striga (@striga_ai)'s Twitter Profile
striga

@striga_ai

Source code auditing built on artificial intelligence.

ID: 2017247083984470016

http://striga.ai · 30-01-2026 14:42:54

10 Tweets

90 Followers

12 Following

Source code auditing built on artificial intelligence. End-to-end vulnerability detection in source code. Results backed by CVEs. Built by the research team at ISEC. More at striga.ai

First public finding from Striga. Two vulnerabilities in n8n's expression engine chained into remote code execution. 230K+ active users, nearly 200M Docker pulls. CVE-2026-27577, CVSSv4.0 9.4 Critical. striga.ai/research/break…

We used Striga to discover a high-severity vulnerability in axios, the most downloaded HTTP client in JavaScript. Any Node.js service that forwards user-controlled JSON through axios can be crashed with a single request. CVE-2026-25639. Patched in 1.13.5. striga.ai/research/crash…

A buffer overflow in GNU inetutils telnetd has been sitting in the codebase since 1994. Pre-auth, no credentials needed, just a TCP connection to port 23. The vulnerability was reported by Adiel Sol from Dream Security (CVE-2026-32746, CVSS 9.8). We used Striga to analyze

We recently audited pac4j, a widely used Java security framework for authentication and authorization. We found several high-severity vulnerabilities in the LDAP and CSRF modules. All were responsibly disclosed to the maintainers and have been fixed in pac4j 6.4.1, 5.7.10,

Unauthenticated RCE in Apache Tomcat (CVE-2026-34486). The EncryptInterceptor was supposed to protect cluster communication. A fix for a padding oracle vulnerability moved one line outside a try block, and the encryption layer silently started forwarding every failed