Cuberk

---

Google Project Zero

• On the Effectiveness of Mutational Grammar Fuzzing - Ivan Fratric explores the flaws of mutational coverage-guided grammar fuzzing and introduces a technique to counter them.

Zero Day Initiative

• CVE-2026-33824: Remote Code Execution in Windows IKEv2 - Analysis of a critical remote code execution vulnerability in the Windows IKEv2 protocol.

Trail of Bits

• C/C++ checklist challenges, solved - Walkthrough of solutions to C/C++ security challenges involving Linux command injection and Windows driver type confusion.

TrustedSec

• GRC in an AI World - Staying in the Fast Lane Without Losing the Race! - Discussion on navigating Governance, Risk, and Compliance challenges in the rapidly evolving landscape of Artificial Intelligence.
• The Defensive Stack is Exposed: LLMs, Reverse Engineering, and the End of Opaque Defense - Exploration of how Large Language Models are being used to reverse engineer and expose vulnerabilities in defensive security tools.

HackerOne Hacktivity

• another liberapay member team twitter account broken Link Hijacking via Expired Twitter Account Link - An expired Twitter account link on a Liberapay team member's profile led to a broken link hijacking vulnerability.
• Liberapay member team twitter account broken Link Hijacking via Expired Twitter Account Link - An expired Twitter account link on a Liberapay team member's profile led to a broken link hijacking vulnerability.
• Private circle can be added to another circle via API despite visibility restriction - A vulnerability was discovered where private circles could be added to other circles via the API despite visibility restrictions.

  Medium.com (BugBounty)

• “5 Beginner Mistakes That Wasted My Time While Choosing Bug Bounty Targets” - Choosing the right target is one of the biggest factors in bug bounty hunting.
• From a Simple CSRF to Full Account Takeover - Security researchers often say that “small bugs become big bugs when chained together.”
• 🧠 Turning Small Clues Into Big Bugs — The Details Most Hunters Ignore - This article is part 2 of a series on turning small clues into big bugs.
• Threat Hunting for Network Based Attacks - LetsDefend [Part 3]🔥 - This write-up is based on a training scenario from LetsDefend and is shared for educational purposes only.
• Understanding BOLA — The #1 API Security Risk You Can’t Ignore - This article dives into BOLA (Broken Object Level Authorization) — the #1 API security risk.

  GitHub: arkadiyt/bounty-targets-data

• bounty-targets committed - Annamite Imdtly (05-10-2026 00:00) committed to bounty-targets.
• bounty-targets committed - Infandous Snickey (05-09-2026 22:30) committed to bounty-targets.
• bounty-targets committed - Amarillo Fixating (05-09-2026 21:30) committed to bounty-targets.
• bounty-targets committed - Reoperate Aulical (05-09-2026 21:00) committed to bounty-targets.
• bounty-targets committed - Drumroll Moral (05-09-2026 20:30) committed to bounty-targets.
• bounty-targets committed - Spraddled Acleidian (05-09-2026 20:00) committed to bounty-targets.
• bounty-targets committed - Polarans Thinclad (05-09-2026 19:30) committed to bounty-targets.
• bounty-targets committed - Wraith Tallyhos (05-09-2026 19:00) committed to bounty-targets.
• bounty-targets committed - Feticidal Saururan (05-09-2026 18:30) committed to bounty-targets.
• bounty-targets committed - Deyship Hairweave (05-09-2026 18:00) committed to bounty-targets.
• bounty-targets committed - Obtainers Relumine (05-09-2026 17:30) committed to bounty-targets.
• bounty-targets committed - Gallonage Acutest (05-09-2026 17:00) committed to bounty-targets.

  Medium.com (InfosecWriteups)

• This Profile Page Gave Me More Power Than It Should Have - Sometimes, you’re not looking for destruction. Sometimes, destruction is waiting for you to look.

  Intigriti 'BugBytes' & YesWeHack Blog Writeups

• No updates found in the last 24 hours.

Pentest-Report.com & getdisclosed.com Aggregators

• No updates found in the last 24 hours.

