Announcing Ostorlab for Bitrise: Mobile security scans in your CI
Ostorlab now integrates with Bitrise to run automated mobile application security scans inside CI workflows. Using a Bitrise Secret plus a simple Script step, teams can install the Ostorlab CLI and run ostorlab ci-scan run against the same build artifacts produced by the pipeline (e.g., Android APK, Android AAB, or iOS IPA). The integration helps shift security left by shortening feedback loops and catching vulnerabilities earlier, with options to tailor scans via profiles (fast, full, agentic deep scan) and optional inputs like test credentials, SBOM, and UI prompts.
Fri 27 March 2026
CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain
A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection ...
Wed 25 March 2026
Mobile Operational Resilience Under DORA: The simplest drill library for BFSI journeys
A mobile-first guide to DORA compliance for BFSI teams. Learn how to define your scope, simplify ...
Tue 24 March 2026
Ostorlab Launches Agentic Deep Scan: The next-generation vulnerability scanner
Ostorlab has launched Agentic Deep Scan, a next-generation vulnerability scanner that validates r...
Thu 19 March 2026
Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass
A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerability in Roundcube Webmail (< 1.5.12 and < 1.6.12). The rcube_washtml sanitizer blocks SVG \ tags that target the href attribute, but the attribute_value() comparison does not strip XML namespace prefixes before matching. An attacker can use attributeName="xlink:href" to bypass the check entirely, delivering unsanitized javascript: URIs in the values attribute directly into the rendered email DOM. JavaScript execution is currently prevented by an accidental namespace corruption in PHP's DOMDocument::loadHTML() which strips the xlink namespace declaration, but the sanitizer bypass is confirmed and the vulnerability remains exploitable under alternative parser configurations such as the Masterminds HTML5 parser or PHP 8.4's Dom\HTMLDocument.
GHSA-cr3w-cw5w-h3fj: 1-Click RCE in Saltcorn
Analysis of GHSA-cr3w-cw5w-h3fj, a CVSS 9.7 critical XSS-to-RCE vulnerability in Saltcorn (≤ 1.5.0-beta.19). Two chained flaws, reflected XSS in route parameters and command injection in backup generation, enable remote code execution via administrator phishing.
Latest posts
DORA Compliance for Mobile Releases: The easiest baseline, verdict, and exceptions model
A mobile-first guide to DORA regulation and DORA compliance for BFSI teams. Learn how to define your scope, simplify your release process, and avoid the traps that create unnecessary compliance work.
Tue 10 March 2026
CVE-2026-26019 : LangChain RecursiveUrlLoader Server-Side Request Forgery Vulnerability
A technical breakdown of CVE-2026-26019, a CVSS 4.1 medium Server-Side Request Forgery vulnerability in the LangChain Community JavaScript package (< 1.1.14). The RecursiveUrlLoader class uses a naive string prefix check to validate crawled URLs, allowing an attacker to bypass the default preventOutside restriction with a suffixed domain and redirect the crawler to internal network assets, potentially exposing sensitive credentials and metadata endpoints.
Wed 04 March 2026
DORA Compliance for Mobile Teams: Understanding scope and what you need to do
A mobile-first guide to DORA regulation and DORA compliance for BFSI teams. Learn how to define your scope, simplify your release process, and avoid the traps that create unnecessary compliance work.
Tue 03 March 2026
Top 10 Mobile Pentesting Tools in 2026
We work with mobile apps every day, and over time we’ve found a list of open-source tools that consistently make our testing more powerful, faster and fun. In this article, we’ve highlighted 10 mobile app pentesting tools we love using everyday.
Fri 27 February 2026
CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing
A technical breakdown of CVE-2025-64712, a CVSS 9.8 critical path traversal remote code execution vulnerability in the Unstructured Python library (< 0.18.18). Unsanitized attachment filenames in Outlook MSG processing allow for path traversal, enabling an attacker to overwrite arbitrary files via a crafted MSG file and achieve code execution.
Mon 23 February 2026
CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin
A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution vulnerability in the WPvivid Backup & Migration plugin (≤ 0.9.123). Two chained flaws, a cryptographic fail-open and an unsanitized path traversal, allow arbitrary file write and shell upload without credentials.
Fri 20 February 2026
8 Open-Source AI Pentest Tools for Security Teams in 2026
This article lists eight (8) open-source AI pentest tools. It covers how autonomous agents are potentially changing the way security testing is done.
Fri 30 January 2026
Ostorlab 2025 Year in Review
2025 marked the turning point where AI in cybersecurity graduated from experimental prototypes to production-grade engines. In this retrospective, we explore how Ostorlab’s new AI Pentest Engine and AI Monkey Tester are already uncovering critical vulnerabilities in the wild, including a complex arbitrary file read chain in Signal for Android. From mapping global banking risks to orchestrating scans with OXO Titan, dive into the year we redefined what automated security testing can actually do.
Wed 28 January 2026
Changelog
View all changesMobile Benchmarking, Monkey Tester Reliability, and Deeper Web Crawling
Tue 23 September 2025