Ostorlab: Mobile App Security Testing for Android and iOS

Tag

RCE

CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution

A technical breakdown of CVE-2026-27971, a CVSS 9.2 critical unauthenticated remote code execution vulnerability in Qwik (< 1.19.1). Unsafe deserialization in the server$ RPC flow allows attacker-controlled QRL objects to be reconstructed from application/qwik-json requests, enabling arbitrary module path and symbol resolution and, where require() is available,remote code execution via crafted server-side function invocation.

Aziz Elbelaychy


            Wed 01 April 2026

Security

CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain

A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection ...

Mohammed Lachhab


                  Wed 25 March 2026

Security

GHSA-cr3w-cw5w-h3fj: 1-Click RCE in Saltcorn

Analysis of GHSA-cr3w-cw5w-h3fj, a CVSS 9.7 critical XSS-to-RCE vulnerability in Saltcorn (≤ 1.5....

Mohammed Lachhab


                  Wed 11 March 2026

Security

CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing

A technical breakdown of CVE-2025-64712, a CVSS 9.8 critical path traversal remote code execution...

Aziz Elbelaychy


                  Mon 23 February 2026

Security

CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin

A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution vulnerability in the WPvivid Backup & Migration plugin (≤ 0.9.123). Two chained flaws, a cryptographic fail-open and an unsanitized path traversal, allow arbitrary file write and shell upload without credentials.

Mohammed Lachhab


                  Fri 20 February 2026

Security

Pre-Auth Root RCE Vulnerability in CyberPanel: Deep Dive Exploit Analysis

A technical analysis of a vulnerability in CyberPanel, a Pre-Auth Root RCE, including confirmed exploitation paths, investigated components, and research methodology findings.

Ostorlab


                  Wed 30 October 2024

Latest posts

Security

Actively Exploited CVE-2022-21445, Deep Dive

The article delves into the technical details of this CVE, its potential impact, and the methods used to detect and exploit it.

Nour Eddine Masdoufi


                    Wed 25 September 2024

Security

Text4Shell (CVE-2022-42889) in Mobile Applications ... should I worry?

CVE-2022-42889 is a vulnerability in the Apache Commons Text Library caused by string interpolation abusing powerful handlers and present in popular application like Amazon Shopping, Udemy and Grammarly. This article goes over the applicability and risk of this vulnerability for Mobile Applications.

Alaeddine Mesbahi


                    Mon 24 October 2022

Security

How did we react to Log4j vulnerability? Read our analysis for mobile applications.

What is the impact of Log4j vulnerability on mobile applications

Martin Salis


                    Mon 20 December 2021

Changelog

View all changes

RCE

CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution

CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain

GHSA-cr3w-cw5w-h3fj: 1-Click RCE in Saltcorn

CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing

CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin

Pre-Auth Root RCE Vulnerability in CyberPanel: Deep Dive Exploit Analysis

Latest posts

Actively Exploited CVE-2022-21445, Deep Dive

Text4Shell (CVE-2022-42889) in Mobile Applications ... should I worry?

How did we react to Log4j vulnerability? Read our analysis for mobile applications.

Changelog

Subscribe to the Ostorlab Newsletter