Hardening Agent Benchmarks with Adversarial Hacker-Fixer Loops

Agent benchmarks score submissions with outcome verifiers that are typically hand-written and brittle, leaving them open to reward hacking. We audit 1,968 tasks across five terminal-agent benchmarks and find 323 16% hackable by frontier models given only the task description. This corrupts both...

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions prior to Concrete CMS 9.5.0 contained security vulnerabilities. These vulnerabilities stemmed from the User Profile Editing controller, which passed the entire original POST array to UserInfo::update...

Hallucination As Exploit: Evidence-Carrying Multimodal Agents

Multimodal agents use screenshots, documents, and webpages to choose tool calls. When a false visual claim triggers a click, email, extraction, or transfer, hallucination becomes an authorization failure rather than an answer-quality error. We formalize this failure mode as hallucination-to-actio...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the logic reversal in the length check for the RESPONSE verifier in the rxgkverifyresponse...

CVE-2026-41213

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid codeverifier values including one-character strings for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the...

CVE-2026-33544

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations GenericOAuthService, GithubOAuthService, GoogleOAuthService store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent...

CVE-2026-33544

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations GenericOAuthService, GithubOAuthService, GoogleOAuthService store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent...

Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Summary All three OAuth service implementations GenericOAuthService, GithubOAuthService, GoogleOAuthService store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider...

Shrinking the Generation-Verification Gap with Weak Verifiers

Verifiers can improve language model capabilities by scoring and ranking responses from generated candidates. Currently, high-quality verifiers are either unscalable e.g., humans or limited in utility e.g., tools like Lean. While LM judges and reward models have become broadly useful as...

Parallel Repetition for Post-Quantum Arguments

In this work, we show that parallel repetition of public-coin interactive arguments reduces the soundness error at an exponential rate even in the post-quantum setting. Moreover, we generalize this result to hold for threshold verifiers, where the parallel repeated verifier accepts if and only if...

Violin : Magical Bow - Customized SSL, Exported ContentProvider, Redefined SSL Common Names verifier vulnerabilities

HackApp vulnerability scanner discovered that application Violin : Magical Bow published at the 'play' market has multiple vulnerabilities...

FreeBSD : DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust (a537b449-2b19-11e2-b339-90e6ba652cce)

US-CERT reports : DomainKeys Identified Mail DKIM Verifiers may inappropriately convey message trust when messages are signed using test or small bit signing keys. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the...

DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust

US-CERT reports: DomainKeys Identified Mail DKIM Verifiers may inappropriately convey message trust when messages are signed using test or small bit signing keys...