Twitter/X

• ShinyHunters Ransomware Group Breaches Instructure/Canvas - ShinyHunters reportedly breached Canvas infrastructure, obtaining student data and defacing login pages after claims that security teams ignored initial contact.
• Microsoft Edge Password Security Flaw - Researchers reveal Microsoft Edge may load saved passwords into system plain text upon browser startup.

Reddit r/netsec

• Getting LLMs Drunk to Find Remote Linux Kernel OOB Writes - A novel approach using LLMs to identify out-of-bounds write vulnerabilities in the Linux kernel.
• Technical Analysis of EagleSpy V6.0 (CraxsRAT Rebrand) - Detailed breakdown of the EagleSpy RAT distributed via Odysee and Telegram.
• Memory Poisoning AI Agents via ChromaDB - Demonstration of how AI agents can be compromised through malicious data injection in vector databases.

Lobste.rs

• Where Have All the Complex Windows Malware and Their Analyses Gone? - Discussion on the perceived decline in public deep-dive analyses of sophisticated Windows malware.
• ACME CA Comparison - A comparative study of various Automated Certificate Management Environment (ACME) Certificate Authorities.
• Laptops with Built-in Security Tokens - Analysis of the prevalence and security implications of hardware-backed security tokens in modern laptops.

Mastodon Infosec.exchange

• Instructure Security Incident Update - Edtech giant Instructure published a security incident page for the Canvas breach, notably using "noindex" tags to hide it from search engines.

The Hacker News

• cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now - cPanel addressed three flaws that could lead to privilege escalation, code execution, and denial-of-service.
• TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms - A new Brazilian banking trojan uses WhatsApp and Outlook worms to target 59 financial and crypto platforms.
• Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads - Fraudulent Android apps claiming to provide call histories tricked millions into paid subscriptions before being removed.

BleepingComputer

• JDownloader site hacked to replace installers with Python RAT malware - The JDownloader website was compromised to distribute malicious installers containing a Python-based remote access trojan.
• Fake OpenAI repository on Hugging Face pushes infostealer malware - A trending malicious Hugging Face repository impersonated OpenAI to deliver information-stealing malware to Windows users.
• Canvas login portals hacked in mass ShinyHunters extortion campaign - ShinyHunters defaced Canvas login pages with ransom demands, disrupting educational institutions nationwide.

SecurityWeek

• In Other News: Train Hacker Arrested, PamDOORa Linux Backdoor, New CISA Director Frontrunner - Weekly roundup includes a student hacking Taiwan's high-speed rail and a new Linux backdoor named PamDOORa.
• Polish Security Agency Reports ICS Breaches at Five Water Treatment Plants - Hackers gained unauthorized access to modify operational parameters at five Polish water treatment facilities.
• AI Firm Braintrust Prompts API Key Rotation After Data Breach - Braintrust initiated API key rotations after attackers compromised an AWS account and accessed AI provider secrets.

DataBreaches.net

• One size does not fit all — sometimes, victims probably should pay ransom - Analysis of the Canvas restoration suggests a potential negotiation or payment following the ShinyHunters extortion.

Hacker News (yc)

• Instagram DMs Lose End-to-End Encryption Starting Today - Meta has reportedly begun removing end-to-end encryption for Instagram direct messages.
• User just tricked Grok and Bankrbot to send tokens with Morse code - A security researcher successfully bypassed AI safety filters using Morse code to extract sensitive tokens.

Krebs on Security

• Canvas Breach Disrupts Schools & Colleges Nationwide - Detailed report on the ShinyHunters extortion attack that forced the Canvas education platform offline.

CIO ET

• Japanese tech firm GNA to offer secure public wi-fi, signs up Harbajan Singh - GNA India aims to provide secure public internet access across rural and remote regions in India.

NIST NVD & CVE Mitre

• CVE-2026-31431 (Copy Fail) - Critical nine-year-old Linux kernel flaw "Copy Fail" disclosed today by Theori.
• CVE-2026-23918 - Critical double-free vulnerability in Apache HTTP Server 2.4.66 leading to RCE.
• CVE-2026-43401 - Linux kernel intel_pstate flaw affecting systems booted with "nosmt".
• CVE-2026-0300 - Critical vulnerability added to CISA's Known Exploited Vulnerabilities catalog today.
• CVE-2026-41238 - XSS vulnerability in @carbon/ai-chat due to Object.prototype compromise.

