13 Apr 2024
19.4.13 - 24.4.13
Jun 8
CVE-2026-8054 DotCMS pre auth SQL Injection
That's my chain — a full chain w/ logic bugs only! No memory corruption, no AI, and of course no collisions at all 😉
Confirmed! Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge, earning $175,000 and 17.5 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin
New post: We tested the Mythos showcase vulnerabilities with open models. They recovered similar scoped analysis! 8/8 models found the flagship FreeBSD zero-day, including a 3B model. Rankings reshuffle completely across tasks => the AI cybersecurity frontier is super jagged!
New on the Anthropic Engineering Blog: How we use a multi-agent harness to push Claude further in frontend design and long-running autonomous software engineering. Read more: anthropic.com/engineering/ha…
#CVE-2025-67303 ComfyUI-Manager Remote Code Execution. Just remembered I still have a Twitter account. I analyzed this with my Agent in 10 minutes last night; the RCE that follows is a revival of the exploitation used in CVE-2024-21574.
7 Sep 2025
"They even charge for looking at etherscan" 😂
Never expected that after we stepped in at the first moment to help Venus whale @KuanSun1990 investigate the theft, immediately pointed out to him the necessity of Venus risk controls, and, after the risk controls were in place, helped him find the root cause of the hack, he would go on to disparage us across the board in his own group chat: "completely useless, a pure scam, they even charge for looking at etherscan, and still have the nerve to ask for a bounty and an acknowledgement." It is London time right now and you, @KuanSun1990, may not be awake yet; when you wake up, come and give an explanation, otherwise we will let everyone know what a real-life Farmer and the Snake looks like, and what two-faced means (look at how you came across in our private chat, how you disparaged the other parties who helped you). With someone like you, who would dare to help you in the future? I had already told you we could waive the bounty this time, but since you trample on us like this (while your tweets of the past few days have all been publicly thanking us... including your first-ever theft, about which you wrote so tearfully that you moved many people, including me), this time I will certainly claim the bounty. You benefited from us, so why can't I claim a bounty? Whoever I do charity for, it will never be for someone like you.
5 Aug 2025
gpt-oss is out! we made an open model that performs at the level of o4-mini and runs on a high-end laptop (WTF!!) (and a smaller one that runs on a phone). super proud of the team; big triumph of technology.
17 Jul 2025
1/4 dbugs LIVE dbugs.ptsecurity.com — vulnerabilities’ home See trends, discover more, read AI summaries, have all references at hand, and your profile with all your CVEs and CVSS score on a leaderboard. ⬇️ See thread: what’s live what’s next ⬇️
30 Jun 2025
After 9 months of cranking, cursing, and cursoring, and drawing on over 20 years experience running #HITB's Call for Papers, I bring you CFP Directory - a single system to make it easier for speakers to submit and organizers to connect and curate talks: cfp.directory/
Great, this time I'm a victim too... @getAlby stole 0.00174788 BTC ($191.96) from me. They could steal it because this was an Alby custodial account. I was quite shocked, because I certainly had no knowledge of this damned policy... I guessed they might have sent me an email notice, and sure enough, on 2025/5/1 they sent me one: Updates to our Terms of Service – Please Review. At the bottom of the email body I found this "theft policy": An inactivity fee will apply to legacy Alby Accounts with a shared wallet created in 2023 or earlier, if there has been no account activity for 12 consecutive months. Then on 2025/5/26 this BTC of mine was stolen... What an eye-opener...🤯😵‍💫😱
A new definition of decentralization: if your wallet goes inactive, I'll make your money leave you.
2 May 2025
SSRF Cache Poisoning Stored XSS = Account Takeover
17 Mar 2025
#vulhub #CyberSecurity #opensource #infosec Announcing some exciting news from the Vulhub project! We've been busy making big improvements: 1⃣. Completely rebuilt our website from the ground up! Check it out: vulhub.org
14 Mar 2025
thanks @Bugcrowd P1 warrior hoodie
12 Mar 2025
Great collaboration with @haxor31337: found a cool account-takeover vulnerability
10 Mar 2025
1. find a JavaMelody Unauth Access in hxxp://xxx/monitoring
2. explore and find /monitoring?part=processes: java -Dsendgrid=SG.xxxxxxx org.apache.catalina.startup.Bootstrap start
3. test sendgrid API key: GET /v3/scopes Host: api.sendgrid.com Authorization: xx
3 Mar 2025
search to download Chrome
Which Edge feature do you find yourself using the most?
21 Feb 2025
Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address. Our security team, alongside leading blockchain forensic experts and partners, is actively investigating the incident. Any teams with expertise in blockchain analytics and fund recovery who can assist in tracing these assets are welcome to collaborate with us. We want to assure our users and partners that all other Bybit cold wallets remain fully secure. All client funds are safe, and our operations continue as usual without any disruption. Transparency and security remain our top priorities, and we will provide updates asap