https://www.twitch.tv/curlhacker is live, the presentation starts in a few minutes

all the hackerone reports for the curl 8.21.0 vulnerabilities are now public

Keeping the Web Open and Private in the Bot Era

In which an AI peddler suggests that to solve the bot problem we should perhaps enact some funky workaround that involves such reputable companies and projects like Cloudflare, Mozilla Firefox, Google Chrome, and Microsoft Edge (all of them ran by companies staunchly resisting the root cause of the Crawler problem: AI).

If we'd all just use PACT, we would be able to efficiently block the bots! Except, of course, if you're running an unsupported browser, and have not sent enough signals back home that you're a human.

But sure, sure. Lets use a klunky workaround that doesn't exist, wouldn't work, instead of addressing the problem in the first place.

How utterly predictable, how utterly disappointing nevertheless.

#algernonReviewsHackerNews

Common PKCS#7 / CMS parsing issues in OpenSSL, WolfSSL, Bouncy Castle, & GnuPG

https://blog.calif.io/p/how-to-format-a-ciphertext

From this oss-sec thread:
https://seclists.org/oss-sec/2026/q2/1000

CVE-2026-34182 CVE-2026-5500

This is a fun one :)

[CVE-2026-50160] Hoppscotch: Unauthenticated JWT Secret Overwrite

https://seclists.org/oss-sec/2026/q2/1007

"The POST /v1/onboarding/config endpoint allows an unauthenticated attacker to inject arbitrary InfraConfig keys including JWT_SECRET and SESSION_SECRET"

RE: https://rivals.space/@fedilucie/116795256258407496

I heard Joe Armstrong give a talk for forty minutes once and I walked out permanently converted to this way of thinking. Use queues. Queues only. NULL was not a billion-dollar mistake, NULL can be made sanitary. Memory-sharing multithreading was the billion dollar mistake.

New vulnerability report from Talos:

GeoVision GV-VMS V20 GV-Cloud memory corruption vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2026-2411

CVE-2026-12488

My client is a caregiver to their mother, who has little access to short term memory. My client explains that the tv has just updated and reorganized its Home Screen. She knew how to access her shows on the old Home Screen. Now, every time she powers up the tv, she’s deluged with ads and trending slop and has to relearn how to use the device to find her shows, from scratch, as if starting over again for the first time. This is now a nightly half-hour ordeal. The update was mandatory. They were never given an option to keep the system she knew.

Chopping vegetables has worked the same way for fifty thousand years. Why do these assholes think they have the right to change how a tv works?

#MoveSlowAndFixThings

We updated our public report repository and there is now lots of new material.

Here you are, meanwhile 253 pentest reports, summary reports and papers:

https://github.com/cure53/Publications/tree/master#publications

Microsoft's 6-year-old Zerologon patches use AES-CFB8 incorrectly. The novel Onelogon attack provides two ways to take over a vulnerable AD account in apx 30 minutes. #AESCFB8fail #WONTFIX https://softsec.link/woot26.onelogon @al3x-n3ff.bsky.social @hlt @cao

@opencollective is following @bagder's "summer of bliss" initiative: we are pausing our security bounty program for the summer.

We are also considering adding a rule when we come back to limit the number of paid reports per researcher per week: we'll only pay for the first 3 reports. We hope this will encourage people to prioritize meaningful reports and cut down on the sloppy stuff.

First, cookie banners are not "perceived as excessive EU regulation", but as bad and unenforcable (unenforced?) regulation. There is a difference!

"the tracking industry is so terrified of consumers being able to simply say ‘no’ that, after a bit of lobbying, everyone gives in." -> if you expect the corporations to behave irrationally (i.e. not lobbying for their interests), you are going to have a bad time - as demonstrated by cookie banners. Why not put pressure on those in the EU who were bought by Google and Meta?

@noybeu

RE: https://mastodon.social/@noybeu/116798116428582650

I'm sorry.

With about $180 of off-the-shelf hardware, HotWire https://sickcell6000.github.io/HotWire/ steals charging billed to victims, and drains an EV's batteries until they won't start - demonstrated on production cars and live public charging networks.
Paper and presentation at WOOT'26.
Preprint: https://sickcell6000.github.io/HotWire/2026_WOOT_paper_HotWire.pdf

OpenAI shipped a telemetry system that logs more than the actual work being done. Codex burning through SSDs at a rate of ~640 TB/year – one user hit 37 TB written in 21 days. On a consumer SSD
that’s full drive death in under a year. https://github.com/openai/codex/issues/28224

Every iPhone with an A12 or A13 chip - XS/XR, 11, 2020 SE - has an unpatchable SecureROM exploit. The root bug is in Synopsys’s USB controller, and is exploitable. Requires physical access. Solution: buy a new iPhone. https://ps.tc/pages/blog-usbliter8.html

In the last years, I wrote up some of the advice I often found myself giving to other founders, and a general list of lessons I learnt doing two companies, zynamics and optimyze. The full article - still work-in-progress - is here:

https://thomasdullien.github.io/guides/entrepreneurship/

New Cisco RCE was fixed https://ssd-disclosure.com/cisco-unified-communications-manager-arbitrary-file-write-to-rce/

[RSS] Apple Container Internal[s]

https://u1f383.github.io/container/2026/06/23/Apple-Container-Internal.html