Summary An unauthenticated attacker can remotely execute arbitrary code via the CWMP protocol on the ipTIME router. Vendor Response We have tried to reach out to the vendor through multiple channels (email and via KISA) but have not been able to receive any…

On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on npm.…

yes, as in singular one. Back in April 2026 Anthropic caused a lot of media noise when they concluded that their new AI model Mythos is dangerously good at finding security flaws in source code. Apparently Mythos was so good at this that Anthropic would not…

A hands-on OpenClaw experiment reveals that AI agent security hinges on model quality, showing how prompt injection defenses weaken across cheaper LLM tiers.

AI-assisted vulnerability research is the fuzzer era all over again. Same spike, same plateau. Here is why bug counts are only half the story.

Learn how malicious Claude Code skills can abuse dynamic context commands to execute before model-level prompt injection defenses can intervene.

XBOW discovered CVE-2026-45185, a critical unauthenticated RCE in Exim, and used the disclosure window to test how far human and autonomous exploit development could go.

AI cyberwar autonomous agents are already inside US infrastructure. How nation-states weaponize AI — and what comes next.

258 Vulnerabilities in AI-Generated Code (and a Scanner for All of Them) I saw a post recently listing 20 common vulnerabilities in AI-coded apps. Good list. Also wildly optimistic. I've been using AI coding assistants…

Findings, disclosures, methodology notes — sent into the dark like a PING.

The technique of EntryPoint Hijacking introduces a stealthier approach to code injection as it doesn’t use API calls that create a new thread within the context of a process, and it independe…

Deploying Keycloak is easy. Running it in production is not. Compare on-prem, IaaS, Marketplace, PaaS, and SaaS to find the deployment model that fits your team, and your actual operational capacity.

On psychological contracts, timeline opacity, and the limits of researcher good faith in responsible vulnerability disclosure.

Threat intelligence report: WaSteal: 126-Extension WhatsApp Data Collection Network. Research by MalExt Sentry.

MAILDROP-01 Public Disclosure: Apple Maildrop URLs expose unsigned, client-controlled filename, size, and icon parameters — phishing-grade identity spoofing on icloud.com. Apple Security Bounty case OE1950888220.