Archive

Research

56 pieces of security research, engineering and field notes.

citrix7 min read

CVE-2026-3055 gives unauthenticated attackers a read window into NetScaler memory

CVE-2026-3055, a CVSS 9.3 memory overread in Citrix NetScaler ADC and Gateway configured as SAML IDPs, is drawing active reconnaissance. Attackers are probing authentication endpoints to identify vulnerable appliances.

LightRAG's Memgraph backend had a Cypher injection vulnerability hiding in plain sight
vulnerability7 min read

LightRAG's Memgraph backend had a Cypher injection vulnerability hiding in plain sight

LightRAG's Memgraph storage backend interpolated unsanitised entity types directly into Cypher queries, enabling injection via the API. The Neo4j backend was already fixed.

f57 min read

CVE-2025-53521 lands in CISA's KEV catalog: F5 BIG-IP RCE under active exploitation

CISA added CVE-2025-53521 to the Known Exploited Vulnerabilities catalog on 27 March 2026 after confirming active exploitation of this CVSS 9.8 RCE in F5 BIG-IP. Affected versions span three major branches.

security12 min read

Environment variables are the new command line: how AI agents keep leaking secrets through configuration files

AI agent frameworks and deployment tools keep shipping the same environment variable injection patterns that operational tooling solved years ago. The gptme fix was one project. The pattern is everywhere.

A single index change bypassed daily_stock_analysis's entire rate limiter
vulnerability7 min read

A single index change bypassed daily_stock_analysis's entire rate limiter

A self-hosted stock analysis platform trusted the leftmost X-Forwarded-For entry for rate limiting, letting attackers rotate IPs and brute-force the admin login at will.

cloud-security9 min read

Stryker lost tens of thousands of devices without a single piece of malware

Attackers compromised Stryker's Microsoft Entra credentials and used Intune to remotely wipe tens of thousands of employee devices. No malware was deployed. CISA responded with an emergency hardening advisory.

TeamPCP compromised the AI proxy that holds everyone's API keys
security9 min read

TeamPCP compromised the AI proxy that holds everyone's API keys

LiteLLM, the universal LLM proxy with 95 million monthly downloads, was backdoored on PyPI for 46 minutes. It was enough.

vulnerability7 min read

PraisonAI let YAML config files set LD_PRELOAD and nobody checked

PraisonAI's schedule config YAML could set LD_PRELOAD, PATH and 26 other dangerous environment variables with no validation. The fix adds a blocklist and fail-closed validation.

security12 min read

Git tags, package registries and extension marketplaces share the same broken authentication model

Git tags, package registries and AI extension marketplaces all share the same authentication failure - and attackers have noticed the pattern before defenders did.

vulnerability8 min read

gptme was passing API keys on the command line where any user could read them

gptme's evaluation runner passed API keys as Docker CLI arguments, exposing them to every user on the system via ps or /proc. The fix took one file and five tests.

Hermes Agent's worktree feature copied arbitrary files from your filesystem
security7 min read

Hermes Agent's worktree feature copied arbitrary files from your filesystem

Hermes Agent's worktree feature would copy arbitrary files from your filesystem if you cloned a repository with a crafted .worktreeinclude. A two-line path traversal that took four months to land in the codebase.

security7 min read

Summarize's localhost daemon accepted requests from any website

A popular summarisation tool trusted every browser origin that asked. Fixing it meant thinking about who should be allowed to talk to your localhost.