10/06/2026Why you should not use JavaScript sandboxThe maintainers of vm2 have been honest about the limitations of vm2. They have been explicit that new bypasses are...
19/05/2026React2Shell (CVE-2025-55182): Exploitation Flow and Secure Coding LessonsWe already discussed the impact of React2Shell in our previous blog post and also created an Incident Response challenge that...
01/04/2026Two Incomplete Fixes for a Path Traversal Vulnerability in ONNX (CVE-2026-27489)Some vulnerabilities are patched once and forgotten. Others keep coming back because each fix only addresses the symptom rather than...
24/03/2026Dangerous by Default: What OpenClaw CVE Record Tells Us About Agentic AIYour AI assistant just received a WhatsApp message. It ran a shell command. Then it wrote new code and executed...
17/02/2026LangChain load() is basically eval()The patch for LangChain vulnerability CVE-2025-68665 disables loading secrets from environment variables by default, and introduces an escape wrapperβ¦
15/01/2026Three Secure Coding Lessons from A Log Injection Bug in DjangoIn June 2025, a vulnerability (CVE-2025-48432) was discovered in Django that allowed remote adversaries to tamper with log output by...
24/10/2025CVE-2025-46417: Bypassing AI Model Scanners and Exfiltrate Sensitive DataIn April 2025, we disclosed a high risk vulnerability in picklescan. The vulnerability, tracked as CVE-2025-46417. It allows attackers to...
04/09/2025AI and Secure Code Learning: An Empirical Analysis of 420 AI-Generated Security FixesA research study comparing click-on (instant lookup) vs key-in (manual typing) digital dictionaries found that easier look up methods reduced...
23/07/2025CVE-2025-29927 - Next.js VulnerabilityOverview In March 2025, security researchers Rachid Allam and Yasser Allam publicly disclosed a critical vulnerability identified as CVE-2025-29927,β¦