PoC-in-GitHub (motikan2010.net) & GitHub Advisories List

• cyberguardsec101-sketch/ghostcat - Exploit for Apache Tomcat AJP Connector vulnerability (CVE-2020-1938).
• 0xkr3pt0n/CVE-2017-14980 - Python exploit for Sync Breeze Enterprise 10.0.28 buffer overflow.
• 0x0d3ad/CVE-2020-14008 - RCE exploit for Zoho ManageEngine Applications Manager.
• SreejaPuthan/cpanel-control-plane-exposure-check - Exposure assessment tool for cPanel/WHM auth bypass (CVE-2026-41940).
• haydenjames/CVE-2026-31431-check - Read-only checker for Linux kernel "Copy Fail" vulnerability.
• haydenjames/dirty-frag-check - Mitigation and detection tool for Linux kernel "Dirty Frag" vulnerabilities.

GitHub Search: 'CVE-2026' OR 'CVE-2025' created:today

• Percivalll/Copy-Fail-CVE-2026-31431-Kubernetes-PoC - Unprivileged container escape to node-level execution on Kubernetes via page-cache corruption.
• 0xShe/CVE-2026-31431 - New repository created today for the Linux kernel Copy Fail vulnerability.
• XsanFlip/poc-cpanel-cve-2026-41940 - Proof-of-concept for cPanel & WHM Authentication Bypass via Session-File CRLF Injection.

Exploit-DB & Packet Storm Security

• Rocky Linux RLSA-2026-3343 - Security update for containernetworking-plugins addressing DoS and memory issues.

GitHub: GhostTroops/TOP (Trending Offensive Projects)

• oxfemale/CVE-2026-20817 - Windows Error Reporting ALPC Elevation of Privilege exploit.
• painoob/Copy-Fail-Exploit-CVE-2026-31431 - Straight-line logic flaw exploit rooting every Linux distribution since 2017.
• iss4cf0ng/CVE-2026-31431-Linux-Copy-Fail - Rust implementation of the Copy Fail exploit for shellcode execution.
• casp3r0x0/CVE-2026-34159 - Zero-click RCE exploit for Lama.cpp RPC server.

GitHub Trending (Security Topic)

• enfein / mieru - A socks5 / HTTP / HTTPS proxy designed to bypass censorship, trending today with 35 new stars.
• Mbed-TLS / mbedtls - An open source, portable TLS library and reference implementation of the PSA Cryptography API with recent activity.

CTFtime.org (Active/Upcoming)

• Azure Assassin Alliance CTF 2026 - Jeopardy-style online CTF starting May 10, 2026, at 01:00 UTC.
• RAMunchers CTF - Jeopardy-style online CTF starting May 10, 2026, at 08:00 UTC.
• Midnight Sun CTF 2026 Quals - High-weight Jeopardy-style online qualifier starting May 10, 2026, at 12:00 UTC.

Infosec-Conferences.com

• CISO6 Cyber Security Summit: Pune 2026 - Leading event for security leaders focused on countering evolving threats, held on May 9, 2026.

LinkedIn: 'Penetration Tester' or 'Security Analyst' Jobs

• Junior Cyber Security Analyst at Haystack - Entry-level security analyst position in Manchester, UK, posted 22 hours ago.
• PENETRATION TEST ANALYST at QatarEnergy - Penetration testing role in Doha, Qatar, posted 2 hours ago.
• Cybersecurity Analyst at Remote Recruitment - Security analyst role based in South Africa, posted 12 minutes ago.
• Information Security Analyst at Mercor - Security analyst position in Auckland, New Zealand, posted 22 hours ago.
• Penetration Tester at CoDev - Penetration testing opportunity in the Philippines, posted 20 hours ago.
• Cybersecurity Analyst at Schonfeld - Security analyst role in New York, NY, posted 12 hours ago.
• Security Analyst at MINDTEL - Security analyst position in Dubai, UAE, posted 14 hours ago.

---