"I'm interested in all kinds of astronomy."

Earlier this month, we reported a zero-day auth. bypass in the SmarterTools SmarterMail email solution.

Someone has reversed the patch (released on 15th Jan) and begun exploiting it in the wild.

Read our analysis and please, ASSUME BREACH + PATCH NOW.

https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/


is RFC 9116 compliant

https://curl.se/.well-known/security.txt


[RSS] [reddit] Do any security researchers use Anki or spaced repetition in their workflow?

https://old.reddit.com/r/ExploitDev/comments/1qjjn3q/do_any_security_researchers_use_anki_or_spaced/
[RSS] Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass) - watchTowr Labs

https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
getting things merged into Ghidra

RE: https://chaos.social/@weirdunits/115937461017927780

TrendAI Zero Day Initiative

Whew! They had to swap out the master control board during the attempt, but Hank Chen of InnoEdge Labs successfully demoed their exploit of the Alpitronic HYC50 in Lab Mode. Using screwdrivers during an attempt is always crazy to see. He's off to disclose what occurred.

@mttaggart @gdupont This whole thing reminds me of kids playing war games on the playground. they are playing "revolution" now. they heard revolutions need constitutions, and they happen to have these text writing toys and potato stamps so they worked *really* hard to produce a "constitution" that they can show their shareho^W parents and the enemy kids over at the sandbox.
@lazyb0y ...until you try to touch it :)

Remember "don't print this email" in signatures that was a bit cringe? It doesn't feel that cringe anymore in retrospect. I'm doing an experiment now with this new email signature :D Anyone doing something similar? Could it catch on?


Today's threads (a thread)

Inside: Google's AI pricing plan; and more!

Archived at: https://pluralistic.net/2026/01/21/cod-marxism/

1/


After auditing the @mullvadnet client applications in 2024, we have recently audited Mullvad VPN's API.
The API is used by clients, partners, and internal services to manage user accounts and parts of the VPN infrastructure.
Five issues were identified, of which only one had a very limited impact on users of the service.

The technical details may be found in our report. https://www.x41-dsec.de/security/research/news/2026/01/20/mullvad/


Last December I solved Synacktiv's 2025 Winter Challenge: Quinindrome https://www.synacktiv.com/en/publications/2025-winter-challenge-quinindrome . Here is an 81-byte Linux program which is both a quine (it prints itself when executed) and a palindrome (it is symmetrical)! To learn how I achieved it: https://github.com/fishilico/synacktiv-winter-chall-2025-quinindrome/blob/main/writeup.md

[RSS] Windows Internals: Check Your Privilege - The Curious Case of ETW's SecurityTrace Flag

https://connormcgarr.github.io/securitytrace-etw-ppl/
I feel I have this instinct to feed programs data that they won't be able to handle.

Unfortunately this is mostly true for tools I'd like to use, not targets I review.
Humble request for vibe-coders: report your runtime errors!

LLM tends to insert Pokémon exception handlers everywhere, making problems (of which vibe-code has a *lot*) hard to even notice.

Slightly related illustration: