Security

A technical breakdown of CVE-2026-26019, a CVSS 4.1 medium Server-Side Request Forgery vulnerability in the LangChain Community JavaScript package (< 1.1.14). The RecursiveUrlLoader class uses a naive string prefix check to validate crawled URLs, allowing an attacker to bypass the default preventOutside restriction with a suffixed domain and redirect the crawler to internal network assets, potentially exposing sensitive credentials and metadata endpoints.

Security

A mobile-first guide to DORA regulation and DORA compliance for BFSI teams. Learn how to define your scope, simplify your release process, and avoid the traps that create unnecessary compliance work.

Security

We work with mobile apps every day, and over time we’ve found a list of open-source tools that consistently make our testing more powerful, faster and fun. In this article, we’ve highlighted 10 mobile app pentesting tools we love using everyday.

Security

A technical breakdown of CVE-2025-64712, a CVSS 9.8 critical path traversal remote code execution vulnerability in the Unstructured Python library (< 0.18.18). Unsanitized attachment filenames in Outlook MSG processing allow for path traversal, enabling an attacker to overwrite arbitrary files via a crafted MSG file and achieve code execution.

Security

A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution vulnerability in the WPvivid Backup & Migration plugin (≤ 0.9.123). Two chained flaws, a cryptographic fail-open and an unsanitized path traversal, allow arbitrary file write and shell upload without credentials.

Security

This article lists eight (8) open-source AI pentest tools. It covers how autonomous agents are potentially changing the way security testing is done.

Product

2025 marked the turning point where AI in cybersecurity graduated from experimental prototypes to production-grade engines. In this retrospective, we explore how Ostorlab’s new AI Pentest Engine and AI Monkey Tester are already uncovering critical vulnerabilities in the wild, including a complex arbitrary file read chain in Signal for Android. From mapping global banking risks to orchestrating scans with OXO Titan, dive into the year we redefined what automated security testing can actually do.

Security

For years, Android’s openness was one of its biggest strengths. Anyone could build an app, share it, and sideload it freely. Users were warned about the risks, but the choice was always theirs. Starting in 2026, Android will require developer verification for apps to run on certified devices. Apps from unverified developers can be blocked, even when users knowingly install them. Google calls it security. Critics call it a loss of freedom. Understanding what’s changing and where Android draws the line now matters more than ever.