Hi I am Sairaj Dattu Thorat and I’m in 11th grade right now.. and few months ago I started my bug bounty journey and I wanted to make…

Our Vulnerability Researchers uncovered vulnerabilities in the code of Ollama, a popular tool to run LLMs locally. Dive into the details of how LLMs are implemented and what can go wrong.

The adoption of Large Language Models (LLMs) and AI coding assistants has radically accelerated the development lifecycle, offering the potential for developers to achieve up to a 55% increase in productivity and complete tasks twice as fast.

elttam is a globally recognised, independent information security company, renowned for our advanced technical security assessments.

A critical vulnerability in mcp-remote affected 558,846 downloads. The bug was client-side, but the attack exploited OAuth dynamic discovery—a trust assumption that breaks for autonomous agents.

The List-Unsubscribe SMTP header is standardized but often overlooked during security assessments. It allows email clients to provide an easy way for end-users to unsubscribe from mailing lists.
This post discusses how this header can be abused to perform…

What started as a free and open source tool to solve our own problem has grown to become SonarQube, a product now used by more than 7 million developers around the world to review and improve the quality and security of over 750 billion lines of code every…

An unauthenticated local WebSocket server in the CurseForge launcher allowed any website to trigger remote code execution via attacker-controlled JVM arguments.

A couple of months ago, I received a request from a random Internet user to add CSRF protection to my little web framework Microdot, and I thought it was a fantastic idea.When I set off to do this…

Sonar Foundation Agent is a coding agent for general software issues, developed at Sonar by the former AutoCodeRover team. As of November 3, 2025, Sonar Foundation Agent scores 75% on SWE-bench Verified, while maintaining a low average cost of $1.26 and a…

Server-Side Request Forgery (SSRF) is a critical web application vulnerability that is frequently misunderstood but highly impactful when…

Every day, thousands of web services generate PDF (Portable Document Format) files—bills, contracts, reports. This step is often treated as a technical routine, “just convert the HTML,” but in practice it’s exactly where a trust boundary is crossed. The renderer…

Partial disclosure of a bug bounty report: turning a harmless XSS behind a WAF into a realistic phishing vector.

How do you secure one of Europe’s largest universities against endless cyber threats? Discover how Universidade do Porto and Ethiack turned a sprawling, exposed attack surface into a controlled and proactive cybersecurity stronghold.

We’re releasing go-panikint, a modified Go compiler that turns silent integer overflows into explicit panics. We used it to find a live integer overflow in the Cosmos SDK’s RPC pagination logic, showing how this approach eliminates a major blind spot for…

What's Changed
✨ New Features

Enabled TLS session caching in the client pool to improve connection reuse and reduce handshake overhead (internal) by @dwisiswant0 in #6713
Added support for pro...

MongoBleed vulnerability (CVE-2025-14847) leaks MongoDB heap memory without auth via zlib. See affected versions, exposure, and fixes.

Technical analysis of CVE-2025-61922 leading to zero-click account takeover in PrestaShop Checkout < 5.0.5

Contribute to jenish-sojitra/JSAnalyzer development by creating an account on GitHub.

Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te