Tag

vulnerability

Security

DirtyFrag: Universal Linux Local Privilege Escalation via Page-Cache Write

A technical breakdown of DirtyFrag, a pair of Linux kernel local privilege escalation vulnerabilities (CVE-2026-43284 and CVE-2026-43500, CVSS 7.8 HIGH) that allow any unprivileged local user to obtain root on most major Linux distributions. By chaining an xfrm-ESP and an RxRPC in-place decryption path flaw, both rooted in the same page-cache write primitive as Dirty Pipe and Copy Fail, the exploit overwrites read-only page cache pages without a race condition, achieving near-100% reliability.

Aziz Elbelaychy
Wed 13 May 2026

Security

CVE-2026-5205: Critical SSRF in Chatwoot — How a Single Upload Parameter Exposes Cloud Credentials

A deep dive into a critical Server-Side Request Forgery (SSRF) vulnerability in Chatwoot's upload...

Wed 29 April 2026

Security

Twenty CRM Serverless Functions Expose Critical RCE and Permanent Unauthenticated Backdoor Risk (CVE-2026-26720) - PoC & Exploit

A technical breakdown of CVE-2026-26720, a CVSS 9.8 Critical authenticated Remote Code Execution ...

Wed 15 April 2026

Security

New Roundcube Webmail Vulnerabilities Disclosed : IMAP Command Injection and SSRF via CSS Proxying.

A deep dive into two critical vulnerabilities uncovered in Roundcube Webmail (< 1.6.14, 1.5.14, 1...

Wed 08 April 2026

Security

CVE-2026-27971 : Qwik server$ Unauthenticated Remote Code Execution

A technical breakdown of CVE-2026-27971, a CVSS 9.2 critical unauthenticated remote code execution vulnerability in Qwik (< 1.19.1). Unsafe deserialization in the server$ RPC flow allows attacker-controlled QRL objects to be reconstructed from application/qwik-json requests, enabling arbitrary module path and symbol resolution and, where require() is available,remote code execution via crafted server-side function invocation.

Wed 01 April 2026

Security

CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain

A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection vulnerability in the "Contact Form Entries" WordPress plugin (≤ 1.4.7). The download_csv function deserializes untrusted user input without allowed_classes restrictions. When combined with WordPress 6.4.0-6.4.1, the built-in WP_HTML_Token class provides a complete all-public POP chain leading to full Remote Code Execution via two unauthenticated HTTP requests.

Wed 25 March 2026

Latest posts

Security

Exploit CVE-2025-68461 : Roundcube Webmail SVG Animate XSS Sanitizer Bypass

A technical breakdown of CVE-2025-68461, a CVSS 7.2 high stored Cross-Site Scripting vulnerability in Roundcube Webmail (< 1.5.12 and < 1.6.12). The rcube_washtml sanitizer blocks SVG \ tags that target the href attribute, but the attribute_value() comparison does not strip XML namespace prefixes before matching. An attacker can use attributeName="xlink:href" to bypass the check entirely, delivering unsanitized javascript: URIs in the values attribute directly into the rendered email DOM. JavaScript execution is currently prevented by an accidental namespace corruption in PHP's DOMDocument::loadHTML() which strips the xlink namespace declaration, but the sanitizer bypass is confirmed and the vulnerability remains exploitable under alternative parser configurations such as the Masterminds HTML5 parser or PHP 8.4's Dom\HTMLDocument.

Tue 17 March 2026

Security

GHSA-cr3w-cw5w-h3fj: 1-Click RCE in Saltcorn

Analysis of GHSA-cr3w-cw5w-h3fj, a CVSS 9.7 critical XSS-to-RCE vulnerability in Saltcorn (≤ 1.5.0-beta.19). Two chained flaws, reflected XSS in route parameters and command injection in backup generation, enable remote code execution via administrator phishing.

Wed 11 March 2026

Security

CVE-2026-26019 : LangChain RecursiveUrlLoader Server-Side Request Forgery Vulnerability

A technical breakdown of CVE-2026-26019, a CVSS 4.1 medium Server-Side Request Forgery vulnerability in the LangChain Community JavaScript package (< 1.1.14). The RecursiveUrlLoader class uses a naive string prefix check to validate crawled URLs, allowing an attacker to bypass the default preventOutside restriction with a suffixed domain and redirect the crawler to internal network assets, potentially exposing sensitive credentials and metadata endpoints.

Wed 04 March 2026

Security

CVE-2025-64712: Path Traversal RCE in Unstructured Library MSG Processing

A technical breakdown of CVE-2025-64712, a CVSS 9.8 critical path traversal remote code execution vulnerability in the Unstructured Python library (< 0.18.18). Unsanitized attachment filenames in Outlook MSG processing allow for path traversal, enabling an attacker to overwrite arbitrary files via a crafted MSG file and achieve code execution.

Mon 23 February 2026

Security

CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin

A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution vulnerability in the WPvivid Backup & Migration plugin (≤ 0.9.123). Two chained flaws, a cryptographic fail-open and an unsanitized path traversal, allow arbitrary file write and shell upload without credentials.

Fri 20 February 2026

Security

Uncovering a Second-Order Data Exfiltration Chain in Modern SPAs

How a second-order client-side data exfiltration chain was discovered in a modern SPA, transforming a simple open redirect into a multi-stage data theft vulnerability through JavaScript analysis and exploit chain validation.

Wed 10 December 2025

Product

Scan, Sync, Remediate: Ostorlab Meets Vanta for Faster Audits

This article announces the new integration between Ostorlab and Vanta, explains how it works, outlines the setup process, and highlights the key benefits for security and compliance teams.

Tue 20 May 2025

Security

Defending Against GraphQL Attacks: A Deep Dive into Common Vulnerabilities

This article is an in-depth look at the most common GraphQL vulnerabilities, why they occur, and how they can be mitigated.

Mon 21 October 2024

Changelog

View all changes
Previous
1 of 2
Next