New directory traversal CVE!
CVE-2026-52752
nationalsecurityagency - ghidra
Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbitrary files outside the intended directory, enabling code execution.

RE: https://mastodon.social/@fj/116696838766743727

Anthropic Fable won't answer some prompts about cybersecurity or cryptography (falling back to Opus instead) but they will send engineers to the NSA to help them with offensive operations.

My biggest concern right now is that I only have 6 years to figure out how to use the three shells

You can care about nutrition and still eat cake at a birthday party.

You can be disciplined and still be fun.

Don’t confuse self-improvement with self-surveillance.

Don’t confuse certainty with wisdom.

And don’t confuse being a dick with courage.

https://www.joanwestenberg.com/p/just-be-normal-about-st

The simplest of all possible modifications to the original RoguePlanet.cpp (literally interchanging two letters in the source code) defeats the detection and re-enables the exploit in current, fully patched Windows 11 with Definition Update 1.453.20.0 installed.

New OpenSSL advisory:
https://openssl-library.org/news/secadv/20260609.txt

1 high, 5 medium, 12 low severity

The high (CVE-2026-45447) was explicitly noted as discovered with help from Claude.

What's more interesting is again the confirmation that vulnerabilities are increasingly identified independently by multiple people:

CVE-2026-34182 (independently found by 4 different people), CVE-2026-35188 (2), CVE-2026-9076 (2), CVE-2026-34181 (2), CVE-2026-42766 (4).

Critical vulnerabilities in Ivanti Sentry (CERT-EU Security Advisory 2026-008)

On 9 June 2026, Ivanti released a security advisory addressing two critical vulnerabilities in their Sentry products[1]. An attacker could exploit those flaws to achieve unauthenticated remote code execution on the vulnerable device.

https://www.cert.europa.eu/publications/security-advisories/2026-008/

Holy collisions batman:

@harrysintonen
> any competing AI assistant would have to be granted the same deep system reach as Siri AI, including the ability to read and send messages, make purchases and act across apps.

wouldn't it be great to have that kind of API accessible from a scripting language, or from some GUI "connect the blocks" automation engine?

Typed `id` on a stock Ubuntu Server. Default user already in the `lxd` group, which is root-equivalent.

Host root on every LTS from 20.04 to 26.04, sudo never entered. Bonus: a free AppArmor hardening downgrade for the whole box.

Vendor: won't-fix.

https://starlabs.sg/blog/2026/06-old-wine-in-a-new-bottle-a-decade-old-lxd-group-root-re-armed/

Our intern Tevel Sho and his mentor @cursered spent some time poking at Cisco ISE. 40+ bugs reported. 4 dupes. This dupe is RCE as root:
https://starlabs.sg/advisories/26/26-20147/

I employ a two-pronged defence against phishing:

First, I am so behind on reading my email that, by the time a phishing message actually gets read, the original scammers have probably had their site taken down, or maybe died of old age.

Second, I don’t know any of my passwords and, if your domain doesn’t match, my password manager won’t fill them, and I’m much too lazy to fill them manually, so will probably just close the window. If it looks important, I’ll flag the email and come back to it eventually. Maybe.

I'm really curious what the CVE graphs will look like once companies have to start paying to secure their own software. I find it hard to believe that companies with 10-20 people looking for 0day will spend $1M+/mo on Claude once they stop getting low hanging fruit?

Like I kinda thought Mythos was gonna include a suite of tools to help find security bugs, and the model would be to sell that tooling + mythos to companies? But instead it's just another chat bot lmao. People are going to get wildly different results based on their tooling