CVE-2025-56005 - If you pass untrusted data in the `run_this_code` parameter of bar() of library foo then untrusted code gets executed. This is a vulnerability, because it's not documented that `run_this_code` will run code.

Developer resigned:
https://github.com/dabeaz/ply/commit/9d7c40099e23ff78f9d86ef69a26c1e8a83e706a

#cve #slop #FOSS

I took a slip from my tea mug. It wasn't the rum I expected.

I'm deeply disappointed.

Have we considered suggesting DNS-over-ChatGPT yet?

With TikTok now going to be owned by Larry Ellison and Emerati MGX/G42, the concerns about it being used as a government propaganda machine really are totally put to rest. Phew!

(My hope remains that this move will ruin the product and the kids will move on.)

Microsoft is handing over Bitlocker keys to law enforcement. https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

🚩✊ Friday is Dependency Deletion Day! Today on the chopping block: whatever library you use to encode and decode Base64. Nowadays Uint8Array has built-in toBase64() and fromBase64() methods that support all the flavors you can think of: with or without padding, with or without URL safety… no more need for that crusty old dependency! Free your node_modules, use native Base64 APIs!

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array/toBase64

[RSS] Firefox / WebRTC Encoded Transforms: UAF via undetached ArrayBuffer / CVE-2025-1432

https://aisle.com/blog/firefox-webrtc-encoded-transforms-uaf-via-undetached-arraybuffer-cve-2025-14321

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

https://apply.workable.com/portswigger/j/FC27ED6166/

@singe Right? I'm also glad we have oss-sec where these discussions can actually happen! I always recover some of my hope for humanity when Solar Designer enters even the most ridiculous thread in the most polite and level-headed way.

[RSS] Dead Ends, Red Herrings, and Failures In Our Time

https://www.hoyahaxa.com/2026/01/dead-ends-red-herrings-and-failures-in.html

(ColdFusion research #fail)

[RSS] Pwn2Own Automotive 2026 - Day Three Results and the Master of Pwn

https://www.thezdi.com/blog/2026/1/23/pwn2own-automotive-2026-day-three-results-and-the-master-of-pwn

90% of the time you don’t need a DevOps guy.

You need a C++ guy, a SQL guy, and one fat server with a lot of ram.

StackOverflow used to run on *one* SQL Server with a hot spare.

Peaked Alexa Rank #36, 10+ Million visits a day.

@mousey @jpm @Viss

@adamshostack This is the same "smell" I mention: it's likely not just Telnet, meaning that sniffing (which can absolutely happen, just not as often as e.g. admin:admin) is probably pretty low on the priority list. I've also seen higher prio bugs like this finally pushing teams to get rid of the nasty stuff altogether, but that's not always possible (vendor lock-in on critical systems yaay).

@adamshostack I've been hunting for unencrypted services (among other things) on LANs for 15+ years and Telnet is still there. Yet the only real-world incident involving network interception I can recall post-2010 is "SSL added and removed here" of Snowden fame (happy to hear about more!), while auth bypasses/RCEs are common culprits in breaches.

Telnet has an awful smell for sure, but when you sit on a smelly network, it's reasonable to ask: "would attackers actually exploit this?" A bypass like this changes the answer.

[LWN] Responses to gpg.fail

https://lwn.net/SubscriberLink/1054220/c6f98b90a009fca2/

Rust 1.93.0 now provides much more helpful error messages when associated types miss lifetimes:

Thanks again to @ekuber for picking up my original report:

https://github.com/mainmatter/100-exercises-to-learn-rust/issues/245

[RSS] Ticket to Shell: Exploiting PHP Filters and CNEXT in osTicket (CVE-2026-22200)

https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/

@codewhitesec @mwulftange Thanks for the clarification, nice work!

@buherator Our @mwulftange found the two vulns (auth bypass and rce) weeks ago and we informed the vendor. Build 9511 on 2026-01-15 patched those vulns. We updated our vuln list today after all our clients had patched their systems. Anything else happened independently.