Forgot your password? No worries, we attackers can reset even the admin's. 🔑

PTT-2025-030: Matei "Mal" Bădănoiu and Raul Bledea from our team found SQL injection hiding inside the password reset flow of FuelCMS v1.5.2.

The parameters meant to verify your reset token and email? Both injectable.

So a valid reset token becomes a master key to:
🗄️ Dump the entire database
🔑 Reset any account's password, not just yours
✍️ Modify or delete content across the site as the admin

CVSS: 7.7 High. No fix is coming, the FuelCMS master branch hasn't seen a commit in ~4 years. We emailed the vendor. They're as quiet as an unmonitored server at 3am.

See the full technical breakdown in the comments. 👇

#offensivesecurity #vulnerabilityresearch #infosec

Needle in the haystack: LLMs for vulnerability research

Research shows LLMs find bugs better with minimal threat-model context and focused code slices instead of broad prompts.

https://devansh.bearblog.dev/needle-in-the-haystack/

#LLM #VulnerabilityResearch


ZAST Agent has identified 14 vulnerabilities in pybbs (tomoya92/pybbs, 2.9k+ GitHub Stars).

The attack surface includes 8 XSS vectors, CSRF on admin endpoints, and CAPTCHA reuse. Traditional SAST, which focuses on pattern matching, does not analyze logic flaws like email bypass or multi-stage flows (Stored XSS via /api/settings).

Our engine verified every attack path—from payload persistence to triggering admin-level execution—via executable PoCs. This minimizes the triage effort required for these validated findings.

Repo: https://github.com/tomoya92/pybbs

Full Technical Details: https://blog.zast.ai/cybersecurity/product%20updates/When-Your-Forum-Has-More-Holes-Than-Swiss-Cheese-A-Case-Study-in-pybbs-Security/

#AppSec #ZAST #VulnerabilityResearch #Java #XSS

Most research write-ups stop at the "what." We’re documenting the "how".

The new Research Hub at Pentest-Tools.com (led by Matei Badanoiu) shares the full discovery path, from initial anomalous behavior to functional exploit chains.

We’re prioritizing technical logic and field constraints over sanitized summaries to help the hacker community sharpen their methodology.

Full path to discovery: https://pentest-tools.com/research

#infosec #vulnerabilityresearch

Anthropic (@AnthropicAI)

Anthropic assesses that frontier models have now reached the level of world-class vulnerability researchers, and that they are currently better at finding vulnerabilities than at exploiting them; it urges developers to redouble their efforts to harden software security. It is a warning that the risk landscape may change going forward.

https://x.com/AnthropicAI/status/2029978911099244944

#aisecurity #vulnerabilityresearch #modelsafety #security

Anthropic (@AnthropicAI) on X

Frontier models are now world-class vulnerability researchers, but they’re currently better at finding vulnerabilities than exploiting them. This is unlikely to last. We urge developers to redouble their efforts to make software more secure. Read more: https://t.co/LRbhsb6XUb


Seven bugs. One unauthenticated RCE chain. Zero clicks.

This original research by our offensive security team into FuelCMS (v1.5.2) uncovered seven new vulnerabilities. By chaining some of them, we achieved Remote Code Execution (RCE).

The root causes? A *12-year-old Dwoo templating engine* and *outdated CodeIgniter3 code* still lurking in production systems.

The exploit chain combines:

🔓 Account takeover (PTT-2025-025): reset password tokens leaked by sending them to the attacker's inbox

💉 SQL injection (PTT-2025-030): usernames extracted during password reset (optional step)

⚡ PHP code execution (PTT-2025-026): unsanitized backslashes in the Dwoo parser resulting in RAW PHP CODE EXECUTION

Result: full web app compromise.

We published the full exploit chain on our blogpost so practitioners can reproduce and validate the findings. Read the detailed research here: https://pentest-tools.com/blog/throwing-a-spark-in-fuelcms

Many thanks to Matei Badanoiu, Raul Bledea and Eusebiu Boghici for their contributions.

#offensivesecurity #vulnerabilityresearch #pentesting #infosec

Out of curiosity: how often do you still run into 10+ year-old libraries during engagements?

ZAST Agent just verified an Open Redirect in Busy (busy-org/busy, 2.4k+ GitHub Stars).

The vulnerability targets the /callback endpoint where the state parameter is used as a redirect sink. While the code attempts to sanitize input by checking for a leading /, it fails to account for protocol-relative URLs (e.g., //attacker.com).

Our engine verified the full attack chain—generating the access_token bypass and confirming the 302 redirection via an Executable PoC. No grep-based guessing, just verified logic flaws.

Repo: https://github.com/busy-org/busy

Full Technical Details: https://github.com/busyorg/busy/issues/2287

#AppSec #ZAST #VulnerabilityResearch #Phishing #OpenRedirect
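The leading-slash check described above is the kind of filter that lets a protocol-relative target through. As an added example (not code from the Busy project), here is that naive check next to a hardened one that resolves the candidate against the application's own origin; the origin `https://busy.example` and the path values are constructed for illustration.

```javascript
// Naive check of the kind described in the post: accept anything that
// starts with "/". It lets "//attacker.example" through, which browsers
// treat as a protocol-relative URL pointing at another host.
function naiveIsLocalPath(target) {
  return typeof target === "string" && target.startsWith("/");
}

// Hardened check: reject control characters and whitespace, reject the
// "//" and "/\" prefixes explicitly, then resolve the candidate against
// our own origin and accept it only if the result still lives there.
function isSafeRedirect(target, appOrigin) {
  if (typeof target !== "string" || target.length === 0) return false;
  if (/[\u0000-\u001f\s]/.test(target)) return false;
  if (!target.startsWith("/")) return false;            // must be a path
  if (target.startsWith("//") || target.startsWith("/\\")) return false;
  let resolved;
  try {
    resolved = new URL(target, appOrigin);              // WHATWG resolution
  } catch {
    return false;
  }
  return resolved.origin === new URL(appOrigin).origin;
}

// What a /callback handler would actually use: the validated state value,
// or a safe fallback path when it fails the check.
function safeRedirectTarget(state, appOrigin, fallback = "/") {
  return isSafeRedirect(state, appOrigin) ? state : fallback;
}
```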

We just launched the Offensive Security Research Hub on Pentest-Tools.com!
This isn’t a CVE recap page.

Our #offensivesecurity team - led by Matei Badanoiu (CVE Jesus) - publishes original research: newly discovered vulnerabilities, deep technical write-ups, and full exploit chains built from real-world investigation.

You’ll see:

🛠️ Working PoCs and reproducible exploit paths

🧠 The exact reasoning that turned strange behavior into confirmed impact

⚖️ Field-tested analysis of edge cases, constraints, and trade-offs

No summaries. No recycled advisories.

This is practitioner-grade research from people who _actively_ hunt and validate vulnerabilities.

If you want to understand how experienced attackers approach complex targets, start here.

Bookmark this link, we're going to update it frequently with new learnings: https://pentest-tools.com/research

#vulnerabilityresearch #ethicalhacking #infosec

Just shipped updates for rhabdomancer, haruspex, and augur. Now compatible with @HexRaysSA IDA 9.3 and @xorpse's idalib-rs 8.0.

These headless #IDA plugins are built for #VulnerabilityResearch workflows where you want IDA's power without the GUI. This release brings a bunch of small improvements and bug fixes.

https://hnsecurity.it/blog/streamlining-vulnerability-research-with-the-idalib-rust-bindings-for-ida-9-2/


HN Security's Technical Director Marco Ivaldi walks through using idalib's Rust bindings with IDA 9.2 to streamline vulnerability research.


Our AI Agent recently audited Slider Future (1,000+ active installations) and identified a critical Unauthenticated RCE, now designated as CVE-2026-1405.

While pattern-matching approaches are effective at identifying broad code signatures, this specific vulnerability resides in the logical flow of the REST API.

The endpoint /upload-image/ allows unauthenticated access because the permission_callback is set to __return_true.

Check the details here: https://www.cve.org/CVERecord?id=CVE-2026-1405

@wordpress@lemmy.world @WordPress @wordfence

#AppSec #ZAST #VulnerabilityResearch #WordPress #RCE