An unauthenticated local WebSocket server in the CurseForge launcher allowed any website to trigger remote code execution via attacker-controlled JVM arguments.

A couple of months ago, I received a request from a random Internet user to add CSRF protection to my little web framework Microdot, and I thought it was a fantastic idea.When I set off to do this…

Sonar Foundation Agent is a coding agent for general software issues, developed at Sonar by the former AutoCodeRover team. As of November 3, 2025, Sonar Foundation Agent scores 75% on SWE-bench Verified, while maintaining a low average cost of $1.26 and a…

Server-Side Request Forgery (SSRF) is a critical web application vulnerability that is frequently misunderstood but highly impactful when…

Every day, thousands of web services generate PDF (Portable Document Format) files—bills, contracts, reports. This step is often treated as a technical routine, “just convert the HTML,” but in practice it’s exactly where a trust boundary is crossed. The renderer…

Partial disclosure of a bug bounty report: turning a harmless XSS behind a WAF into a realistic phishing vector.

How do you secure one of Europe’s largest universities against endless cyber threats? Discover how Universidade do Porto and Ethiack turned a sprawling, exposed attack surface into a controlled and proactive cybersecurity stronghold.

We’re releasing go-panikint, a modified Go compiler that turns silent integer overflows into explicit panics. We used it to find a live integer overflow in the Cosmos SDK’s RPC pagination logic, showing how this approach eliminates a major blind spot for…

What's Changed
✨ New Features

Enabled TLS session caching in the client pool to improve connection reuse and reduce handshake overhead (internal) by @dwisiswant0 in #6713
Added support for pro...

MongoBleed vulnerability (CVE-2025-14847) leaks MongoDB heap memory without auth via zlib. See affected versions, exposure, and fixes.

Technical analysis of CVE-2025-61922 leading to zero-click account takeover in PrestaShop Checkout < 5.0.5

Contribute to jenish-sojitra/JSAnalyzer development by creating an account on GitHub.

Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te

Ethical Hacking and Cybersecurity Blog

Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te

How does Predator spyware transform from running code into active surveillance? This technical deep-dive reverse-engineers the internal factory architecture that dynamically creates camera monitoring, VoIP interception, and keylogging modules through Unix…

n8n Ni8mare - Unauthenticated Arbitrary File Read to RCE Chain (CVSS 10.0) - Chocapikk/CVE-2026-21858

Discover how Patchstack helps secure Seahawk Media users with real-time protection.

Welcome to 2026!

While we are all waiting for the scheduled SSLVPN ITW exploitation programming that occurs every January, we’re back from Christmas and idle hands, idle minds, yada yada.

In December, we were alerted to a vulnerability in SmarterTools’…