Jaroslav Lobačevski 🇱🇹🇺🇦jaras@infosec.exchange (@yarlob) 's Twitter Profile
Jaroslav Lobačevski 🇱🇹🇺🇦jaras@infosec.exchange

@yarlob

Researcher at GitHub Security Lab. Tweets are my own. And BTW, russian warship go f.ck yourself.

ID: 929108264117325830

Link: https://jarlob.github.io | Joined: 10-11-2017 22:07:26

611 Tweets

415 Followers

307 Following

Jaroslav Lobačevski 🇱🇹🇺🇦jaras@infosec.exchange (@yarlob) 's Twitter Profile Photo

Looks like there were many folks that tried to exploit it. attackerkb.com/topics/Z2nlgnu… and the analysis by Crowdfense below, which also mentions another attempt github.com/TheN00bBuilder…

h0mbre (@h0mbre_) 's Twitter Profile Photo

this is so insane. kCTF has a first-come-first-serve policy when it comes to 0day bounties when an instance releases. this team hand crafted a proof of work solver with avx-512 instructions to beat everyone else with an 0day to the flag: anemato.de/blog/kctf-vdf

Jonathan Leitschuh - JLLeitschuh@infosec.exchange (@jlleitschuh) 's Twitter Profile Photo

🐍 How does a “Won’t Fix” CVE become a 160-comment thread… and a 5-year-old RCE that finally gets fixed? It involved deserialization bugs, real payloads, and a phone call from the beach. The full story of SnakeYAML 2.0 and secure-by-default APIs 👇 🔗infosecwriteups.com/%EF%B8%8F-insi…

Dr. Serge Zaka (Dr. Zarge) (@sergezaka) 's Twitter Profile Photo

It was 38 °C in France today, this 11 June. This is no longer a mere news item: these temperatures are incompatible with bird nesting. During early heatwaves, such as those of 2019 or 2022, mass mortality was observed among

Jaroslav Lobačevski 🇱🇹🇺🇦jaras@infosec.exchange (@yarlob) 's Twitter Profile Photo

I'm excited to be presenting at OpenSSF Community Days in Amsterdam. Come and learn not only small tips but general principles of keeping GitHub Actions secure! openssfcdeu2025.sched.com/event/25dH2/se…

Adnan Khan (@adnanthekhan) 's Twitter Profile Photo

I reported a very similar Actions injection vulnerability to SST for OpenCode. Allowed grabbing org owner token and NPM token. Fixed in github.com/sst/opencode/c…

SinSinology (@sinsinology) 's Twitter Profile Photo

NEED YOUR HELP! My Friend/Teacher Soroush (Soroush Dalili) Is looking for a new company to join, you know him as the .NET-God, the guy who has popped exchange, sharepoint, has maintained ysoserial_.net for years, contributed to the exploitation scene numerous times, taught all of you

Dodo on Security 🇵🇸 🇺🇦 (@dodo_sec) 's Twitter Profile Photo

> new vulnerability > look inside > replacing legitimate DLL with malicious one in the same directory How the fuck is this a vulnerability lol

b33f | 🇺🇦✊ (@fuzzysec) 's Twitter Profile Photo

I didn't comment on their last rant but calling this CVE slop is cringe. In fact, vendors like this are exactly the reason to impose disclosure timeline restrictions. Imagine blaming researchers for reporting a UAF in a codec used by a framework with 100m users

Soroush Dalili (@irsdl) 's Twitter Profile Photo

The blog.mantrainfosec.com/blog/18/prepar… post by Balazs Bucsay [EQ] shows how prepared statements can be exploited in NodeJS using the mysql and mysql2 packages, leading to SQLi! 🪄 So the use of prepared statements might not be the ultimate solution here 🥵 As a side note, Balazs Bucsay [EQ] later found this