Anatomy of a GHSA Collaboration: Fixing Filament's MFA Race Together
I. Introduction: Filament is an open-source full-stack UI framework for Laravel built on top of Livewire. It lets developers compose admin panels, forms, tables, infolists, actions, and notifications a…
May 29, 2026 · 11 min read

Reasoning-First Vulnerability Research: How I Built an AI Agent That Found Multiple Bugs in an Open Source Project
May 27, 2026 · 11 min read

AI-Powered Vulnerability Hunting in WordPress Plugins/Themes
<7 days spare time · 100 plugins scanned · 524 candidate findings · 16 confirmed vulns · 5 scanner patches
This is not a vulnerability disclosure. It's a methodology. I want to share how to build an AI pip…
May 26, 2026 · 17 min read

Firmware Emulation With an Automated Skill Set
tags: firmware, emulation, qemu, reverse-engineering, cybersecurity
Khoa Hoang Anh, May 25, 2026
Link repo: https://github.com/9wteam/firmware-emulation-…
May 26, 2026 · 20 min read

From Privilege Escalation to RCE in Wiki.js
A tale of privilege escalation, command injection, and the humbling art of responsible disclosure
May 21, 2026 · 11 min read

AI-Assisted Discovery of SQL Injection & Stored XSS in Cacti Network Monitor
Disclosure status: Both vulnerabilities reported to the vendor on 2026-05-13 via GitHub Pull Request. Author: Nguyen Cong Tu (iaohkut). Published: May 2026.
I. Introduction: This post is about a methodolog…
May 21, 2026 · 13 min read

Two Access-Control Failures in SiYuan: Unauthenticated SQL Read and a Read-Only Role That Can Rewrite Server Config
I. Introduction: SiYuan is an open-source, privacy-first personal knowledge management tool. It lets users write in Markdown with block-level references, store everything in a local SQLite block data…
May 19, 2026 · 6 min read

JSON-Path Traversal Injection in Kysely: A Case Study Powered by ClaudeCode
I. Introduction: Kysely is an open-source TypeScript SQL query builder. It lets developers build type-safe SQL queries (SELECT, INSERT, UPDATE, DELETE, joins, JSON traversal) directly in TypeScript, with…
May 19, 2026 · 6 min read