Security
CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain
A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection vulnerability in the "Contact Form Entries" WordPress plugin (≤ 1.4.7). The download_csv function deserializes untrusted user input without allowed_classes restrictions. When combined with WordPress 6.4.0-6.4.1, the built-in WP_HTML_Token class provides a complete all-public POP chain leading to full Remote Code Execution via two unauthenticated HTTP requests.
Wed 25 March 2026
Mobile Operational Resilience Under DORA: The simplest drill library for BFSI journeys
A mobile-first guide to DORA compliance for BFSI teams. Learn how to define your scope, simplify ...
Tue 24 March 2026
Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass
A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerabilit...
Tue 17 March 2026
GHSA-cr3w-cw5w-h3fj: 1-Click RCE in Saltcorn
Analysis of GHSA-cr3w-cw5w-h3fj, a CVSS 9.7 critical XSS-to-RCE vulnerability in Saltcorn (≤ 1.5....
Wed 11 March 2026
DORA Compliance for Mobile Releases: The easiest baseline, verdict, and exceptions model
A mobile-first guide to DORA regulation and DORA compliance for BFSI teams. Learn how to define your scope, simplify your release process, and avoid the traps that create unnecessary compliance work.
CVE-2026-26019 : LangChain RecursiveUrlLoader Server-Side Request Forgery Vulnerability
A technical breakdown of CVE-2026-26019, a CVSS 4.1 medium Server-Side Request Forgery vulnerability in the LangChain Community JavaScript package (< 1.1.14). The RecursiveUrlLoader class uses a naive string prefix check to validate crawled URLs, allowing an attacker to bypass the default preventOutside restriction with a suffixed domain and redirect the crawler to internal network assets, potentially exposing sensitive credentials and metadata endpoints.
Latest posts
DORA Compliance for Mobile Teams: Understanding scope and what you need to do
A mobile-first guide to DORA regulation and DORA compliance for BFSI teams. Learn how to define your scope, simplify your release process, and avoid the traps that create unnecessary compliance work.
Tue 03 March 2026
Top 10 Mobile Pentesting Tools in 2026
We work with mobile apps every day, and over time we’ve found a list of open-source tools that consistently make our testing more powerful, faster and fun. In this article, we’ve highlighted 10 mobile app pentesting tools we love using everyday.
Fri 27 February 2026
CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing
A technical breakdown of CVE-2025-64712, a CVSS 9.8 critical path traversal remote code execution vulnerability in the Unstructured Python library (< 0.18.18). Unsanitized attachment filenames in Outlook MSG processing allow for path traversal, enabling an attacker to overwrite arbitrary files via a crafted MSG file and achieve code execution.
Mon 23 February 2026
CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin
A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution vulnerability in the WPvivid Backup & Migration plugin (≤ 0.9.123). Two chained flaws, a cryptographic fail-open and an unsanitized path traversal, allow arbitrary file write and shell upload without credentials.
Fri 20 February 2026
8 Open-Source AI Pentest Tools for Security Teams in 2026
This article lists eight (8) open-source AI pentest tools. It covers how autonomous agents are potentially changing the way security testing is done.
Fri 30 January 2026
Android Requires Developer Verification Starting from 2026
For years, Android’s openness was one of its biggest strengths. Anyone could build an app, share it, and sideload it freely. Users were warned about the risks, but the choice was always theirs. Starting in 2026, Android will require developer verification for apps to run on certified devices. Apps from unverified developers can be blocked, even when users knowingly install them. Google calls it security. Critics call it a loss of freedom. Understanding what’s changing and where Android draws the line now matters more than ever.
Tue 27 January 2026
That Time a Zero (could have) Broke the Internet's Plumbing (CVE-2026-0915)
An AI-assisted analysis uncovered a 30-year-old uninitialized buffer vulnerability in glibc's _nss_dns_getnetbyaddr_r function. This case study details how a zero-input edge case bypasses loop logic, causing the library to transmit raw stack memory to external DNS servers, and benchmarks how various AI models succeeded in identifying this subtle logic error where human review failed.
Wed 21 January 2026
Javascript Interface Exposure
Ostorlab's Pentest Engine identified a JavaScript bridge exposure in an Android WebView, allowing unauthenticated native method invocation via deep links. This case study details how the engine bypassed insecure Intent handling to manipulate the native UI, validating a potent social engineering vector while confirming the effectiveness of the underlying sandbox.
Wed 07 January 2026