Co-Founder at striga.ai

Joined February 2025
A proud moment for me. @striga_ai has been accepted into the NVIDIA Inception program, NVIDIA's global startup ecosystem. Past the resources, it is a moment of validation. Everything we have been building for over a year is starting to gain traction. Cheers.
Striga is now a member of the NVIDIA Inception program. The program gives us access to NVIDIA's developer tools, preferred pricing on hardware and software, and a global ecosystem of investors and partners. For us, that means the compute, tooling, and ecosystem access to scale the pipeline behind our vulnerability research. #NVIDIAInception @nvidia
Found another CVE in Apache software using striga.ai. We have a dozen more reported, though I assume the queue is long these days. Let me know which open-source project I should point striga at next.
hackerman70000 retweeted
PoCs for Apache Tomcat Unauth RCE (CVE-2026-34486) and Apache httpd Pre-auth RCE (CVE-2026-23918) are now public on our Github. Tomcat exploit is fully reliable. httpd chain works in a controlled lab setup with a known info leak. github.com/striga-ai/CVE-202… github.com/striga-ai/CVE-202…
Probably our biggest find so far. Whole thing on open-weights, under $100 in compute.
For a Fistful of Dollars: Less than $100 of Compute Surfaces Pre-auth RCE in Apache httpd Write-up: striga.ai/research/apache-ht…
hackerman70000 retweeted
Persistent RCE in @ollama's Windows auto-updater. An HTTP header decides where the downloaded file lands on disk. The signature check that would catch this is one line: return nil. Windows runs the dropped binary every login. CVE-2026-42248, CVE-2026-42249. Affected: 0.12.10 - 0.22.0. Still unpatched after the 90-day disclosure window. Thanks to @CERT_Polska for picking up coordination, with the vendor unresponsive. striga.ai/research/ollama-wi…
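The two defects named in the post above, a header-controlled destination path and a signature check that always succeeds, are easy to model side by side with their hardened counterparts. This is an added illustrative example, not ollama's code or Striga's research code; the function names, the `X-Update-Name` style header value, and the Ed25519 signing are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrBadSignature = errors.New("update: signature verification failed")
var ErrBadName = errors.New("update: unsafe filename in header")

// Weak pattern: the signature check is a stub that accepts anything.
func weakVerify(_ ed25519.PublicKey, _, _ []byte) error { return nil }

// Weak pattern: the header value is joined onto the download directory
// as-is, so ".." segments walk out of it.
func weakDestination(dir, headerName string) string {
	return filepath.Join(dir, headerName)
}

// Hardened: the header value must be a plain file name, no separators
// or ".." and with the expected extension, before it is joined onto dir.
func safeDestination(dir, headerName string) (string, error) {
	if headerName == "" || strings.ContainsAny(headerName, `/\`) ||
		strings.Contains(headerName, "..") || !strings.HasSuffix(headerName, ".exe") {
		return "", ErrBadName
	}
	return filepath.Join(dir, headerName), nil
}

// Hardened: a real detached-signature check over the downloaded bytes.
func safeVerify(pub ed25519.PublicKey, payload, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

// install runs the hardened checks and returns the path the file may be written to.
func install(pub ed25519.PublicKey, dir, headerName string, payload, sig []byte) (string, error) {
	dest, err := safeDestination(dir, headerName)
	if err != nil {
		return "", err
	}
	if err := safeVerify(pub, payload, sig); err != nil {
		return "", err
	}
	return dest, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	payload := []byte("constructed installer bytes")
	sig := ed25519.Sign(priv, payload)
	fmt.Println(weakDestination("/tmp/updates", "../../elsewhere/x.exe"), weakVerify(pub, payload, []byte("junk")))
	fmt.Println(install(pub, "/tmp/updates", "../../elsewhere/x.exe", payload, sig))
	fmt.Println(install(pub, "/tmp/updates", "update.exe", payload, []byte("junk")))
	fmt.Println(install(pub, "/tmp/updates", "update.exe", payload, sig))
}
```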
hackerman70000 retweeted
ARC-AGI-3 has the lowest human bar of any AI benchmark out there. Almost all benchmarks require specialized knowledge that makes them inaccessible to 99% of humans (like, say, SWE-Bench). ARC-AGI-3 is feasible by regular people.
hackerman70000 retweeted
Unauthenticated RCE in Apache Tomcat (CVE-2026-34486). The EncryptInterceptor was supposed to protect cluster communication. A fix for a padding oracle vulnerability moved one line outside a try block, and the encryption layer silently started forwarding every failed decryption straight into unfiltered Java deserialization. We found it with Striga, built the exploit, and reported it to The Apache Software Foundation. striga.ai/research/tomcat-tr…
hackerman70000 retweeted
Got this email from GitHub, possibly related to the Claude Code codebase leak, but the repo they're referencing is a fork of Anthropic's own public repo. It's not the codebase one, it's a repo with Skills, examples, docs, etc. If you want more details, here's all the info: github.com/github/dmca/blob/…
hackerman70000 retweeted
A buffer overflow in GNU inetutils telnetd has been sitting in the codebase since 1994. Pre-auth, no credentials needed, just a TCP connection to port 23. The vulnerability was reported by Adiel Sol from Dream Security (CVE-2026-32746, CVSS 9.8). We used Striga to analyze the byte constraints, demonstrate a GOT hijack on 32-bit targets, and build a hybrid RCE proof-of-concept for 64-bit systems. striga.ai/research/pre-auth-…
hackerman70000 retweeted
We used Striga to discover a high-severity vulnerability in axios, the most downloaded HTTP client in JavaScript. Any Node.js service that forwards user-controlled JSON through axios can be crashed with a single request. CVE-2026-25639. Patched in 1.13.5. striga.ai/research/crashing-…
This is why AST-based sandboxing in JavaScript is fundamentally fragile: every new syntax feature is a potential gap. news.ycombinator.com/item?id…
