796 matches found
CVE-2026-41301
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairi...
PT-2026-33868
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairi...
SoK: Reshaping Research on Network Intrusion Detection Systems
Network Intrusion Detection Systems NIDS have been studied for decades. Hundreds of papers have, e.g., proposed ways to enhance, harden or bypass NIDS. However, the findings of prior literature are hardly reflected in real-world operational contexts. Such a disconnection is problematic for resear...
Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
Summary Several API endpoints in authenticated mode have no authentication at all. They respond to completely unauthenticated requests with sensitive data or allow state-changing operations. No account, no session, no API key needed. Verified against the latest version. Discord: sagi03581 Steps t...
GHSA-XFQJ-R5QW-8G4J Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
Summary Several API endpoints in authenticated mode have no authentication at all. They respond to completely unauthenticated requests with sensitive data or allow state-changing operations. No account, no session, no API key needed. Verified against the latest version. Discord: sagi03581 Steps t...
GHSA-QQX8-2XMM-JRV8 ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
Summary The webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego...
Understanding Student Experiences with TLS Client Authentication
Mutual TLS mTLS provides strong, certificate-based authentication for both clients and servers, yet its adoption for user-facing websites remains rare. This paper presents a longitudinal study of mTLS usability, tracking 46 senior and graduate computer science students who configured client...
Challenges and Future Directions in Agentic Reverse Engineering Systems
Agentic systems built on large language models LLMs are increasingly being used for complex security tasks, including binary reverse engineering RE. Despite recent growth in popularity and capability, these systems continue to face limitations in realistic settings. Cutting-edge systems still fai...
How the Internet Broke Everyone’s Bullshit Detectors
From AI-generated images to restricted satellite data, the systems used to verify what’s real online are struggling to keep up...
EUVD-2026-19289
Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the process that parses WWW-Authenticate challenges from an upstream registry. An attacker can obtain upstream credentials by manipulating the bearer realm URL to redirect authentication requests to a...
CVE-2026-33540
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...
DEBIAN-CVE-2026-33540
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...
UBUNTU-CVE-2026-33540
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...
CVE-2026-33540
CVE-2026-33540 affects the Distribution toolkit. In prior releases (before 3.1.0) and in pull-through cache mode, it parses WWW-Authenticate challenges to discover token auth endpoints, taking the realm URL from a bearer challenge without validating it against the upstream host. An attacker-contr...
Blocking children from social media is a badly executed good idea
While we can probably all agree that there is more than enough proof that social media is bad for the mental health of our children, the methods we are trying to block or ban them seem to do more harm than good. Across the world, lawmakers are tripping over each other to be seen “doing something”...
zixem_challenges
No d...
Anduril Wants to Own the Future of War Tech. Mishaps, Delays, and Challenges Abound
From drones to missiles to submarines, the $30.5 billion defense startup wants to transform how the tools of war are made. It’s not all going as planned...
EUVD-2025-208717
Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6...
CVE-2025-69246 Lack of bruteforce protection in Raytha CMS
Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6...