CyberGym-E2E: Scalable Real-World Benchmark for AI Agents' End-To-End Cybersecurity Capabilities

AI has the potential to transform cybersecurity by enabling systems that can autonomously detect, analyze, and remediate software vulnerabilities. However, existing cybersecurity evaluations of AI systems are limited in scale or scope, and fail to capture the end-to-end lifecycle of real-world...

Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software

Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most "systemically" important software across the world since the cybersecurity initiative went live last month. Project Glasswing is a defensive...

neo-pocs

neo-pocs Containerized proof-of-concept packages for reviewed...

PT-2026-37347

Name of the Vulnerable Software and Affected Versions Oracle Macaron Tool version 0.22.0 Description An unauthenticated attacker with network access via HTTP can compromise the Oracle Macaron Tool. This issue allows the attacker to bypass host address validation, which is the process of verifying...

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply...

OSS-CRS: Liberating AIxCC Cyber Reasoning Systems for Real-World Open-Source Security

DARPA's AI Cyber Challenge AIxCC showed that cyber reasoning systems CRSs can go beyond vulnerability discovery to autonomously confirm and patch bugs: seven teams built such systems and open-sourced them after the competition. Yet all seven open-sourced CRSs remain largely unusable outside their...

Automatic, Expressive, and Scalable Fuzzing with Stitching

Fuzzing is a powerful technique for finding bugs in software libraries, but scaling it remains difficult. Automated harness generation commits to fixed API sequences at synthesis time, limiting the behaviors each harness can test. Approaches that instead explore new sequences dynamically lack the...

Is Vibe Coding Safe? Benchmarking Vulnerability of Agent-Generated Code in Real-World Tasks

Vibe coding is a new programming paradigm in which human engineers instruct large language model LLM agents to complete complex coding tasks with little supervision. Although it is increasingly adopted, are vibe coding outputs really safe to deploy in production? To answer this question, we propo...

All You Need Is a Fuzzing Brain: an LLM-Powered System for Automated Vulnerability Detection and Patching

Our team, All You Need Is A Fuzzing Brain, was one of seven finalists in DARPA's Artificial Intelligence Cyber Challenge AIxCC, placing fourth in the final round. During the competition, we developed a Cyber Reasoning System CRS that autonomously discovered 28 security vulnerabilities - including...

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies. Last year, 74 vulnerabilities were classified as trending to compare the scale, just over 40,000 were added to NVD in 2024. All trending vulnerabilities are found in Western commercial products and...

GHSA-HMG8-H7QF-7CXR

creationtimestamp| type| source ---|---|--- 2025-01-14 17:04:36+00:00| seen| https://github.blog/open-source/git/git-security-vulnerabilities-announced-5/ 2025-01-14 19:11:33+00:00| published-proof-of-concept| https://t.me/DarkWebInformerCVEAlerts/1589...

zero-day

Zero-Day Vulnerabilities in Open-Source Projects This reposi...

ArtiPACKED Flaw Exposed GitHub Actions to Token Leaks

Discover how GitHub Actions artifacts leak sensitive authentication tokens, exposing popular open-source projects to security risks. Learn about…...

CISA and Partners Release Guidance for Exploring Memory Safety in Critical Open Source Projects

Today, CISA, in partnership with the Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre, and Canadian Cyber Security Center, released Exploring Memory Safety in Critical Open Source Projects. This guidance was crafted to provide organizations with...

Trellix Advanced Research Center patches 61,000 vulnerable open-source projects

Trellix Advanced Research Center Patches 61,000 Vulnerable Open-Source Projects By Trellix · January 23, 2023 This blog was written by Douglas McKee Late last year, the Trellix Advanced Research Center team uncovered a vulnerability in Python’s tarfile module. As we dug in, we realized this was...

Trellix Advanced Research Center patches 61,000 vulnerable open-source projects

Trellix Advanced Research Center Patches 61,000 Vulnerable Open-Source Projects By Trellix · January 23, 2023 This blog was written by Douglas McKee Late last year, the Trellix Advanced Research Center team uncovered a vulnerability in Python’s tarfile module. As we dug in, we realized this was...

A scanning tool for open-sourced software packages? Yes, please!

The Open Source Security Foundation OpenSSF, a collective of industry leaders aimed at improving the security of open-source software OSS, recently announced the release of a prototype tool that scans for malicious packages in open source repositories. This tool, conveniently called Package...

Don't be afraid of XXE vulnerabilities: understand the beast and how to detect them

Today XML External Entities XXE vulnerabilities are still ubiquitous, despite the fact that recommendations to protect against them have been an integral part of security standards for years. In this post, the first in a series of three blog posts, we will try to demystify XXE vulnerabilities and...

Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects

Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks. The issue — tracked as CVE-2021-41077 — concerns unauthorized...

Etherpad 1.8.13 - Code Execution Vulnerabilities

Etherpad is one of the most popular online text editors that allows collaborating on documents in real-time. It is customizable with more than 250 plugins available and features a version history as well as a chat functionality. There are thousands of instances deployed worldwide with millions of...