Lucene search

20 matches found

Packet Storm News
added 2026/05/25 12:0 a.m., 8 views

FuzzPilot: Plateau-Triggered Recipe Validation for Structured Text Fuzzing

FuzzPilot is a controller for AFL++ that moves expensive reasoning out of the mutation hot path. When coverage plateaus, it snapshots the corpus, prepares candidate mutation recipes, evaluates them in short isolated AFL++ micro-campaigns, and promotes only recipes with positive validation reward...

5.8 AI score
Exploits: 0
Packet Storm News
added 2026/05/20 12:0 a.m., 6 views

VIPER-MCP: Detecting and Exploiting Taint-Style Vulnerabilities in Model Context Protocol Servers

Model Context Protocol (MCP) has emerged as a standard interface for connecting LLM agents to external tools. Because MCP servers expose privileged operations such as shell execution, network access, and file-system manipulation to agent-driven invocation, implementation flaws in tool handlers can...

6.4 AI score
Exploits: 0
Packet Storm News
added 2026/05/17 12:0 a.m., 4 views

ContraFix: Agentic Vulnerability Repair Via Differential Runtime Evidence and Skill Reuse

Large language model (LLM) agents are increasingly used for automated vulnerability repair (AVR), where repository-level reasoning enables them to inspect context and produce source-code patches. However, recent empirical results show that these agents still struggle with real-world vulnerabilities...

5.9 AI score
Exploits: 0
Packet Storm News
added 2026/05/13 12:0 a.m., 6 views

No Attack Required: Semantic Fuzzing for Specification Violations in Agent Skills

LLM-powered agents can silently delete documents, leak credentials, or transfer funds on a routine user request, not because the agent was attacked, but because the skill it invoked broke its own declared safety rules. We call these specification violations: benign inputs cause a skill to breach...

5.9 AI score
Exploits: 0
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-53527

Malicious code in bioql PyPI...

7.5 CVSS, 6.4 AI score, 0.00268 EPSS
Exploits: 0, References: 5
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 2 views

Malicious code in react-mutator (npm)

The package react-mutator was found to contain malicious code...

7 AI score
Exploits: 0
OSV
added 2025/08/14 6:52 p.m., 1 view

MAL-2025-25219 Malicious code in lg-mutator-mobile-ads (npm)

The package lg-mutator-mobile-ads was found to contain malicious code...

7.2 AI score
Exploits: 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 2 views

Malicious code in lg-mutator-mobile-ads (npm)

The package lg-mutator-mobile-ads was found to contain malicious code...

7 AI score
Exploits: 0
OSV
added 2025/08/14 6:52 p.m., 1 view

MAL-2025-31804 Malicious code in react-mutator (npm)

The package react-mutator was found to contain malicious code...

7.2 AI score
Exploits: 0
Github Security Blog
added 2025/02/06 6:31 a.m., 3 views

@stryker-mutator/util vulnerable to Prototype Pollution

A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload...

7.5 CVSS, 6.1 AI score, 0.00268 EPSS
Exploits: 0, References: 6, Affected Software: 1
OSV
added 2025/02/06 6:31 a.m., 2 views

GHSA-9J5Q-479X-43G2 @stryker-mutator/util vulnerable to Prototype Pollution

A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload...

7.5 CVSS, 6.1 AI score, 0.00268 EPSS
Exploits: 0, References: 6
vulnersOsv
added 2025/02/06 6:31 a.m., 1 view

@code-dungeon/yardstick (>=0.0.3 <=0.0.17), @kcutils/color (=0.2.0-rc.3) +39 more potentially affected by CVE-2024-57085 via @stryker-mutator/util (>=0.0.1 <=8.7.0)

@stryker-mutator/util NPM version =0.0.1, =0.0.3, =0.2.0-rc.0, =1.1.0, =1.0.0-alpha.3, =1.1.59, =1.0.0, =1.0.0, =5.2.0, =8.7.0 and more Source cves: CVE-2024-57085 Source advisory: OSV:GHSA-9J5Q-479X-43G2...

7.5 CVSS, 5.8 AI score, 0.00268 EPSS
Exploits: 0
NVD
added 2025/02/05 10:15 p.m., 10 views

CVE-2024-57085

A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload...

7.5 CVSS, 0.00268 EPSS
Exploits: 0, References: 1
Cvelist
added 2025/02/05 12:0 a.m., 11 views

CVE-2024-57085

A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload...

0.00268 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2025/02/05 12:0 a.m., 5 views

CVE-2024-57085

A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload...

7.4 AI score, 0.00268 EPSS
Exploits: 0, References: 1
CVE
added 2025/02/05 12:0 a.m., 69 views

CVE-2024-57085

CVE-2024-57085 affects the JavaScript library @stryker-mutator/util version 8.6.0, specifically the deepMerge function. A prototype pollution flaw in deepMerge can be triggered by a crafted payload, leading to Denial of Service (DoS). Some sources indicate an available PoC/ Exploitation in the wi...

7.5 CVSS, 6.8 AI score, 0.00268 EPSS
Exploits: 0, References: 1
Github Security Blog
added 2023/04/26 7:44 p.m., 14 views

Hop-by-hop abuse to malform header mutator

Impact Downstream services relying on the presence of headers set by the header mutator could be exploited. A client can drop the header set by the header mutator by including that header's name in the Connection header. Example minimal config: yaml - id: 'example' upstream: url:...

6.5 AI score
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2023/04/26 7:44 p.m., 16 views

GHSA-W9MR-28MW-J8HG Hop-by-hop abuse to malform header mutator

Impact Downstream services relying on the presence of headers set by the header mutator could be exploited. A client can drop the header set by the header mutator by including that header's name in the Connection header. Example minimal config: yaml - id: 'example' upstream: url:...

7 AI score
Exploits: 0, References: 2
Kitploit
added 2020/04/02 8:30 p.m., 94 views

Frida API Fuzzer - This Experimental Fuzzer Is Meant To Be Used For API In-Memory Fuzzing

This experimental fuzzer is meant to be used for API in-memory fuzzing. The design is highly inspired and based on AFL/AFL++. ATM the mutator is quite simple, just the AFL's havoc and splice stages. I tested only the examples under tests/, this is a WIP project but is known to work at least on...

7.4 AI score
Exploits: 0, References: 2
Kitploit
added 2013/10/12 5:25 p.m., 14 views

[Mutator v0.2.2.1] Wordlist mutator

This project aims to be a wordlist mutator with hormones, which means that some mutations will be applied to the result of the ones that have been already done, resulting in something like: corporation - C0rp0r4t10n2012 This software is useful when applied to a few words, like company name and/o...

7.1 AI score
Exploits: 0, References: 1