A critical rounding convention bug in Vesu's Singleton liquidation contract allowed attackers to steal user funds through malicious pool extension contracts, flashloans, and improper handling of the receive_as_shares flag. The vulnerability was discovered via Immunefi bug bounty, remediated by removing the affected liquidation logic and whitelisting pool extensions within 5 days.
A critical access control vulnerability was discovered in oasisDEX's MultiplyProxyActions contract where the recreateTrigger function performs an unsafe delegatecall assuming msg.sender is AutomationBot, allowing external attackers to execute arbitrary code in the command context and potentially access user vault funds or cause system denial of service. The researcher found the vulnerability had already been patched a month prior, highlighting the importance of verifying contract versions against live deployments.
A privilege escalation vulnerability in Tokemak's liquidity controllers allows attackers with ADD_LIQUIDITY_ROLE to steal protocol funds by manipulating pool ratios and exploiting the deploy() function's lack of price validation. The attack creates a malicious liquidity pool with a skewed token ratio, triggers the controller to deposit at the bad ratio, then extracts tokens through swaps, potentially stealing entire reserve amounts of FOX and ALCX tokens.
Two vulnerabilities discovered in Magento allowing remote code execution and local file read with low-privilege admin accounts: the first exploits path traversal in product design layout XML to execute arbitrary PHP code via custom product option file uploads, and the second leverages path traversal in email template CSS directives to read arbitrary files.
A DevOps engineer discovered unauthenticated remote code execution as root on exposed Marathon instances by leveraging the task scheduling API to execute arbitrary commands. The vulnerability exploits the lack of authentication on Marathon's HTTP interface combined with the platform's ability to execute arbitrary bash commands through scheduled tasks.
A path traversal vulnerability in GitHub Desktop's x-github-client:// URI scheme handler allowed arbitrary code execution on macOS by opening malicious application bundles from a cloned repository without user interaction or Gatekeeper validation. The vulnerability was patched in GitHub Desktop v1.3.4.
Research demonstrating a complete RCE attack chain on DeskPro helpdesk software through two chained vulnerabilities: insufficient API access control (leaking JWT secrets and admin config) and insecure deserialization in the template editor. The exploit was demonstrated against Bitdefender's support center, achieving remote code execution starting from an unauthenticated user registration.
A Jenkins instance was found vulnerable to RCE due to improper access control, allowing unauthenticated users to gain admin access via GitHub OAuth and execute arbitrary Groovy scripts. The vulnerability was discovered during subdomain enumeration and responsibly disclosed to the organization's CTO.
A bug bounty researcher discovered RCE on an abandoned staging web service via an unauthenticated PUT HTTP method that allowed arbitrary file uploads, enabling PHP web shell deployment and subsequent internal network traversal with privilege escalation through credential reuse and weak security practices.
SQL injection vulnerability discovered on tw.stock.yahoo.com in the getjson.php endpoint, where a double-URL-decoding bypass allowed unescaped single quotes in the 's' parameter, enabling attackers to execute arbitrary SQL queries with root database privileges. The vulnerability stemmed from insufficient input validation combined with quote stripping that was applied only after the first decode pass.
An IDOR vulnerability in Facebook Events allowed attackers to add any user—including non-friends and blocked contacts—as co-hosts to personal events by tampering with the co_hosts parameter in the event creation request. The vulnerability was patched by Facebook and rewarded $750 through their bug bounty program.
A researcher discovered a sandbox escape vulnerability in HackerEarth's Theia IDE that allowed remote code execution by accessing the disabled terminal through VS Code's 'Task: Run selected text' command. The exploit enabled reading AWS credentials, SSL certificates, and other sensitive system files from the underlying infrastructure.
A developer at Stripe relied on a client-side HTML "disabled" class to lock the UI during account lockout/session timeout, allowing an attacker with a logged-in session to use the browser's inspect element to remove the class and bypass the authentication check to invite themselves as an administrator. The vulnerability was fixed after responsible disclosure with a $500 bounty.
A comprehensive writeup documenting multiple race condition vulnerabilities discovered across major platforms including Cobalt.io, Facebook, Mega, and Keybase, demonstrating how concurrent requests can bypass security controls for unauthorized financial transactions, account confirmations, and resource redemptions. The article includes detailed exploitation techniques and timelines of responsible disclosure across various bug bounty programs.
A researcher discovered a local file inclusion (LFI) vulnerability on Google's production servers at springboard.google.com through directory enumeration and authorization bypass, escalating from an initial auth bypass to full LFI with admin privileges, ultimately earning a $13,337 bounty from Google's Vulnerability Reward Program.
Veeam patched four critical RCE vulnerabilities in Backup & Replication (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, CVE-2026-21708) that allowed low-privileged users and Backup Viewer accounts to execute remote code, plus multiple high-severity privilege escalation and credential extraction flaws. Patches were released in versions 12.3.2.4465 and 13.0.1.2067; VBR is commonly targeted by ransomware gangs for lateral movement and backup destruction.
Pwn2Own Berlin 2026 announces its competition framework for May 14, 2026, featuring 31 targets across 10 categories with over $1,000,000 in prizes, including expanded AI categories (Databases, Coding Agents, Local Inference) and new AWS Firecracker targets alongside traditional virtualization, browsers, and enterprise applications.
Microsoft released patches for 84 vulnerabilities in its March Patch Tuesday cycle, including 8 critical-severity flaws and 2 publicly disclosed zero-days. The majority of patched issues involve privilege escalation (46) and remote code execution (18).
UNC6426 exploited stolen credentials from the nx npm supply chain compromise to obtain GitHub tokens, then escalated access to AWS admin privileges and exfiltrated data within 72 hours. The attack demonstrates a complete kill chain from initial package compromise through cloud credential theft to full environment breach.
Monthly security patch review covering March 2026 releases from Adobe (80 CVEs across 8 bulletins) and Microsoft (94 CVEs total including third-party updates), with detailed analysis of critical vulnerabilities including Office RCE via Preview Pane, Windows Print Spooler RCE, Excel XSS enabling Copilot data exfiltration, and Windows Graphics elevation-of-privilege bugs.