Ostorlab is launching a powerful, highly targeted AI orchestration engine accessible through two distinct UI workflows: Single Vulnerability Assessment (SVA) and Dig Deeper. While both features share the exact same underlying AI logic, capabilities, and "Bring-Your-Own-Key" structure, they are tailored for different entry points in your workflow. SVA is launched as a fresh, standalone scan for targeted, cost-efficient assessments, fix validations, or bug bounty verifications. Dig Deeper is triggered directly from an existing finding within a scan report to instantly investigate false positives or trace exploit paths. Together, they give teams surgical control over how they test and validate individual vulnerabilities.

Product

Single Vulnerability Assessment (SVA), Dig Deeper, Scan Report PDF Design Improvement & Multilanguage Support

This release introduces Single Vulnerability Assessment (SVA) for targeted validation, Dig Deeper...

Mon 01 June 2026

Security

Exploit CVE-2026-42208: LiteLLM Unauthenticated SQL Injection via Bearer Token

A technical breakdown of CVE-2026-42208, a CVSS 9.3 critical unauthenticated SQL Injection vulner...

Fri 22 May 2026

Security

DirtyFrag: Universal Linux Local Privilege Escalation via Page-Cache Write

A technical breakdown of DirtyFrag, a pair of Linux kernel local privilege escalation vulnerabili...

Wed 13 May 2026

A technical breakdown of CVE-2026-44109, a CVSS 9.2 Critical authentication bypass vulnerability in OpenClaw (< 2026.4.15). Two fail-open logic inversions in the Feishu/Lark plugin — one in the webhook signature validator and one in the card-action replay guard — allow an unauthenticated attacker to inject arbitrary events into OpenClaw's command dispatch engine. When the bot has execution tools enabled, this translates directly to unauthenticated remote code execution on the host machine with the privileges of the OpenClaw process.

A deep dive into a critical Server-Side Request Forgery (SSRF) vulnerability in Chatwoot's upload endpoint (≤ v4.12.1). The /api/v1/accounts/:id/upload endpoint accepts an external_url parameter validated only by a scheme check, allowing any authenticated agent to force the server to fetch arbitrary internal URLs. The full response body is returned in-band through ActiveStorage blobs — turning the upload endpoint into a full-read proxy. Live exploitation on a DigitalOcean droplet confirmed in-band exfiltration of cloud metadata including droplet ID, hostname, SSH public keys, and full metadata bundles. Fixed in v4.13.0.

Latest posts

DORA Compliance Checklist for Banking & Fintech: Audit-Ready Operational Resilience Validation

A DORA compliance checklist helps banking and fintech organizations evaluate operational resilience across core areas like ICT risk, incident response, resilience testing, third-party governance, and oversight, while tracking implementation progress and supporting audit readiness.

Wed 29 April 2026

Inside BeatBanker / BTMOB: Static Analysis of TV_V_23.apk, a Multi-Stage Android Banking Malware Platform

A static analysis of TV_V_23.apk, a multi-stage Android banking malware platform attributed with high confidence to the BeatBanker / BTMOB cluster. Distributed as a trojanized fork of the open-source LumoLight flashlight app, the sample chains a native bootstrap, a Firebase-driven orchestrator, a cryptominer-and-keepalive helper, and a full operator RAT with accessibility abuse, screen capture, and runtime-configurable banking-app targeting. Covers the full infection chain, anti-analysis design, attribution, IOCs, and defender recommendations.

Tue 28 April 2026

HarmonyOS Next Security Testing: Tools, Risks, and Differences from Android

This guide covers the security testing tools, platform-specific risks, and the most common gaps security teams encounter when moving from Android-based testing to HarmonyOS Next applications. This article is for mobile security teams, AppSec engineers, and organizations shipping or auditing applications in the HarmonyOS ecosystem.

Tue 28 April 2026

Android Intent Redirection: Attack Vectors and Mitigations

A deep dive into Android intent redirection vulnerabilities, showing how exported “proxy” components can be abused to launch protected components, leak data via setResult(), steal content via URI grants, and hijack flows. Covers common misuse patterns and layered mitigations including validation, allowlists, IntentSanitizer, stripping dangerous flags, immutable PendingIntents, and reducing exported components.

Thu 23 April 2026

Introducing HarmonyOS App Scans + Huawei AppGallery Scans

Find a vulnerability scanner for HarmonyOS apps and Huawei AppGallery releases: Ostorlab adds automated, repeatable security scans so teams can continuously assess Huawei-distributed mobile apps and fix issues faster.

Mon 20 April 2026

Mobile Game Security Testing: Prevent Hacks, Cheating, and Revenue Loss

Mobile game security testing prevents cheating, hacks, and revenue loss by securing client, network, and backend layers. This guide covers the latest threats, testing methodologies, and best practices for mobile security teams and mobile game developers looking to keep their game safe, fair, and compliant.

Mon 20 April 2026

Mobile AppSec Testing Best Practices for High-Tech Teams Shipping at Scale

A technical guide to mobile application security testing best practices for high-tech teams shipping iOS and Android apps at scale, covering MAST vs SAST vs DAST, mobile attack-surface testing, evidence-rich findings, CI/CD integration, severity-based release gating, compliance considerations, and how to evaluate a mobile AppSec solution.

Thu 16 April 2026

The Complete Guide to Healthcare Application Security Testing: Protecting ePHI, Medical Apps, and Patient Trust

This comprehensive guide explores the critical role of application security testing in modern healthcare. It covers the shift toward application-driven care, the unique value of ePHI, and the regulatory landscape (HIPAA/GDPR). The article outlines a robust strategy for securing the healthcare ecosystem, including patient portals, APIs, and SaMD, while highlighting how autonomous tools like Ostorlab’s Deep Agentic Scan are defining the future of continuous, scalable security validation.

Thu 16 April 2026
