CTFs Are Not Dead, They’re Just Growing Up
2026-04-11
Are LLMs killing CTFs? Or are they just forcing them to evolve? Exploring the new landscape of cybersecurity competitions.
888 words
|
4 minutes
CVE-2026-0540: How a CTF Detour Led Us to a DOMPurify mXSS - Daft
2026-03-29
A detailed write-up of the DOMPurify mXSS we found during a CTF detour, affecting 3.1.3 through 3.3.1 and fixed through a small patch series in 3.3.2.
1075 words
|
5 minutes
CVE-2025-15265: Svelte Hydratable Key SSR XSS - Lydian
2026-03-17
A technical write-up of the Svelte async SSR XSS I discovered in hydratable() key serialization, affecting versions 5.46.0 through 5.46.3.
799 words
|
4 minutes
CVE-2025-67635: Unauthenticated DoS in the Jenkins CLI full-duplex endpoint
2025-12-12
[Race conditions](https://db.fluidattacks.com/wek/124/) and missing timeouts in Jenkins' plain CLI endpoint let anyone exhaust servlet threads without Overall/Read.
1150 words
|
6 minutes
CVE-2025-9624: Nested Boolean/Disjunction Asymmetric DoS in Amazon's OpenSearch query_string - Chick
2025-11-25
How I found CVE-2025-9624, an asymmetric Denial of Service in Amazon's OpenSearch's query_string handling, and how it was fixed with search.query.max_query_string_length.
662 words
|
3 minutes
The Obsolescence of SSL Pinning in Mobile App Security
2025-09-01
This blog post is dense and time-consuming to read in full.If you just need the essentials:
4165 words
|
21 minutes
CVE-2025-9375: XML Injection Vulnerability in xmltodict 0.14.2 - Mono
2025-08-25
I discovered an XML Injection vulnerability in xmltodict version 0.14.2, a popular Python library with over 1.5 million weekly downloads on PyPI. This vulnerability allows attackers to inject arbitrary XML markup through crafted dictionary keys, potentially leading to XML structure manipulation, data corruption, and in web contexts, cross-site scripting (XSS) attacks.
691 words
|
3 minutes
CVE-2025-7969: Markdown-it Fence Rendering XSS - Fito
2025-08-20
Markdown-it 14.1.0 contains an XSS vulnerability (CVE-2025-7969) that enables arbitrary JavaScript execution through a fence rendering bypass. This post provides a technical deep dive into the vulnerability, exploitation techniques, and real-world impact scenarios.
1048 words
|
5 minutes
1
2