Not a single one of the cells that compose you knows who you are, or cares.
Starred Articles
We document an elegant exploit chain involving DOM clobbering, gadget usage and a CSP bypass, ultimately achieving XSS execution.
This post demonstrates how LLMs and pyghidra-mcp accelerate reverse engineering by tracing a use-after-free vulnerability in Windows’ Common Log File System (CLFS) through a patch diff, showing how AI maintains momentum in complex analysis.
In this article, we explore how to identify and exploit postMessage vulnerabilities in modern web applications, ranging from basic origin validation bypasses to advanced DOM XSS chains that exploit insecure message handlers.
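The "basic origin validation bypasses" mentioned above come down to how a handler compares `event.origin`. The following is an added example, not code from the linked article: three origin checks that look reasonable and one that is actually correct, run against a set of constructed attacker-hostable origins, plus a handler skeleton that applies the strict check before touching the message. The trusted origin `https://app.example.com` and the probe origins are illustrative assumptions.

```javascript
// Added example: origin checks commonly seen in postMessage handlers.
// The trusted origin and all probe origins below are constructed for
// illustration; they are not from the article.
const TRUSTED = "https://app.example.com";

// Weak check 1: substring match. "app.example.com" also appears inside
// an attacker-registered hostname such as app.example.com.evil.net.
function allowBySubstring(origin) {
  return origin.indexOf("app.example.com") !== -1;
}

// Weak check 2: unanchored regex with an unescaped dot. Nothing pins the
// end of the host, and "." matches any character, so both
// app.example.com.evil.net and appxexample.com pass.
function allowByRegex(origin) {
  return /^https:\/\/app.example.com/.test(origin);
}

// Weak check 3: prefix match. The trusted origin is a prefix of
// https://app.example.com.evil.net, so that origin passes too.
function allowByPrefix(origin) {
  return origin.startsWith(TRUSTED);
}

// Correct: event.origin is exactly scheme://host[:port] with no path, so
// the right comparison is strict equality against an explicit allowlist.
const ALLOWED = new Set([TRUSTED]);
function allowStrict(origin) {
  return ALLOWED.has(origin);
}

// Constructed probes. Each is an origin an attacker can host or, for the
// http:// one, reach via an on-path downgrade; "null" is what an opaque
// origin (sandboxed iframe, data: URL) reports.
const PROBES = [
  "https://app.example.com",
  "https://app.example.com.evil.net",
  "https://appxexample.com",
  "http://app.example.com",
  "null",
];

// Returns the probes a given check lets through.
function evaluate(check) {
  return PROBES.filter(check);
}

// A handler that does the checks in the right order: strict origin check,
// then schema validation of event.data, then hand the value to a renderer
// that must use a non-HTML sink (textContent, not innerHTML).
function makeHandler(render) {
  return function onMessage(event) {
    if (!allowStrict(event.origin)) return false;
    const d = event.data;
    if (typeof d !== "object" || d === null) return false;
    if (d.type !== "greet" || typeof d.name !== "string") return false;
    render(d.name);
    return true;
  };
}
```

In a browser the handler is registered with `window.addEventListener("message", makeHandler(name => el.textContent = name))`; the `evaluate` helper exists only so the difference between the checks can be seen without a browser.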
New Articles
The Windows Event Logging Service contains a bug (use of uninitialized memory) that sometimes results in recently deleted (cleared) log entries being written into other, unrelated *.evtx journal files. This post discusses the conditions under which this happens and how the deleted event log entries can be retrieved through this bug.
A deep dive into CVE-2026-25049 in n8n enabling RCE via JavaScript destructuring, public webhooks, PoC, impact, and mitigations.
A technical teardown of a 1-click RCE against OpenClaw. We detail how a settings logic flaw and a WebSocket pivot turn a single webpage visit into token exfiltration, safety-control bypass, and arbitrary command execution.
A local user on the CentOS 9 operating system can trigger a use-after-free, which in turn can be used to elevate to root privileges.
A technical step-by-step writeup about finding CVE-2025-13292, a cross-tenant vulnerability in Google Cloud's Apigee. This vulnerability allowed an attacker to gain read/write access to verbose cross-tenant access logs and analytics data that could contain access tokens of end users.
CrashFix crashes browsers to coerce users into executing commands that deploy a Python RAT, abusing finger.exe and portable Python to evade detection and persist on high-value systems.
Quest Desktop Authority RCE Named Pipe
02/02/2026
Quest KACE Desktop Authority exposes a named pipe, running as SYSTEM, that accepts connections from any authenticated domain user over the network. As a result, any authenticated user on the network can achieve remote code execution as a local administrator on hosts running the Desktop Authority agent.
We identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor, which we have dubbed Chrysalis.
AppLocker Rules Abuse
02/02/2026
We explain how threat actors could abuse AppLocker by deploying rules that prevent EDR processes from executing, allowing them to run arbitrary commands and software on the asset without interference from the EDR.
ConsentFix (a.k.a. AuthCodeFix)
01/29/2026
We walk through the ConsentFix (a.k.a. AuthCodeFix) attack mechanics and cover mitigation and detection strategies.
We demonstrate how four layers of authentication in a production anti-cheat driver still hand you a complete BYOVD toolkit.
Exploiting CVE-2025-49825
02/02/2026
A small investigation into the vulnerability, root cause and exploitation of CVE-2025-49825, an authentication bypass vulnerability in Teleport.
We detail how to prevent IDOR vulnerabilities in Rails applications by changing the authorization approach: scoping queries through associations instead of looking records up globally. We also explain the security risks of using unscoped versus unscope in ActiveRecord.
CVE-2025-11730: Remote Code Execution via DDNS configuration in ZYXEL ATP/USG Series (V5.41)
02/05/2026
A critical vulnerability in Zyxel firewalls allows remote command execution with root privileges through improper input sanitization in the Dynamic DNS (DDNS) configuration. By injecting shell commands into a user-controlled URL parameter, an authenticated attacker can exploit the internal execution of curl to achieve full system compromise.
TrustedSec
02/05/2026
A full review of JWT concepts, implementation, attack surface and flaws exploitation.
We found a security flaw in the extremely popular Openclaw AI assistant. The flaw allowed malicious websites to abuse its browser relay server and steal cookies from other tabs open in the same browser.
Oldies but Goodies
I stumbled over a malicious driver called Netfilter that somehow ended up legitimately signed by Microsoft. In this article we will reverse it, see how the threat actors slipped through, and learn what Microsoft tightened afterward.
In this blog post, we’ll be covering Microsoft Warbird and how we can abuse it to sneakily load shellcode without being detected by AV or EDR solutions. We’ll show how we can encrypt our shellcode and let the Windows kernel decrypt and load it for us using the Warbird API.