing() allows cookie eviction across distinct paths on 18/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735238 [...]
libssh SFTP initialization ignores CURLOPT_TIMEOUT, hangs indefinitely on 18/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3735080 [...]
rustls backend silently ignores CURLOPT_CRLFILE when native CA store is active on 18/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734935 [...]
HSTS multi-trailing-dot bypass-ish: possible incomplete fix for CVE-2022-30115 on 18/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3733984 [...]
I Built an AI Cybersecurity Research Factory (for CTFs & Vulnerabilities) on 18/05/2026
This GitHub README Hijacks Your AI and Spreads Like a Virus on 18/05/2026
New video: hacking AI coding assistants and IDEs. #bugbounty #ai on 18/05/2026
Zero-Day Exploit Against Windows BitLocker on 18/05/2026
It’s nasty, but it requires physical access to the computer: The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a [...]
What Your Board Gets Wrong About AI Security by Tim Erlin on 18/05/2026
Editor's note: This article was originally published by Craig Riddell on LinkedIn. It has been republished here with the author's permission. Boards are giving AI security more airtime than ever. What they're not giving is the right framing. A year or two ago, AI was mostly a question of experimentation risk. Today, it's tied directly to revenue, customer experience, operational efficiency, [...]
Unauthenticated File Upload to CDN on 18/05/2026
Enjin disclosed a bug submitted by ph0r3nsic: https://hackerone.com/reports/3589247 [...]
IDOR: autotranslate.translateMessage Full Message Content Leak on 18/05/2026
Rocket.Chat disclosed a bug submitted by josan_george: https://hackerone.com/reports/3713682 [...]
CEO insights: beyond the AI model card by Stijn Jans on 18/05/2026
As part of our AI series, I recently released a blog on the topic of keeping the human layer sacred in the AI era. There, I shared my thoughts on where human intelligence fits, the decisions I believe companies will face in the next 3 to 5 years, and explored what I deem to be the beating heart of the Bug Bounty industry. Considering that discussion, I want to continue the conversation regarding [...]
Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments on 18/05/2026
Introducing Pathfinding Labs, a collection of intentionally vulnerable AWS environments for red teamers and blue teamers to deploy, exploit, and use for detection validation. [...]
The Security Buffer Is Gone on 17/05/2026
Trailing-dot IPv4 URL bypasses IP-address guard, allows wildcard DNS SAN match on 17/05/2026
curl disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3734921 [...]
NULL pointer dereference in libcurl URL API redirect_url() with CURLU_DEFAULT_SCHEME on 17/05/2026
curl disclosed a bug submitted by mulan_dh: https://hackerone.com/reports/3736234 [...]
RatCTF.com - The BEST cybersecurity training platform on 17/05/2026
What Part of AI Hacking Actually Moves the Needle? on 16/05/2026
Hack a Drug Lord's Smart Toilet! on 16/05/2026
Friday Squid Blogging: Bigfin Squid on 16/05/2026
Article about the bigfin squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
The AI Tried to Escape Our Own Infrastructure. on 15/05/2026
SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution on 15/05/2026
Nextcloud disclosed a bug submitted by suul: https://hackerone.com/reports/3462991 [...]
[DUTCH] RatCTF - Wat is het en hoe gebruik je het? + Machine hacken on 15/05/2026
Bypassing On-Camera Age-Verification Checks on 15/05/2026
Some AI-based video age-verification checks can be fooled with a fake mustache. [...]
The Payload Podcast 006 on 15/05/2026
Mythos Didn’t Change What Gets Found It Changed How Reliably It Gets Found on 14/05/2026
Keep up the great work, hackers 👏 on 14/05/2026
Origin IP Exposed waf bypass on 14/05/2026
Yuga Labs disclosed a bug submitted by r00tsid: https://hackerone.com/reports/1821085 - Bounty: $250 [...]
Mythos, Glasswing, and the New Velocity of Cyber Risk on 14/05/2026
Kerberos/SPNEGO Connection Reuse Vulnerability on 14/05/2026
curl disclosed a bug submitted by rootofpi_ramesh: https://hackerone.com/reports/3725659 [...]
LIVE: 🕵️ HTB Sherlocks! | Cybersecurity | Blue Team on 14/05/2026
Backdoored Cemu release linked to TanStack and Mistral supply chain campaign on 14/05/2026
We investigate how a coordinated supply chain campaign that compromised npm and PyPI packages also backdoored the official Cemu Nintendo Wii U emulator GitHub release, reaching nearly 20,000 Linux users. [...]
Backdoored node-ipc npm releases steal developer credentials through DNS queries on 14/05/2026
An analysis of backdoored node-ipc npm releases that add an obfuscated credential collection and DNS exfiltration payload to the CommonJS entrypoint. [...]
Shai-Hulud Goes Open Source on 13/05/2026
A static analysis of the open-sourced Shai-Hulud offensive framework attributed to TeamPCP, covering its credential harvesting, supply chain poisoning, and exfiltration capabilities. [...]
Patch Tuesday, May 2026 Edition by BrianKrebs on 12/05/2026
Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers — including Apple, Google, Microsoft, Mozilla and Oracle — fixing near record volumes of secu [...]
Hackers are Using AI (much scary, very wow) on 12/05/2026
A Quick Way to Prove Your Cybersecurity Skillset! on 12/05/2026
Extending Security to MCP Servers: Closing a Critical Gap by Tim Erlin on 12/05/2026
The Model Context Protocol (MCP) is a de facto standard for providing structured access to privileged systems for AI agents and external integrations. It acts as a USB-C port for AI, enabling faster innovation by allowing organizations to expose tools, resources, and workflows without the time-consuming work of building APIs. Adoption has surged in recent months, and categories like payments, [...]
QuickSight Authorization Bypass: Chat Agents Accessible Despite Custom Permissions Denial on 12/05/2026
AWS VDP disclosed a bug submitted by jcow: https://hackerone.com/reports/3577145 [...]
The beast needs a cage: What's next for AppSec post-Mythos on 12/05/2026
Now that the dust has settled on Mythos dropping, there is space for more considered reflection on the direction of travel. Mythos wasn't a surprise; it's another data point on a trajectory that's bee [...]
Very Simple Real Bug Bounty Exploit - API Scope Bypass on 12/05/2026
Go fuzzing was missing half the toolkit. We forked the toolchain to fix it. on 12/05/2026
Go’s native fuzzing is useful, but it stands far behind state-of-the-art tooling that the Rust, C, and C++ ecosystems offer with LibAFL and AFL++. Path constraints are hard to solve. Structured inputs usually need handmade parsing. It doesn’t even detect several common bug classes, such as integer overflows, goroutine leaks, data races, and execution timeouts. So to make it better, we built [...]