Tag

Security

Learn how source code security testing works, why traditional SAST creates false positives, and how agentic analysis turns scanner signals into actionable findings.

Security

The Definitive Guide to Mobile App Vetting: Securing the Enterprise App Ecosystem

This comprehensive guide covers the architecture, risk methodologies, and deployment frameworks r...

Fri 19 June 2026

Security

Exploit CVE-2026-42208: LiteLLM Unauthenticated SQL Injection via Bearer Token

A technical breakdown of CVE-2026-42208, a CVSS 9.3 critical unauthenticated SQL Injection vulner...

Fri 22 May 2026

Security

DirtyFrag: Universal Linux Local Privilege Escalation via Page-Cache Write

A technical breakdown of DirtyFrag, a pair of Linux kernel local privilege escalation vulnerabili...

Wed 13 May 2026

A technical breakdown of CVE-2026-44109, a CVSS 9.2 Critical authentication bypass vulnerability in OpenClaw (< 2026.4.15). Two fail-open logic inversions in the Feishu/Lark plugin — one in the webhook signature validator and one in the card-action replay guard — allow an unauthenticated attacker to inject arbitrary events into OpenClaw's command dispatch engine. When the bot has execution tools enabled, this translates directly to unauthenticated remote code execution on the host machine with the privileges of the OpenClaw process.

A deep dive into a critical Server-Side Request Forgery (SSRF) vulnerability in Chatwoot's upload endpoint (≤ v4.12.1). The /api/v1/accounts/:id/upload endpoint accepts an external_url parameter validated only by a scheme check, allowing any authenticated agent to force the server to fetch arbitrary internal URLs. The full response body is returned in-band through ActiveStorage blobs — turning the upload endpoint into a full-read proxy. Live exploitation on a DigitalOcean droplet confirmed in-band exfiltration of cloud metadata including droplet ID, hostname, SSH public keys, and full metadata bundles. Fixed in v4.13.0.

Latest posts

DORA Compliance Checklist for Banking & Fintech: Audit-Ready Operational Resilience Validation

A DORA compliance checklist helps banking and fintech organizations evaluate operational resilience across core areas like ICT risk, incident response, resilience testing, third-party governance, and oversight, while tracking implementation progress and supporting audit readiness.

Wed 29 April 2026

The Complete Guide to Healthcare Application Security Testing: Protecting ePHI, Medical Apps, and Patient Trust

This comprehensive guide explores the critical role of application security testing in modern healthcare. It covers the shift toward application-driven care, the unique value of ePHI, and the regulatory landscape (HIPAA/GDPR). The article outlines a robust strategy for securing the healthcare ecosystem, including patient portals, APIs, and SaMD, while highlighting how autonomous tools like Ostorlab’s Deep Agentic Scan are defining the future of continuous, scalable security validation.

Thu 16 April 2026

Mobile Banking Security Testing: Protecting Financial Apps, Data, and Transactions

Protecting mobile banking apps requires more than securing the client alone. This guide explores the risks across devices, networks, and backend systems, and explains why continuous mobile security testing is essential for protecting financial data and transactions.

Thu 16 April 2026

Twenty CRM Serverless Functions Expose Critical RCE and Permanent Unauthenticated Backdoor Risk (CVE-2026-26720) - PoC & Exploit

A technical breakdown of CVE-2026-26720, a CVSS 9.8 Critical authenticated Remote Code Execution vulnerability in Twenty CRM (≤ v1.15.0). Any workspace member can create and execute serverless functions that run unsandboxed with full access to process.env, leaking APP_SECRET, PG_DATABASE_URL, and all server-side credentials. When combined with webhook-triggered workflows exposed via PublicEndpointGuard, a single authenticated attacker can install a permanent unauthenticated RCE backdoor accessible from anywhere on the internet.

Wed 15 April 2026

New Roundcube Webmail Vulnerabilities Disclosed : IMAP Command Injection and SSRF via CSS Proxying.

A deep dive into two critical vulnerabilities uncovered in Roundcube Webmail (< 1.6.14, 1.5.14, 1.7 RC4) during a source code review. OVE-2026-8 allows authenticated attackers to inject arbitrary IMAP commands via the _filter parameter due to missing CRLF sanitization. OVE-2026-9 enables Server-Side Request Forgery (SSRF) by exploiting the CSS proxying mechanism, allowing access to internal network resources and cloud metadata.

Wed 08 April 2026

CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution

A technical breakdown of CVE-2026-27971, a CVSS 9.2 critical unauthenticated remote code execution vulnerability in Qwik (< 1.19.1). Unsafe deserialization in the server$ RPC flow allows attacker-controlled QRL objects to be reconstructed from application/qwik-json requests, enabling arbitrary module path and symbol resolution and, where require() is available,remote code execution via crafted server-side function invocation.

Wed 01 April 2026

CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain

A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection vulnerability in the "Contact Form Entries" WordPress plugin (≤ 1.4.7). The download_csv function deserializes untrusted user input without allowed_classes restrictions. When combined with WordPress 6.4.0-6.4.1, the built-in WP_HTML_Token class provides a complete all-public POP chain leading to full Remote Code Execution via two unauthenticated HTTP requests.

Wed 25 March 2026

Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass

A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerability in Roundcube Webmail (< 1.5.12 and < 1.6.12). The rcube_washtml sanitizer blocks SVG \ tags that target the href attribute, but the attribute_value() comparison does not strip XML namespace prefixes before matching. An attacker can use attributeName="xlink:href" to bypass the check entirely, delivering unsanitized javascript: URIs in the values attribute directly into the rendered email DOM. JavaScript execution is currently prevented by an accidental namespace corruption in PHP's DOMDocument::loadHTML() which strips the xlink namespace declaration, but the sanitizer bypass is confirmed and the vulnerability remains exploitable under alternative parser configurations such as the Masterminds HTML5 parser or PHP 8.4's Dom\HTMLDocument.

Tue 17 March 2026


Previous
1 of 6