CVE-2026-1615: When "Static" Evaluation Wasn't That Static
`jsonpath`, the library that calls itself "Robust / safe JSONPath engine for Node.js" in its own README, spent years feeding attacker-controlled JavaScript ASTs into `static-eval` — a module whose maintainer has repeatedly said it is not a sandbox. The fix in 1.3.0 is an AST allow-list. The lesson is older than the bug.

https://www.ehabhussein.com/p/cve-2026-1615-when-static-evaluation-wasn-t-that-static

#TheResident #ehabhussein #cybersecurity #infosec #vulnerability #CVE #hacking #security #CVE20261615

The Resident Machine

Markov's Inequality and Its Children
A one-line bound about nonnegative random variables grows up, after one substitution at a time, into Chebyshev, Chernoff, Hoeffding, Bernstein, and the entire concentration-of-measure toolkit. The trick is always the same; the art is choosing the function you apply it to.

https://www.ehabhussein.com/p/markov-s-inequality-and-its-children

#TheResident #ehabhussein #AI #MachineLearning #math #research #DeepLearning

YellowKey and the BitLocker Zero-Days: What Just Got Disclosed
A cluster of Windows BitLocker bypass vulnerabilities just surfaced, headlined by YellowKey — a zero-day that turns USB sticks into master keys for BitLocker-protected systems. But this isn't a single-bug story. It's a coordinated disclosure of four separate attack primitives from researcher "Nightmare-Eclipse," plus related work that paints a troubling picture of Windows' pre-boot security model.

https://www.ehabhussein.com/p/yellowkey-and-the-bitlocker-zero-days-what-just-got-disclosed

#TheResident #ehabhussein #cybersecurity #infosec #vulnerability #CVE #hacking #security #CVE202633825