"I'm interested in all kinds of astronomy."
[RSS] RCE and arbitrary file write in Vitess vtbackup via untrusted MANIFEST fields

https://neurowinter.com/security/2026/05/18/RCE-and-arbitrary-file-write-in-Vitess-vtbackup-via-untrusted-MANIFEST-fields/

Did you hear about Optical Line Terminals? ISPs rely on them to build their service networks, but what if they are vulnerable?
Here @coiffeur0x90 shows how attackers could compromise entire ISPs by exploiting them and cloud-based fleet management software
https://blog.quarkslab.com/how-olts-may-have-exposed-entire-isp-networks.html


There's another Linux LPE (of course):
pintheft

Sadly, the RDS kernel module this requires is only default on Arch Linux among the common distributions we tested.

CVE unknown.


New blog post on "Proofs and Intuitions": On the Unreasonable Effectiveness of Property-Based Testing for Validating Formal Specifications.

https://proofsandintuitions.net/2026/05/18/property-based-testing-specifications/

The gist: randomised testing can validate formal specs. It's very cheap and powerful: we found bugs in specs of VERINA and CLEVER benchmarks.


Today is L0pht Day. In 1998 7 hackers in suits told the US Senate the internet was a house of cards. We said we could take it down in 30 minutes. They looked at us like we'd landed from another planet.

28 yrs later, the gap between what the security community knows and what decision-makers act on remains a fundamental problem.

Miss you, Peter Neumann. He testified that day too, with decades of hard-earned wisdom. We owe him.

The work isn't done. It never was.


You're probably not gonna like this, yet might have somewhat anticipated it...

We are seeing a stark influx in requests to audit vibe-coded cryptography.

So, vibe-crypto is a thing and will be one for a while.

Do what now?


As promised - full blog post is live for CVE-2026-40369
Covers everything: initial research, methodology, the exploitation path, caveats, cleanups, etc. The whole journey from finding it to production-grade exploit:

https://pwn2nimron.com/blog
https://bird.makeup/users/orinimron123/statuses/2054672170068918348


Count Dracula was 412 when he moved to England in search of new blood.

Sauron was 54,000 years old when he forged The One Ring.

Cthulhu had seen galaxies flare into life and fade to darkness before he put madness in the minds of men.

It's never too late to follow your dreams!


New blog post: Vulnerability Spotlight - CVE-2023-32692.

Learn about the remote code execution vulnerability in CodeIgniter4 and try out our Dev-Container based test environment to follow along!

https://mogwailabs.de/en/blog/2026/05/vulnerability-spotlight-cve-2023-32692/


DOMPurify XSS via `selectedcontent` re-clone

https://github.com/cure53/DOMPurify/security/advisories/GHSA-87xg-pxx2-7hvx

This is one of the most interesting bypasses we have seen in a long time, and it feels that this new HTML element will cause lots of trouble in the future.

[RSS] The Biometric AuthToken Heist: Cracking PINs and Bypassing CE via a Long-Ignored Attack Surface

https://www.darknavy.org/blog/the_biometric_authtoken_heist/
[RSS] Instrumenting QT6 desktop apps with Frida - Part 1

https://blog.samanl33t.com/writings/0x0003-frida-on-qt6-part-1/
[RSS] Hack the Elephant One Bite at a Time: JPEG-Related Memory-Safety Bugs in PHP

https://swarm.ptsecurity.com/hack-the-elephant-one-bite-at-a-time-jpeg-related-memory-safety-bugs-in-php/
[RSS] HDD Firmware Hacking Part 1

https://icode4.coffee/?p=1465
[RSS] Exploiting Toshiba Qiomem.sys vulnerable driver

https://valium007.github.io/posts/toshiba-vuln/

The Nightmare-Eclipse repo clearly credits James Forshaw with the CVE-2020-17103 vulnerability that MiniPlasma is based off of.

Did Nightmare-Eclipse modify MiniPlasma to use a variant of CVE-2020-17103 that still works on modern Windows, which surely contains the fix?

NO. MiniPlasma IS the PoC from the GPZ write-up, but with a minor tweak to do something (LPE).

Why does it work on current Windows?
Well, instead of fixing CVE-2020-17103, they decided to break the PoC instead. And yeah, with Win10 Dec 2020 and Win11 RTM, the GPZ PoC doesn't work.

But somewhere between Win11 RTM and 22H2 (I have neither the VM snapshots nor the patience to determine when exactly), whatever thing Microsoft did to break the CVE-2020-17103 PoC regressed. And because it wasn't a fix, surely Microsoft had no regression test to detect that the fix was no longer present.

So here we are. MiniPlasma is the GPZ PoC, but modified slightly to achieve LPE by way of Volatile Environment and wermgr.exe instead of creating DEMODEMO in the registry.

Since Microsoft didn't bother fixing CVE-2020-17103, will CVE-2020-17103 simply be updated with the MiniPlasma recognition that it wasn't actually fixed in December 2020? Get real. This will surely get a new CVE, as CVEs are for Microsoft updates, not vulnerabilities. 😂
