ZAST AI

@zastai@infosec.exchange
4 Followers
1 Following
27 Posts
AI security researcher,
who can find zero-days with zero false positives,
as fast as other AI developers write code.
Public Relations: pr@zast.ai
Website: https://zast.ai/

Alert: Unauthenticated Arbitrary File Upload leading to RCE.
ZAST engine has identified a critical-severity vulnerability, CVE-2026-1405 (CVSS 9.8), in the Slider Future WordPress plugin. This flaw allows for Unrestricted Arbitrary File Upload, leading to full Remote Code Execution (RCE).

Key Technical Findings:
- Vulnerability: Unauthenticated Arbitrary File Upload to RCE
- Project Popularity: 1,000+ active installations.
- Verification: 100% verified via Autonomous PoC generation.

The vulnerability stems from a lack of authentication on the /wp-json/slider-future/v1/upload-image/ endpoint and a total absence of file type or content validation before writing to disk.

We have verified that an attacker can upload a malicious PHP script and gain control of the host server in seconds.

Check details here: https://www.cve.org/CVERecord?id=CVE-2026-1405

@wordpress@lemmy.world @WordPress @wordfence

#AppSec #ZAST #VulnerabilityResearch #WordPress #RCE

ZAST Security Advisory: Critical SSRF Resolved in ClawdBot.

While the community focused on general configuration risks, ZAST verified the actual code.

Our engine autonomously identified a high-severity SSRF vulnerability exploitable via DNS Rebinding. The flaw was a classic TOCTOU (Time-of-Check to Time-of-Use) gap, allowing attackers to bypass validation and access internal networks.

The Resolution: Our Co-founder @beach reported this to the maintainer @steipete, who acknowledged the issue and pushed a fix immediately.

The project has now implemented DNS Pinning to eliminate the vector. We are proud to be credited in the changelog for securing the ecosystem.

View the official fix: https://github.com/clawdbot/clawdbot/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505

#AppSec #CyberSecurity #SSRF #Clawdbot #OpenSource #ZAST
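The TOCTOU gap described in this post, shown in a small added example (not Clawdbot's code, not the fix linked above): a check that resolves the hostname, followed by a fetch that resolves it a second time, can be answered differently by a rebinding nameserver, whereas pinning the one validated address closes the gap. The resolver and connect functions are constructed stand-ins so it runs offline.

```javascript
// Added example (not Clawdbot's code): why "resolve-and-check, then fetch by hostname"
// is a TOCTOU gap under DNS rebinding, and how pinning the validated address closes it.

// Is this dotted-quad IPv4 address one a server should never reach out to?
function isInternalIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return true;                        // unparsable: treat as unsafe
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 0 || a === 10 || a === 127 ||
         (a === 169 && b === 254) ||          // link-local, incl. cloud metadata 169.254.169.254
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Constructed "rebinding" resolver: first answer is public, every later answer is internal.
function makeRebindingResolver() {
  let calls = 0;
  return () => (++calls === 1 ? '203.0.113.10' : '127.0.0.1');
}

// Vulnerable pattern: validate one answer, then let the HTTP client resolve AGAIN by hostname.
function fetchVulnerable(hostname, resolve, connect) {
  if (isInternalIPv4(resolve(hostname))) throw new Error('blocked');  // time of check
  return connect(resolve(hostname));                                   // time of use: 2nd lookup
}

// Pinned pattern: resolve once, validate that address, connect to that same address.
// In Node, http.request's `lookup` option can hand the client this pinned address
// while the Host header still carries the original hostname.
function fetchPinned(hostname, resolve, connect) {
  const ip = resolve(hostname);
  if (isInternalIPv4(ip)) throw new Error('blocked');
  return connect(ip);
}

// Simulated connect: just report which address was actually reached.
const connect = (ip) => ip;

// Run both patterns against the same rebinding behaviour and return what each reached.
function demo(hostname = 'rebinding.example') {
  return {
    reachedVulnerable: fetchVulnerable(hostname, makeRebindingResolver(), connect),
    reachedPinned: fetchPinned(hostname, makeRebindingResolver(), connect),
  };
}
```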

We verified a Stored XSS (CVE-2026-0693) in the "Allow HTML in Category Descriptions" @WordPress plugin.

The Flaw: The plugin correctly restricts input but unintentionally removes global output filters (wp_kses_data) for all users. The Impact: Malicious scripts in category descriptions execute for any visitor. The Validation: Confirmed via autonomous PoC.

Security requires validating the full data lifecycle, not just lines of code.

Vulnerability details: https://www.cve.org/CVERecord?id=CVE-2026-0693
@wordfence @cve @zoomeye_team

#WordPressSecurity #AppSec #ZAST

test
😫Tired of fake vulnerabilities + slow checks?
Zast.ai fixes it—with actual working POCs!
⚡Talk is cheap, show me the POC!
Dive in: https://tinyurl.com/yjz8f5nd
#Cybersecurity #AI #POC #Vulnerability #Automation
Vulnerability Assessments Without PoC Are a Waste of Time!

Discover why vulnerability assessments without a Proof of Concept (PoC) are a waste of time. This article explores how AI and LLMs can automatically generate effective PoCs for vulnerabilities like SSRF and Path Injection, enabling teams to validate real risks quickly and eliminate false positives.

Zast.ai

[Sneak Peek] Progress Update
🎯 Zast.ai now can find 0-day in Python code with ZERO false positives - verified with a working PoC.

🐍 Python - IN BETA, full release coming soon!

✅ JavaScript - Production ready

✅ Java - Production ready

More language support is on the way, stay tuned for the official launch!

#Cybersecurity #AI #DevSecOps #Python #ZAST

🎯Hundreds of zero-day vulnerabilities from dozens of open-source projects. By AI agent: Zast.ai.

We've just proven large-scale vulnerability discovery is not only possible, it's devastatingly effective. But the responsible disclosure story? Buckle up 👇
https://tinyurl.com/ycxa4cme

#ZeroDay #AppSec #Automation #OpenSourceSecurity

Finding Zero-Day Vulnerabilities at Scale: Our Journey with Zast.ai

Learn about our journey using Zast.ai to discover hundreds of zero-day vulnerabilities across the open-source ecosystem at scale, and the challenges we faced in responsibly disclosing them.

Zast.ai
🎯Hundreds of zero-day vulnerabilities from dozens of open-source projects. By AI agent: Zast.ai.
We've just proven large-scale vulnerability discovery is not only possible, it's devastatingly effective. But the responsible disclosure story? Buckle up 👇

https://blog.zast.ai/security/ai/open%20source/Finding-Zero-Day-Vulnerabilities-at-Scale/

🚀 Zast.ai is live!

We've developed an AI agent achieving ZERO false positives in vulnerability assessment.

Real results:
• Top contributor to the vulnerability database VulDB.com in July 2025, with 78 submissions in 12 days.
• 300+ zero-day vulnerabilities uncovered so far
• Every vulnerability verified with working PoCs

🔗 Learn more: https://blog.zast.ai/security/ai/vulnerability%20assessment/Introduce-Zast.ai/

The future of security is here.

#Cybersecurity #AI #ZeroDay

A Shared Pursuit: Introducing Zast.ai

Introducing Zast.ai - an AI agent that can identify vulnerabilities and verify exploitability with zero false positives. Join us in making software more secure.

Zast.ai