Able to bypass authorization logic and gain more access then intended on 15/07/2026
GitHub disclosed a bug submitted by vaib25vicky: https://hackerone.com/reports/3713965 [...]
GitHub disclosed a bug submitted by vaib25vicky: https://hackerone.com/reports/3713965 [...]
AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3632577 [...]
Amazing: Researchers from ETH Zurich in Switzerland, however, managed to create a new type of pixel that can simultaneously do both. This hypercharged pixel, called a Fourier pixel, can generate and sense arbitrary light fields and tap into a pixel’s full potential for carrying information by manipulating light’s intensity, oscillation phases, and polarization. The team reported its fi [...]
Basecamp disclosed a bug submitted by newbiefromcoma: https://hackerone.com/reports/3581911 - Bounty: $337 [...]
Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence. Nearly 60 of the bugs qu [...]
AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3702072 [...]
This is a current list of where and when I am scheduled to speak: I’m speaking (virtually) at the Policy-Relevant Privacy Research Workshop in Calgary, Canada, on Monday, July 20, 2026. I’m speaking at Boston Leadership Exchange in Boston, Massachusetts, USA, on Wednesday, July 22, 2026. I’m speaking at Cognitive Security Conference in Las Vegas, Nevada, USA. The conference runs August 6-7, 2026; [...]
FIFA’s network was vulnerable to anyone with even minimal access. [...]
On July 14, 2026, four npm packages in the @asyncapi namespace, totaling over 3 million weekly downloads, were compromised to deliver credential-stealing malware. We investigate how the attack unfolded and how to know if you're affected. [...]
Editor's note: This article was originally published by Tim Erlin on LinkedIn. It has been republished here with the author's permission. https://www.linkedin.com/pulse/ai-control-platform-vs-firewall-gateway-clearing-up-tim-erlin-ypodc It seems like every security vendor now sells "AI security." The WAF companies, the API gateway companies, the cloud platforms, the proxy startups: all of them [...]
SingleStore disclosed a bug submitted by bisht-ji: https://hackerone.com/reports/3780695 [...]
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a recent data leak in which a contractor published dozens of internal CISA credentials — including AWS Govcloud keys — in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency’s initial response provide important [...]
This essay was written with Nathan E. Sanders, and originally appeared in The Guardian. Opposition to AI data centers has emerged as a primary theme in US politics, one that—surprisingly—doesn’t fall along party lines. We applaud people coming together for constructive debate on any issue, and agree that communities need to evaluate whether any economic benefits these data center [...]
We’ve added a new chapter to our Testing Handbook: a comprehensive guide to security testing Rust programs. This chapter covers the tools and techniques we use at Trail of Bits to validate the security of Rust programs and systems. fn main() {(|f:&dyn Fn(u128)->Box< dyn Iterator<Item= char>+'static>|f(*[&( 0x7B736D70683F73u128<<64| 0x7A6A6D7C3F7A667D),&(0x7B73 [...]
In a rare combined cybersecurity/squid post, a twenty-nine-year-old squid proxy bug can leak HTTP requests. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
In the near future, AI-powered surveillance systems will be able to track everything we do in public, and much of what we do in private. And if we do something wrong—shoplift, litter, jaywalk, you name it—the system will notice, retain it, tie it to your official government record, communicate that fact to you, and provide real-time alerts to any relevant authorities… and maybe a [...]
AWS VDP disclosed a bug submitted by mistercloudsec: https://hackerone.com/reports/3630605 [...]
Because of the way they are trained, large language models capture only a slice of human language. They’re trained on the written word, from textbooks to social media posts, and our speech as captured in movies and on television. These models have minimal access to the unscripted conversations we have face to face or voice to voice. This is the vast majority of speech, and a vital component [...]
First hand of the week: Find us at BSides Workshop: Burp But Yours, with Hannah and Tib3rius Center stage: Visit us at Black Hat USA - Booth 5342 Lightning talks at the booth Catch our researchers' br [...]
A malicious commit disguised as SDK telemetry briefly compromised @injectivelabs/sdk-ts, exfiltrating wallet mnemonics and private keys. [...]
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names. The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 [...]
Last week, national security agencies from the Five Eyes—that’s the rich, English-language-speaking countries club—jointly released a statement warning of the increasing cyber risks of AI models: in particular, their ability to autonomously hack into systems and networks. The statement was more measured than some of the breathless headlines about it, and the advice they gave is p [...]
In April we released Mewt, our open-source mutation-testing engine that finds the gaps in your test suite. Today we’re expanding it with support for DAML, the language Canton Network applications are written in. Mewt now reads DAML, generates several classes of mutants (including two built for DAML’s authorization primitives), and runs them through your existing test suite to count how many [...]
