
Joined January 2022
n0s retweeted
Introducing HTTP/2 Bomb: a remote DoS in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single client pins 32GB of server memory in 10s. Found by Codex. Blog post: blog.calif.io/p/codex-discov… PoCs: github.com/califio/publicati…
n0s retweeted
Calif is on such a roll. "Vulnerability research is cooked", I said last week; alternate possibility: vulnerability research is now the funnest thing in the world. Getting a highly situational nginx bug working w/ Claude: blog.calif.io/p/claude-human…
n0s retweeted
Mar 31
MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747). To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI. blog.calif.io/p/mad-bugs-cla…
n0s retweeted
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets. A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic. open.substack.com/pub/calif/…
n0s retweeted
Jan 20

n0s retweeted
Our latest research is out! If you missed a good write-up for nice vulnerabilities, I brought you one! Enjoy the reading! @FearsOff @Cloudflare
n0s retweeted
9 Oct 2025
RIP fine-tuning ☠️ This new Stanford paper just killed it. It’s called 'Agentic Context Engineering (ACE)' and it proves you can make models smarter without touching a single weight. Instead of retraining, ACE evolves the context itself. The model writes, reflects, and edits its own prompt over and over until it becomes a self-improving system. Think of it like the model keeping a growing notebook of what works. Each failure becomes a strategy. Each success becomes a rule. The results are absurd: 10.6% better than GPT-4–powered agents on AppWorld. 8.6% on finance reasoning. 86.9% lower cost and latency. No labels. Just feedback. Everyone’s been obsessed with “short, clean” prompts. ACE flips that. It builds long, detailed evolving playbooks that never forget. And it works because LLMs don’t want simplicity, they want context density. If this scales, the next generation of AI won’t be “fine-tuned.” It’ll be self-tuned. We’re entering the era of living prompts.
n0s retweeted
19 Nov 2024
Dropping my kernel exploitation notes I've been working on since I first started researching in this. I'll keep updating the repo, so please let me know if there's smthg unclear or must be fixed. You'll also find future writeups & challenges authored there. github.com/M0ngi/Kernel-Expl…
n0s retweeted
11 May 2024
Just wrote a ~2.5 page blog post on Client Side Path Traversal, covering what CSPT is, why it can be so impactful, some advanced exploitation and WAF bypass techniques, and a bug which I found in a live hacking event (redacted ofc) matanber.com/blog/cspt-level…
n0s retweeted
11 Apr 2024
I'm speechless
20 Jan 2024
I am thrilled to share my first two CVE assignments, CVE-2023-50694 and CVE-2023-50693, for discovering HTTP request smuggling vulnerabilities in HTTPbeast and Jester, both written in the Nim language. tenable.com/cve/CVE-2023-506… tenable.com/cve/CVE-2023-506…
20 Jan 2024
The vulnerability is about request smuggling; it looks like there is misleading information about RCE in the description. I requested a description update for that. Sorry for any inconvenience.
15 Nov 2023
I contributed with 7 web challenges for #BHMEA2023 this year, hope you like them! Congrats to @strellic for blooding today’s insane chall 🤯
n0s retweeted
Excited to launch my first browser extension, DOMLogger! Now available for both Firefox and Chromium! 🎉 DOMLogger allows you to monitor, intercept, and debug JavaScript sinks based on customizable configurations 🔥 Check it out 👇 github.com/kevin-mizu/domlog… 1/5
n0s retweeted
I didn't know what to do yesterday night, so I decided to create an XSS challenge 🚩 There is nothing to win, I made it just for fun! If you want to try it out, click on the link below 👇 mizu.re/challenges/xss_1/ind… The final goal is to pop an alert without any interaction 🔥
n0s retweeted
27 Aug 2023
CVE-2023-38831 WinRAR exploit generator github.com/b1tg/CVE-2023-388… #cve #infosec #pentesting
n0s retweeted
18 Aug 2023
just wrote about an issue in flask_sock package which allows executing HTTP requests in the same WebSocket stream, which effectively bypasses frontend server rules, it was part of a CTF challenge at Securinets CTF: repzret.blogspot.com/2023/08….

n0s retweeted
Here is a write-up of a fun web challenge from the @SecuriNets CTF I worked on with @xanhacks and @0xThaz, featuring CRLF injections and service worker cache poisoning. log-s.xyz/posts/securinets-q… Enjoy 😁
8 Aug 2023
I'm dropping a writeup for two tasks released at @SecuriNets CTF Quals 2k23. 0 CSP: XSS through Service worker cache poisoning and CRLF injection. Mark4archive: Race condition, Websocket request smuggling, LFI, Deserialization -> RCE. nzeros.me/2023/08/08/securin…

n0s retweeted
30 Jun 2023
I'll drop this here. An analysis for exploiting the _dl_fini function in libc 2.31 and 2.35. In 2.31, we had plenty of attack points to control the execution flow. In 2.35, __rtld_lock_lock_recursive ended up in a read-only area, so we have fewer options. Enjoy. github.com/M0ngi/CTF-Writeup…
