Daniel Stenberg documents persistent security failures in NuGet's package repository, where severely outdated curl versions (7.51.0 from 2016 with 64+ known vulnerabilities) continue to be hosted and downloaded thousands of times weekly. Microsoft MSRC refused responsibility, claiming package security is entirely the responsibility of individual package maintainers rather than the platform.
A security researcher discovered an RCE vulnerability in a PHP application by exploiting insufficient input validation on a user ID parameter passed to shell_exec(curl) calls. By bypassing the integer-only check and injecting backtick-delimited shell commands, the researcher achieved code execution as root.
A writeup demonstrating how to escalate a banner grabbing reconnaissance finding into critical vulnerabilities (DoS and memory corruption) on IIS servers using MS15-034 (CVE-2015-1635), exploitable via HTTP Range headers and Metasploit modules.