The MCP OAuth specification mandates OAuth 2.1 with PKCE, but as of April 2026 not a single MCP client fully implements the refresh-token flow. Server teams are forced to issue dangerously long-lived access tokens as a workaround.

SEC-disclosed cybersecurity incidents, AI-tagged with Duke's breach taxonomy.

Benchmarking Hacktron's scanning pipeline shows that for most applications, smaller models run repeatedly can outperform larger frontier models on cost-to-recall.

A look at Spirit Airlines' abandoned but active web infrastructure after their sudden liquidation, and 3 defensive registrations that received immediate traffic.

Train a small CNN to recover 85% of keystrokes from audio captured by a laptop's built-in microphone.

Hunting Down the Google-Sent Phishing Wave Compromising 30,000+ Facebook Accounts

Traditional lateral movement techniques are no longer applicable in the modern era due to developments in the detection capability by most of the EDR vendors. Techniques that abuse legitimate Windo…

A fake Stripe event in a curl one-liner. No Stripe-Signature header. 1,542 of the apps we scanned this week returned a 200. That means anyone can forge payment events on those endpoints. Here is what we found and the six-line fix.

Proton Pass' second password is supposed to keep your vault safe even if your main account falls. Emergency Access with a wait time of None walks right past it.

After a small detour, the CloudSecTidbits series is back with new episodes. We had the opportunity to present them at the first DEFCON in Singapore few days ago during our DemoLabs sessions. Meeting Singapore’s community was indeed amazing - thanks again…

Have you noticed that almost every marketing email you receive looks somewhat similar, or has functionality that seems centralised? This is because most corporations have moved to some form of marketing cloud to facilitate sending mass email campaigns. This…

Setting up the environment + Hello World Inspecting and tampering HTTP requests and responses Inspecting and tampering WebSocket messages Creating […]

A compatibility matrix tracking OAuth refresh-token support across 14 MCP clients. Covers status, root causes, SDK layers, and server-side workarounds.

ASSIGNED (dcbugzillaresponse) in CA Program - CA Certificate Compliance. Last updated 2026-05-04.

100% free online tools: Website Security Scanner, Speed Test, URL Shortener (ShrinkIt), Database Converter, QR Code Generator, Encryption & more.

Cyera's research team discovered a critical memory-leak vulnerability in Ollama, the world's most popular platform for running large language models (LLMs) locally.

pyghidra-mcp v0.2.0 ships a GUI-backed mode that lets a local LLM drive a live Ghidra CodeBrowser at full project scope. Renames, plate comments, and cross-binary pivots land in real time, with every edit tagged in Ghidra’s undo history while the session…

A growing list of named vulnerabilities, attack techniques and exploits.