security
CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin
A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution vulnerability in the WPvivid Backup & Migration plugin (≤ 0.9.123). Two chained flaws, a cryptographic fail-open and an unsanitized path traversal, allow arbitrary file write and shell upload without credentials.
Fri 20 February 2026
8 Open-Source AI Pentest Tools for Security Teams in 2026
This article lists eight (8) open-source AI pentest tools. It covers how autonomous agents are po...
Fri 30 January 2026
Android Requires Developer Verification Starting from 2026
For years, Android’s openness was one of its biggest strengths. Anyone could build an app, share ...
Tue 27 January 2026
Javascript Interface Exposure
Ostorlab's Pentest Engine identified a JavaScript bridge exposure in an Android WebView, allowing...
Wed 07 January 2026
Top Mobile App Security Testing Platforms 2026
Navigate the market for the Top Mobile App Security Testing Platforms 2026 by focusing on the criteria that actually matter for your delivery workflow. Our guide details exactly what to look for, including seamless CI/CD integration, powerful detection, and high-fidelity signal-to-noise ratios. Learn how to evaluate vendors on scalability, multiplatform support, and collaboration features to select a partner that secures your mobile releases without slowing you down.
Understanding Android's FLAG_SECURE for Screen Security
What Android’s FLAG_SECURE does, how it prevents screenshots and screen recordings of sensitive app content, how to implement it correctly, where it makes sense to use it, and the key limitations and UX trade-offs developers need to understand, including its behavior with casting and external displays.
Latest posts
AI Pentest Engine Discovers Critical WebSocket BFLA in GraphQL Subscriptions
Ostorlab's AI Pentest Engine systematically uncovered a critical Broken Function-Level Authorization (BFLA) vulnerability in a GraphQL WebSocket endpoint, allowing unauthenticated access to a real-time translation service. This case study details the AI's step-by-step process, from discovery to proof-of-concept.
Fri 26 December 2025
AI Engine Triggers Account Takeover via API Version Confusion
Methodical analysis beats blind fuzzing as Ostorlab's AI engine discovers cross-version password reset weakness and achieves account takeover without email access.
Mon 15 December 2025
Uncovering a Second-Order Data Exfiltration Chain in Modern SPAs
How a second-order client-side data exfiltration chain was discovered in a modern SPA, transforming a simple open redirect into a multi-stage data theft vulnerability through JavaScript analysis and exploit chain validation.
Wed 10 December 2025
Ostorlab AI Pentest Engine: How it Works
Technical deep dive into Ostorlab AI Pentest Engine inner working, from threat intelligence, risk identification, mobile support to vulnerability validation.
Mon 27 October 2025
Going Beyond: Ostorlab AI Engine Discovers Unknown Vulnerability Classes
Ostorlab’s reasoning-driven AI engine breaks past rule-based limits to surface previously unknown and hard-to-detect vulnerabilities—including WebView Safe Browsing bypasses, SQLi via projections, WebCrypto key exfiltration, and JWT verification ordering flaws—delivering deeper, smarter, complementary security coverage.
Mon 13 October 2025
Introducing Ostorlab Security Testing Benchmarks: Real Vulnerabilities, Real Impact
The first open-source benchmark suite featuring 93 realistic vulnerable mobile apps that mirror actual CVE and bug bounty findings - not theoretical textbook examples.
Mon 22 September 2025
Banking Report 2025: Security at the Core of Mobile Finance
Large-scale security analysis of 500+ top mobile banking apps reveals widespread vulnerabilities, decade-old codebases, and concerning backend centralization patterns.
Mon 15 September 2025
Automating Security Research: AI Engine Exploits Complex Blind Code Injection
Precision beats payload spray using Ostorlab's AI engine to systematically land RCE on Titiler and proves exfiltration without a single stack trace.
Thu 04 September 2025
Changelog
View all changesiOS TestFlight scan, Slack Integrations and other improvements
Mon 10 June 2024
Security Enhancements, Compliance Mapping, and User Experience Upgrades
Fri 13 October 2023