Best Quality
0 8/10

Technical writeup demonstrating a complete XSS worm against the Atmail webmail client. The payload bypasses HTML sanitization by mixing quote styles across multiple img tags, executes JavaScript in the victim's session, harvests the address book together with the CSRF tokens needed to send mail, and propagates by emailing itself to every contact. The chain covers content-filter evasion, JavaScript execution, contact extraction, and automated worm distribution.

Atmail Bishop Fox DreamHost LegalShield m:tel iiNet Optus MySpace TweetDeck
bishopfox.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 8/10

A technique to escalate self-XSS in Moodle into full XSS against arbitrary users by exploiting double session cookies with different paths combined with login CSRF or impersonation functionality, allowing arbitrary JavaScript execution in victim context for full account compromise.

Moodle Daniel Thatcher Chrome Firefox BurpSuite PHP
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 8/10

A detailed technical writeup of discovering and exploiting polymorphic image-based XSS vulnerabilities on Google Scholar by embedding JavaScript payloads in JPEG/PNG metadata and entropy-coded segments that survive image processing transformations. The author developed techniques to bypass Google's image reprocessing backend and created a test suite for image library behavior analysis.

Google Scholar Doyensec Lorenzo Stella ImageMagick GraphicsMagick Libvips Exiftool doyensec/StandardizedImageProcessingTest CVE-2023-21800
blog.doyensec.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 8/10

Slacker Slash is a path traversal class in Bun-based web applications caused by a desynchronization between Bun's WHATWG-compliant URL parser, which preserves repeated leading slashes and backslashes, and POSIX-normalizing filesystem operations, which collapse them. A string-based middleware check such as pathname.startsWith() is bypassed with a double-slash prefix (//admin) or with a sibling directory that shares the allowed prefix (public_backup passes a check for public), while the filesystem still resolves the request to the protected file.

Bun ze3ter Mohamed Salem Eddah WHATWG POSIX Node.js path module
lab.ctbb.show · bugbountydaily · 20 hours ago · details
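The parser/filesystem desynchronization described above, simulated in Python as an added example (this is not code from the Slacker Slash research or from Bun). urlsplit stands in for the WHATWG parser, os.path.normpath for the POSIX-normalizing file layer; the document root, the protected prefix and the file contents are constructed. The naive handler tests the raw pathname with startswith(); the hardened one normalizes first, compares on a path-segment boundary, and confines the resolved path to the root.

```python
import os
import posixpath
import tempfile
from urllib.parse import urlsplit

# Constructed document root: index.html is public, admin/secret.txt must never be served.
ROOT = os.path.realpath(tempfile.mkdtemp())
os.makedirs(os.path.join(ROOT, "admin"))
with open(os.path.join(ROOT, "admin", "secret.txt"), "w") as fh:
    fh.write("flag")
with open(os.path.join(ROOT, "index.html"), "w") as fh:
    fh.write("<h1>hi</h1>")

PROTECTED = "/admin"


def request_pathname(url):
    # WHATWG-style parsing keeps the path exactly as sent: "//admin/x" stays "//admin/x".
    return urlsplit(url).path


def read_file(fs_path):
    if not os.path.isfile(fs_path):
        return "404"
    with open(fs_path) as fh:
        return fh.read()


def naive_handle(url):
    """Middleware tests the raw pathname with startswith(); the file layer normalizes it."""
    pathname = request_pathname(url)
    if pathname.startswith(PROTECTED):
        return "403"
    # os.path.normpath collapses "//" and resolves "..": the two layers disagree on the path.
    return read_file(os.path.normpath(ROOT + "/" + pathname))


def hardened_handle(url):
    """Normalize first, compare on a segment boundary, then confine the result to ROOT."""
    pathname = request_pathname(url)
    norm = posixpath.normpath("/" + pathname.lstrip("/"))  # the view the filesystem will have
    if norm == PROTECTED or norm.startswith(PROTECTED + "/"):
        return "403"
    fs_path = os.path.realpath(os.path.join(ROOT, norm.lstrip("/")))
    if os.path.commonpath([ROOT, fs_path]) != ROOT:  # belt and braces against symlinks and ".."
        return "403"
    return read_file(fs_path)
```

The segment-boundary comparison is what closes the sibling-prefix variant: "/administrator" is neither equal to "/admin" nor under "/admin/", so an allow-list written the same way would not admit "public_backup" for "public".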
0 7/10

This article reverse-engineers Claude's generative UI implementation, revealing it uses a show_widget tool call with direct DOM injection (not iframes), progressive documentation disclosure via read_me, and live HTML streaming from CDNs secured by Content Security Policy. The author then implements a similar system for pi, a terminal-based coding agent, using Glimpse (a native macOS WKWebView library) to render interactive widgets.

Claude Anthropic Vercel pi (terminal coding agent) Glimpse Chart.js D3 Three.js WKWebView cdnjs.cloudflare.com cdn.jsdelivr.net unpkg.com esm.sh
michaellivs.com · gmays · 34 minutes ago · details · hn
0 7/10

A critical authentication bypass vulnerability in Companies House allowed unauthenticated access to any company's dashboard by using the browser back button after failing authentication. The flaw exposed personal information (home addresses, email, full dates of birth) for 5 million directors and enabled editing of company details and filing of accounts.

Companies House John Hewitt Ghost Mail Dan Neidle Jonathan Philips ClarityDW Ltd
taxpolicy.org.uk · pavel_lishin · 2 hours ago · details · hn
0 7/10

Comprehensive CTI research report on Sandworm/APT44 (Russian GRU GTsST/Unit 74455) covering 2009–2026, with evidence-labeled attribution, operational doctrine evolution, malware portfolio analysis, and SOC-actionable defensive guidance including detection engineering frameworks and control mappings.

Sandworm APT44 GRU Main Center for Special Technologies GTsST Military Unit 74455 Mandiant Andrey Pautov Industroyer Industroyer2 NotPetya Olympic Destroyer Kapeka KnuckleTouch SwiftSlicer ZEROLOT DynoWiper LazyWiper Infamous Chisel WaveSign AcidPour BadPilot Amazon Threat Intelligence Bellingcat
infosecwriteups.com · Andrey Pautov · 2 hours ago · details
0 7/10

Unpacker is a modular malware packer detection and unpacking tool that automatically identifies packers (UPX, ASPack, Themida, VMProtect, MPRESS) via signatures, entropy, and heuristics, then dispatches to the appropriate unpacker module—native decompression for UPX, emulation-based unpacking via Unicorn/Qiling for others—with built-in validation using string analysis and file metadata.

Unpacker Andrey Pautov InfoSec Write-ups UPX ASPack Themida VMProtect MPRESS Unicorn Unipacker Qiling String Analyzer fileinfo.py
infosecwriteups.com · Andrey Pautov · 2 hours ago · details
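The signature-plus-entropy triage step described above, as an added example in Python (not code from the Unpacker project). The sample buffers, the marker table and the 7.0 bits/byte threshold are constructed for illustration; a real tool would parse PE section headers and carry a much larger signature database.

```python
import math
from collections import Counter

# Constructed sample blobs (not real binaries): a zero-filled region, a region carrying the
# "UPX!" marker UPX writes into packed files, and a uniformly distributed region.
PLAIN = b"\x00" * 4096
UPX_LIKE = (b"MZ" + b"\x00" * 100 + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36
            + b"UPX!" + bytes(range(256)) * 8)
PACKED_UNKNOWN = bytes(range(256)) * 16   # every byte value equally likely: entropy 8.0

# Illustrative marker table (section names / magic bytes), not a complete signature database.
SIGNATURES = {
    b"UPX!": "UPX",
    b"UPX0": "UPX",
    b".aspack": "ASPack",
    b".themida": "Themida",
    b".vmp0": "VMProtect",
    b".MPRESS1": "MPRESS",
}
HIGH_ENTROPY = 7.0   # bits/byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data):
    """Bits of entropy per byte over the buffer (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def windowed_entropy(data, window=1024):
    """Per-window entropy, so a packed section inside a mostly plain file still stands out."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def detect_packer(data):
    """Signature first; otherwise fall back to the entropy heuristic. Returns (name, method)."""
    for marker, name in SIGNATURES.items():
        if marker in data:
            return name, "signature"
    if max(windowed_entropy(data), default=0.0) >= HIGH_ENTROPY:
        return "unknown-packed", "entropy"
    return "none", "heuristic"
```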
0 7/10

A comprehensive guide to static malware analysis workflow covering triage, string analysis, PE import analysis, and unpacking, with open-source tools and an orchestrator for automation. The article explains each step's purpose and how to execute the full workflow programmatically.

Andrey Pautov InfoSec Write-ups Basic-File-Information-Gathering-Script String-Analyzer PE-Import-Analyzer Static Malware Analysis Orchestrator VirusTotal
infosecwriteups.com · Andrey Pautov · 2 hours ago · details
0 7/10

A multi-stage exploit chain targeting Qualcomm's GBL (Generic Bootloader Library) on Android 16 devices allows bootloader unlocking by chaining an unsigned code execution vulnerability in the efisp partition with a fastboot command injection flaw that bypasses SELinux restrictions. The exploit has been successfully demonstrated on Xiaomi 17, Redmi K90 Pro Max, and POCO F8 Ultra devices.

Qualcomm Snapdragon 8 Elite Gen 5 Xiaomi 17 OnePlus 15 Galaxy S26 Ultra Redmi K90 Pro Max POCO F8 Ultra Android 16 Hyper OS MQSAS Roger Ortiz
androidauthority.com · ledoge · 9 hours ago · details · hn
0 7/10
research

A 2-week empirical study of six autonomous AI agents with real tools (email, shell, persistent storage) tested by 20 researchers in both benign and adversarial scenarios, documenting 10 security vulnerabilities (prompt injection, identity spoofing, non-owner compliance, social engineering bypass) and 6 cases of emergent safety behavior including cross-agent safety coordination without explicit instruction.

Natalie Shapira OpenClaw Kimi K2.5 Claude Opus 4.6 ProtonMail Discord GitHub Ash Flux Jarvis Quinn Mira Doug
agentsofchaos.baulab.info · xdotli · 15 hours ago · details · hn
0 7/10

Security researchers from Irregular found that LLM-generated passwords from Claude, ChatGPT, and Gemini are fundamentally weak because of predictable patterns, with effective entropy of roughly 20 to 27 bits instead of the 98 to 120 bits expected from truly random passwords of the same length. That lets them be brute-forced in hours rather than centuries, even though standard password checkers rate them as strong.

Irregular Claude ChatGPT Gemini OpenAI Google Anthropic Dario Amodei HackerOne 1Password Bitwarden GitHub
theregister.com · pabs3 · 16 hours ago · details · hn
0 7/10

This article explores how dependent type systems in Lean 4 can serve as executable specifications, allowing AI-generated code to be verified as correct by the compiler rather than through traditional testing. The author demonstrates this with a worked example of AI-generated sorting implementations where the type signature itself encodes the correctness proof.

Lean 4 Claude Curry-Howard correspondence IEEE
ngrislain.github.io · ngrislain · 20 hours ago · details · hn
0 7/10

PHP unserialize() on attacker-controlled data can lead to RCE through gadget chains: sequences of destructors and magic-method calls in common libraries such as Monolog. The article shows how to craft serialized payloads against real applications with tools like phpggc, using a practical example from an ebook webshop that accepted serialized data in cookies.

phpggc Monolog Symfony Laravel Zend Framework Doctrine SyslogUdpHandler BufferHandler DateTime
sjoerdlangkemper.nl · kh4sh3i/bug-bounty-writeups · 20 hours ago · details
0 7/10

Technical writeup demonstrating a SQL injection bypass of the ModSecurity WAF using MySQL versioned comments (/*!50000 ... */) and alternative payload construction with MOD/DIV operators and variable assignment, to extract WordPress database credentials and schema information.

_Y000_
infosecwriteups.com · kh4sh3i/bug-bounty-writeups · 20 hours ago · details
0 7/10

A step-by-step walkthrough of exploiting boolean-based SQL injection through the User-Agent HTTP header to enumerate database version, table names, column names, and extract user credentials from a MariaDB database.

fr0stNuLL MySQL MariaDB Oracle MicrosoftSQL
medium.com · kh4sh3i/bug-bounty-writeups · 20 hours ago · details
0 7/10

A SQL injection in a signed API endpoint, reached by breaking out of a double-quoted value. Because the MD5 signature scheme was publicly documented and the SecretKey had leaked, the attacker could sign arbitrary parameters, bypass signature validation, and run time-based blind SQL injection; the finding was rated CVSS 10.0 and paid a $2,000 bounty.

Ahmed ElTijani HackerOne SUDOROOT sqlmap
medium.com · kh4sh3i/bug-bounty-writeups · 20 hours ago · details
0 7/10

A bug bounty writeup demonstrating an account takeover that combines an IDOR with a weak, reversible password-reset token. The attacker decompressed the Zlib-encoded tokens, worked out that the only integrity constraint was the Adler-32 trailer, located a Transaction_Token endpoint through directory fuzzing, and automated the exploitation to forge valid password reset links for arbitrary accounts.

Mayank Pandey CyberChef Zlib Adler-32 Python
mayank-01.medium.com · kh4sh3i/bug-bounty-writeups · 20 hours ago · details
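The token forgery above, reconstructed in Python as an added example (not the writeup's code or the target's). The token format (zlib-compressed "uid=...&email=..." in base64) and the account values are assumptions; the point is that zlib's Adler-32 trailer is an integrity check anyone can recompute, not an authentication tag. The fix at the end stores an opaque random token server-side instead.

```python
import base64
import secrets
import time
import zlib

# Constructed reset-token scheme modelled on the writeup: the reset parameters are
# zlib-compressed and base64-encoded. Adler-32 is zlib's integrity trailer, not a MAC,
# so the "checksum constraint" only rules out corrupted tokens, never forged ones.


def make_token(user_id, email):
    payload = f"uid={user_id}&email={email}".encode()
    return base64.urlsafe_b64encode(zlib.compress(payload)).decode()


def decode_token(token):
    """Server-side decode; zlib raises zlib.error if the Adler-32 trailer does not match."""
    return zlib.decompress(base64.urlsafe_b64decode(token)).decode()


def server_accepts(token):
    try:
        decode_token(token)
        return True
    except zlib.error:
        return False


def trailer_matches_payload(token):
    """The constraint the attacker worked out: last four bytes == Adler-32 of the plaintext."""
    raw = base64.urlsafe_b64decode(token)
    return int.from_bytes(raw[-4:], "big") == zlib.adler32(zlib.decompress(raw))


def forge_token(own_token, victim_id, victim_email):
    """Decode a legitimately issued token, swap the identity fields, re-encode.
    zlib.compress recomputes Adler-32, so the forged token passes the same check."""
    fields = dict(kv.split("=", 1) for kv in decode_token(own_token).split("&"))
    fields["uid"], fields["email"] = str(victim_id), victim_email
    return make_token(fields["uid"], fields["email"])


def corrupt_trailer(token):
    """Flip one bit of the Adler-32 trailer: accidental damage is all the checksum catches."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


# Fix: an opaque random token kept server-side, bound to the account, expiring, single-use.
RESET_STORE = {}


def issue_reset(user_id, ttl=900, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_STORE[token] = (user_id, now + ttl)
    return token


def redeem_reset(token, now=None):
    now = time.time() if now is None else now
    entry = RESET_STORE.pop(token, None)     # pop: a token can only be redeemed once
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```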
0 7/10

A bug bounty hunter documents their journey discovering a time-based blind SQL injection vulnerability in a sorting parameter by using MySQL version detection via comment syntax to narrow payload scope, ultimately bypassing WAF filters with the payload (select*from(select(sleep(10)))a) and earning a $3500 bounty.

Marx Chryz Del Mundo RootCon Bugcrowd Web Application Hacker's Handbook Web Hacking 101 Stök Farah Hawa Jason Haddix Peter Yaworski James Kettle Dafydd Stuttard
marxchryz.medium.com · kh4sh3i/bug-bounty-writeups · 20 hours ago · details
0 7/10

Researcher demonstrates chaining a missing rate limit, OTPs generated with the predictable Math.random(), and a race condition to bypass 2FA OTP validation in a Node.js-backed React Native mobile application, together with a SQL injection in the OTP endpoint that affects multiple authentication flows.

Yasser Mohammed HackerOne React-Native Math.random() Turbo Intruder Burp Suite OWASP
neroli.medium.com · kh4sh3i/bug-bounty-writeups · 20 hours ago · details
0 7/10

A researcher discovered an account takeover vulnerability in a login-with-OTP system by exploiting loose coupling between email and OTP validation. By changing the email parameter in the /login/signin POST request to a victim's email while using a valid OTP sent to the attacker's email, they could gain unauthorized access to any user account.

Avanish Pathak
avanishpathak46.medium.com · kh4sh3i/bug-bounty-writeups · 20 hours ago · details
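The OTP failure modes in the two entries above (a missing attempt limit, and an OTP that is not bound to the email it was issued for), reproduced in Python as one added example; this is not code from either writeup or target. The backend, its 6-digit codes and the account names are constructed. The vulnerable sign-in accepts any live OTP for whatever email the request names; the hardened one binds the code to the requesting email, expires it, makes it single-use and gives it a small attempt budget.

```python
import hmac
import secrets
import time

# Vulnerable version: one OTP pool keyed by the code alone, no attempt budget, and the email
# that names the session is never compared with the email the OTP was issued to.
VULN_OTPS = {}          # otp -> email it was sent to (recorded, but never checked at sign-in)


def vuln_send_otp(email):
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    VULN_OTPS[otp] = email
    return otp


def vuln_signin(email, otp):
    # Loose coupling: any live OTP unlocks whatever account `email` names.
    return {"session_for": email} if otp in VULN_OTPS else None


def vuln_brute_force(email):
    """No rate limit, no lockout: walk the 10^6 code space. Returns (session, attempts)."""
    for n in range(10 ** 6):
        session = vuln_signin(email, f"{n:06d}")
        if session:
            return session, n + 1
    return None, 10 ** 6


# Hardened version: OTP bound to the requesting email, expiring, single-use, with an attempt
# budget decremented before the comparison (the decrement must be atomic in a real store,
# otherwise the race condition from the first entry reopens it).
HARD_OTPS = {}          # email -> [otp, expires_at, attempts_left]
MAX_ATTEMPTS = 5


def hard_send_otp(email, ttl=300, now=None):
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    HARD_OTPS[email] = [otp, now + ttl, MAX_ATTEMPTS]
    return otp


def hard_signin(email, otp, now=None):
    now = time.time() if now is None else now
    entry = HARD_OTPS.get(email)
    if entry is None or now > entry[1]:
        HARD_OTPS.pop(email, None)
        return None
    entry[2] -= 1
    if entry[2] < 0:                      # budget exhausted: the code is dead, request a new one
        HARD_OTPS.pop(email, None)
        return None
    if hmac.compare_digest(entry[0], otp):
        HARD_OTPS.pop(email, None)        # single use
        return {"session_for": email}
    return None
```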
0 7/10
Sui
vulnerability

A high-severity vulnerability in Sui's Narwhal consensus layer allowed attackers to crash validator nodes via memory exhaustion by requesting large numbers of certificate digests without limits, enabling temporary total network shutdown. The bug was fixed by removing the vulnerable GetCertificates and GetPayloadAvailability handlers.

Sui Immunefi @F4lt Narwhal Bullshark MystenLabs
immunefi.com · unknown · 20 hours ago · details
0 7/10
vulnerability

A critical vulnerability in tBTC's L2WormholeGateway contract allowed attackers to mint unlimited Layer 2 tBTC tokens by exploiting the depositWormholeTbtc function through a reentrancy-like pattern in cross-chain bridging. The vulnerability was discovered via Immunefi bug bounty, patched before exploitation, and mitigated by removing the vulnerable function and adding reentrancy protection.

Threshold Network tBTC Immunefi Wormhole L2WormholeGateway Łukasz Zimnoch Arbitrum Base Optimism Polygon
blog.threshold.network · unknown · 20 hours ago · details
0 7/10
vulnerability

zkSync Lite suffered a critical vulnerability in its packed floating-point format implementation where unconstrained witness allocation in the parse_with_exponent_le function allowed attackers to generate valid proofs with arbitrary mantissa values, enabling unauthorized token minting, freezing, and transaction tampering. The vulnerability was patched by enforcing constraints on mantissa calculations using an into_allocated_num method.

zkSync Lite zkSync Era LonelySloth Immunefi franklin-crypto ZK Rollup CVE-2023-XXXXX
medium.com · LonelySloth · 20 hours ago · details
0 7/10
vulnerability

Two critical rounding errors in The Graph's smart contracts allowed attackers to avoid paying curation taxes and bypass token lock durations through batch processing of small amounts. The vulnerabilities were patched after responsible disclosure by whitehat @GregadETH, resulting in a $290,497 bug bounty.

The Graph GregadETH Immunefi Curation.sol L2Curation.sol L2Staking.sol MathUtils.sol GRT Arbitrum
medium.com · GregadETH · 20 hours ago · details
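The batch-splitting evasion of a rounding-down tax, worked through in Python as an added example (not code from The Graph's contracts or the disclosure). The fee is a constructed simplification: tax = amount * tax_ppm / 1,000,000 in integer arithmetic, as Solidity would compute it; the rate and amounts are assumptions. The same arithmetic with ceiling division shows why rounding in the protocol's favour makes splitting at least as expensive as a single deposit.

```python
# Constructed fee model: a 1 % tax expressed in parts per million, integer (wei-style) math.
PPM = 1_000_000
TAX_PPM = 10_000          # 1 %


def tax_floor(amount):
    """Solidity-style integer division: any amount below 100 is taxed 0."""
    return amount * TAX_PPM // PPM


def tax_ceil(amount):
    """Round in the protocol's favour: every non-zero amount pays at least 1 unit."""
    return -(-amount * TAX_PPM // PPM)     # ceiling division without floats


def largest_tax_free(tax_fn):
    """Largest single amount on which tax_fn returns 0 (0 if there is none)."""
    amount = 0
    while tax_fn(amount + 1) == 0:
        amount += 1
    return amount


def split_deposit(total, chunk):
    """Break one deposit into `chunk`-sized pieces plus any remainder."""
    return [chunk] * (total // chunk) + ([total % chunk] if total % chunk else [])


def total_tax(total, chunk, tax_fn):
    """Tax actually paid when `total` is deposited in pieces of `chunk`."""
    return sum(tax_fn(piece) for piece in split_deposit(total, chunk))


def evasion_report(total, tax_fn):
    """Compare one deposit with the cheapest batched schedule under the given rounding."""
    chunk = largest_tax_free(tax_fn) or 1
    return {"single": tax_fn(total), "batched": total_tax(total, chunk, tax_fn), "chunk": chunk}
```

Under floor rounding the batched schedule pays nothing; under ceiling rounding it pays slightly more than the single deposit, so the only remaining cost of splitting is the gas for the extra transactions, which is what turns the evasion into a loss for the attacker.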
0 7/10
vulnerability

Raydium's increase_liquidity function failed to validate whether remaining_accounts[0] was the correct TickArrayBitmapExtension account, allowing attackers to manipulate tick states and drain liquidity pools by bypassing intended price boundary checks. The whitehat discovered this critical flaw on January 10, 2024, and received a $505,000 bounty.

Raydium Immunefi @riproprip Solana Uniswap V3 increase_liquidity.rs TickArrayBitmapExtension
medium.com · riproprip · 20 hours ago · details
0 7/10
vulnerability

A critical reentrancy vulnerability in O3Swap's swap() function allows attackers to exploit ERC777 token callbacks to re-enter and artificially inflate balances, enabling unauthorized token swaps for larger amounts than initially authorized.

O3Swap ERC777 Heuss
medium.com · Heuss · 20 hours ago · details
0 7/10
incident-report

Scroll executed an emergency upgrade on April 25, 2025 to patch two critical vulnerabilities: a soundness bug in OpenVM 1.0.0's auipc opcode circuit (off-by-one in enumeration causing insufficient range checking) and a message spoofing vulnerability in the bridge's EnforcedTxGateway contract that could allow arbitrary token minting on L2.

Scroll OpenVM Axiom Immunefi WhiteHatMage Trail of Bits L1ScrollMessenger EnforcedTxGateway L2ScrollMessenger
forum.scroll.io · WhiteHatMage · 20 hours ago · details
0 7/10
vulnerability

ChainLight researchers discovered a critical soundness bug in zkSync Era's ZK-circuit that allowed malicious provers to generate fake proofs for invalidly executed blocks. The bug was responsibly disclosed to Matter Labs, which deployed a fix and awarded a 50K USDC bounty.

zkSync Era ChainLight Matter Labs EraVM zk_evm sync_vm L2EthToken MsgValueSimulator Code4rena
medium.com · ChainLight · 20 hours ago · details
0 7/10
bug-bounty

Researcher discovered two critical vulnerabilities in Sei Network's Cosmos blockchain: (1) an unhandled panic in ABCI EndBlocker that could halt the chain via a vesting account at a calculable coinbase address, and (2) a logic flaw in EVM balance handling allowing arbitrary fund transfers across accounts. Both were caught pre-mainnet and awarded $75k and $2M respectively.

Sei Network Sei Foundation CVE (not specified) Trail of Bits Cosmos SDK Geth Ethereum Virtual Machine Immunefi
usmannkhan.com · usmannk · 20 hours ago · details