Product

Ostorlab is launching a powerful, highly targeted AI orchestration engine accessible through two distinct UI workflows: Single Vulnerability Assessment (SVA) and Dig Deeper. While both features share the exact same underlying AI logic, capabilities, and "Bring-Your-Own-Key" structure, they are tailored for different entry points in your workflow. SVA is launched as a fresh, standalone scan for targeted, cost-efficient assessments, fix validations, or bug bounty verifications. Dig Deeper is triggered directly from an existing finding within a scan report to instantly investigate false positives or trace exploit paths. Together, they give teams surgical control over how they test and validate individual vulnerabilities.

Product

This release introduces Single Vulnerability Assessment (SVA) for targeted validation, Dig Deeper for granular root-cause investigation, Live Attack Scenario Risk & Status Tracking, Scan Report PDF Design Improvement, full multilanguage localization, and new compliance whitelisting support.

Security

A technical breakdown of CVE-2026-42208, a CVSS 9.3 critical unauthenticated SQL Injection vulnerability in the LiteLLM Proxy API. Improper parameterization of the Bearer token within raw SQL queries used for complex multi-table joins allows blind boolean-based timing attacks, enabling unauthenticated attackers to exfiltrate sensitive data including virtual API keys, user information, and LLM spend logs directly from the database.

Security

A technical breakdown of DirtyFrag, a pair of Linux kernel local privilege escalation vulnerabilities (CVE-2026-43284 and CVE-2026-43500, CVSS 7.8 HIGH) that allow any unprivileged local user to obtain root on most major Linux distributions. By chaining an xfrm-ESP and an RxRPC in-place decryption path flaw, both rooted in the same page-cache write primitive as Dirty Pipe and Copy Fail, the exploit overwrites read-only page cache pages without a race condition, achieving near-100% reliability.

Security

A technical breakdown of CVE-2026-44109, a CVSS 9.2 Critical authentication bypass vulnerability in OpenClaw (< 2026.4.15). Two fail-open logic inversions in the Feishu/Lark plugin — one in the webhook signature validator and one in the card-action replay guard — allow an unauthenticated attacker to inject arbitrary events into OpenClaw's command dispatch engine. When the bot has execution tools enabled, this translates directly to unauthenticated remote code execution on the host machine with the privileges of the OpenClaw process.

Security

A deep dive into a critical Server-Side Request Forgery (SSRF) vulnerability in Chatwoot's upload endpoint (≤ v4.12.1). The /api/v1/accounts/:id/upload endpoint accepts an external_url parameter validated only by a scheme check, allowing any authenticated agent to force the server to fetch arbitrary internal URLs. The full response body is returned in-band through ActiveStorage blobs — turning the upload endpoint into a full-read proxy. Live exploitation on a DigitalOcean droplet confirmed in-band exfiltration of cloud metadata including droplet ID, hostname, SSH public keys, and full metadata bundles. Fixed in v4.13.0.

Security

A DORA compliance checklist helps banking and fintech organizations evaluate operational resilience across core areas like ICT risk, incident response, resilience testing, third-party governance, and oversight, while tracking implementation progress and supporting audit readiness.

Security

A static analysis of TV_V_23.apk, a multi-stage Android banking malware platform attributed with high confidence to the BeatBanker / BTMOB cluster. Distributed as a trojanized fork of the open-source LumoLight flashlight app, the sample chains a native bootstrap, a Firebase-driven orchestrator, a cryptominer-and-keepalive helper, and a full operator RAT with accessibility abuse, screen capture, and runtime-configurable banking-app targeting. Covers the full infection chain, anti-analysis design, attribution, IOCs, and defender recommendations.