Datadog Security Research has tracked multiple coordinated campaigns enumerating GitHub organizations, repositories, and users through the public GitHub API, abusing leaked access tokens, and cloning private repositories. [...]
Not sure this will have any effect, but I support the effort: According to Google’s legal filing, Outsider Enterprise operates through Telegram. The group offers phishing-as-a-service to individuals who may not be technically savvy enough to set up fraudulent websites and text campaigns on their own. In its Telegram channels, Outsider Enterprise reportedly provided instructions on how to use [...]
AWS VDP disclosed a bug submitted by kaporia: https://hackerone.com/reports/3637898 [...]
France is accelerating its transition to post-quantum encryption: France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems. Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the age [...]
This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant. [...]
Basecamp disclosed a bug submitted by zerodaysec_xyz: https://hackerone.com/reports/3764217 - Bounty: $287 [...]
Shopify disclosed a bug submitted by abahack: https://hackerone.com/reports/3628961 [...]
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botn [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3780277 [...]
8x8 disclosed a bug submitted by pmgjoe: https://hackerone.com/reports/3789570 - Bounty: $100 [...]
8x8 disclosed a bug submitted by r1skr1der: https://hackerone.com/reports/3485343 - Bounty: $100 [...]
Yelp disclosed a bug submitted by 0xmanticore: https://hackerone.com/reports/3766455 [...]
We’re running Patch the Planet, an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest model [...]
Nintendo disclosed a bug submitted by hana2736: https://hackerone.com/reports/3559522 [...]
Nintendo disclosed a bug submitted by alzxk11: https://hackerone.com/reports/3813932 [...]
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3295500 [...]
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353057 [...]
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353035 [...]
SingleStore disclosed a bug submitted by bl4ck-: https://hackerone.com/reports/3353000 [...]
Node.js disclosed a bug submitted by saif-01: https://hackerone.com/reports/3648681 [...]
Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches. [...]
curl disclosed a bug submitted by carehi1324: https://hackerone.com/reports/3833577 [...]
curl disclosed a bug submitted by a6b30108: https://hackerone.com/reports/3831432 [...]
Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency, we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography. On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantu [...]
curl disclosed a bug submitted by bigtang: https://hackerone.com/reports/3826843 [...]
curl disclosed a bug submitted by smaeljaish771: https://hackerone.com/reports/3831345 [...]
curl disclosed a bug submitted by th3hound: https://hackerone.com/reports/3832393 [...]
Discourse disclosed a bug submitted by dpaysm: https://hackerone.com/reports/3400140 - Bounty: $1024 [...]
Monero disclosed a bug submitted by kklam32: https://hackerone.com/reports/3547349 [...]
Monero disclosed a bug submitted by xnbya: https://hackerone.com/reports/876530 [...]
Over the last few weeks, we’ve explored what AI is changing in security: discovery is faster (Vulnpocalypse now?), volume is higher (Common AI misconceptions debugged!), and the human layer triage (The AI Impact), judgment, and prioritization has become more important, not less (CEO Insights). But there’s a deeper implication hiding underneath all of that: most security teams still only learn from [...]
curl disclosed a bug submitted by homanp: https://hackerone.com/reports/3824303 [...]
curl disclosed a bug submitted by stze: https://hackerone.com/reports/3823985 [...]
Cookies are one of the most fundamental building blocks of the modern web, and yet they are often overlooked from a security perspective. When misconfigured, they can potentially lead to exposure of sensitive session data, enable several client-side attacks, and in severe cases, even allow attackers to impersonate users completely. In this article, we'll explore what cookies are, how they work and [...]
curl disclosed a bug submitted by b1gtang: https://hackerone.com/reports/3826199 [...]
curl disclosed a bug submitted by tneelc: https://hackerone.com/reports/3823932 [...]
Hi hackers, Welcome to the latest edition of Bug Bytes! In this month's issue, we are featuring: A 10-year-old pre-auth RCE in phpBB Earning $500K hacking Google with AI Reading any Salesforce Marketing Cloud account's emails New DOMPurify sanitizer bypass Mapping abandoned S3 buckets to redo SolarWinds at scale And so much more! Let's dive in! Using AI the smart way: interview with Cristian [...]
Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing. [...]
Revive Adserver disclosed a bug submitted by doomtech: https://hackerone.com/reports/3781492 [...]
Revive Adserver disclosed a bug submitted by garuthacktvist: https://hackerone.com/reports/3783738 [...]
Revive Adserver disclosed a bug submitted by kanon4: https://hackerone.com/reports/3780806 [...]