
Posts by alp1n3 🌲

5 days ago 1 0 0 0
What's coming to our GitHub Actions 2026 security roadmap
A look at GitHub Actions’ 2026 roadmap, outlining how secure defaults, policy controls, and CI/CD observability harden the software supply chain end to end.

Software supply chain attacks are on the rise. Learn how open source contributors can use what GitHub Actions is building to help protect projects and the broader software community.

github.blog/news-insight...

2 weeks ago 1 1 0 0
HTB: Snapped
Snapped is a Linux box hosting a static site behind nginx, with an Nginx UI admin panel. I’ll exploit CVE-2026-27944 to decrypt a backup download from the Nginx UI to find bcrypt password hashes in a SQLite database. I’ll crack one to get SSH access. To escalate to root, I’ll exploit CVE-2026-3888, a recent vulnerability in snapd where systemd-tmpfiles deletes snap-confine’s private temp directory, allowing me to win a race condition and replace the dynamic linker with a malicious payload that runs as root.

Snapped from HackTheBox features CVE-2026-27944 to download and decrypt Nginx UI backups without auth, bcrypt cracking for a shell, and CVE-2026-3888 to exploit a snapd race condition for root.

1 week ago 3 2 0 0
Argument Injection via Wildcard Expansion | YesWeHack Dojo 49: Secret Manager | CryptoCat's Blog
YesWeHack Dojo #49 writeup: exploiting wildcard argument injection in shell cp and grep commands to access internal secrets

My writeup for the "Secret Manager" challenge by zerodaygym (@yeswehack.bsky.social) 🤫

cryptocat.me/blog/ctf/mon...

2 weeks ago 0 1 0 0

The CVE Archeologist’s Field Guide is now on Storygraph for tracking and rating/reviews!

I’d definitely recommend it as a read for everyone — honestly such a great read, full of useful info, and the information was packed into 106 pages of need-to-know without too much fluff.

10/10! 🔥

2 weeks ago 0 0 0 0
SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
Welcome back! As we near the end of 2025, we are, of course, waiting for the next round of SSLVPN exploitation to occur in January (as it did in 2024 and 2025). Weeeeeeeee. Before then, we want to clear the decks and see how much research we can publish. This

WontFix can be an RCE Goldmine

SOAPwn by chudyPB

#5 in PortSwigger Web Hacking Techniques of 2025

Blog link 👇

4 weeks ago 1 1 0 0
How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit
As part of our CVE monitoring, we came across GHSA-pcq9-mq6m-mvmp (CVE-2025-68402), an authentication bypass in FreshRSS, a self-hosted RSS aggregator. It ...

A commit meant to "strengthen the crypto" in FreshRSS ended up removing the need for a correct password.

Why?
Longer SHA-256 nonce + bcrypt truncation at 72 bytes.

A nice example of why secure systems are about composition, not just stronger primitives.

pentesterlab.com/blog/freshrs...

1 month ago 9 5 0 1
CVE-2026-29000: Critical Auth Bypass in pac4j-jwt: Full PoC Using Only a Public Key
CodeAnt AI found a critical authentication bypass in pac4j-jwt where an attacker can impersonate any user using only the RSA public key. Full PoC and disclosure.

⛓️‍💥 Authentication Bypass in pac4j
Another issue with a library leveraging JWT: www.codeant.ai/security-res....

1 month ago 2 1 0 0

Defuddle now has a website!

This means you can use Defuddle anywhere to get the main content of a page in Markdown format.

You can simply add "defuddle.md" before any URL, use it via curl, Skills, CLI, or add it to your app via NPM.

1 month ago 220 28 10 2
Cross-Site Scripting (XSS) via Email HTML Rendering
## Impact A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an ali...

XSS on a password manager, about the scariest impact you can have...
github.com/aliasvault/a...
Luckily it was fixed super quick! Here's a simple script you can use to send raw HTML in emails. I think a lot more clients will benefit from sanitizer testing.
gist.github.com/JorianWoltje...

1 month ago 1 1 0 0
1 month ago 281 58 1 3

Dropped a piece of command strip tape on the ground and mine gobbled it up 🫠

Luckily after a day or two of random dry coughing all symptoms stopped.

Love these little guys but man do they make you worry sometimes!

1 month ago 1 0 0 0
The writing was always the cheap part
Last December, quite unrealistically, I took a solemn oath: I would not write again about AI for at least another year. I was growing tired with the incessant noise, the lack of stability, and the sel...

Inspired by one of @simonwillison.net 's reflections, I wrote a piece on the real cost of technical writing and documentation.

passo.uno/real-cost-of...

1 month ago 8 3 1 2

I worked really hard for this meme

1 month ago 130 13 3 0
GitHub - spaceraccoon/vulnerability-spoiler-alert-action: GitHub Action to alert on security patches before the CVE drops.
GitHub Action to alert on security patches before the CVE drops. - spaceraccoon/vulnerability-spoiler-alert-action

Vulnerability Spoiler Alert Action by @spaceraccoonsec

It monitors repositories and uses Claude to detect patching of security vulns. This early warning can give security teams more time to patch before the CVE drops.

GitHub repo👇

1 month ago 0 1 0 0
The Missing Semester of your CS education [MIT IAP 2026] - https://missing.csail.mit.edu

In January, @anishathalye.bsky.social, @josejg.bsky.social, and I returned to @csail.mit.edu to teach Missing Semester, a class on topics we miss from most CS programs—tools and techniques that everyone should know, like Bash, Git, CI, and AI tools. Today, we’re releasing the course for free online!

1 month ago 65 19 1 4

Paged Out! #8 is out! pagedout.institute @pagedout.bsky.social

In "An AWKward Modem" (p. 28), I show how to write a tiny modem in 5 lines of AWK and shift it into the near-ultrasonic range. 🔊

1 month ago 4 3 1 0
Cline CLI npm Package Compromised via Suspected Cache Poison...
A compromised npm publish token was used to push a malicious postinstall script in cline@2.3.0, affecting the popular AI coding agent CLI with 90k wee...

A compromised npm token was used to push an unauthorized postinstall script in cline@2.3.0, a popular AI coding agent CLI with 90k weekly downloads.

Big shoutout to @adnanthekhan.bsky.social whose research sniffed out the cache poisoning vulnerability! 💪

Details → socket.dev/blog/cline-c...

1 month ago 4 3 0 1

“I want it to just work” is the main requirement for 99% of people.

I totally get why too.

2 months ago 1 0 0 0

The Discord situation is going to produce a lot more people that hate Matrix.
They will still use Discord but they will now also hate Matrix

2 months ago 23 2 1 2
2 months ago 62 5 2 0

Go 1.26 has a lot to love, including significant performance improvements that are completely transparent to Go developers. Just upgrade and your Go programs run faster -- no other changes required!

2 months ago 33 5 0 1
OpenClaw Skill Marketplace Emerges as Active Malware Vector ...
Security researchers report widespread abuse of OpenClaw skills to deliver info-stealing malware, exposing a new supply chain risk as agent ecosystems...

☠️🤖 We’re entering a new era of malicious workflows.

OpenClaw skills show how easily agent workflows can be abused once they’re trusted to execute.

A closer look at this emerging class of supply chain attack:
socket.dev/blog/opencla...

2 months ago 1 1 0 1
Security - OpenClaw

Openclaw (Clawdbot) is cool and all but it’s also risky.

Make sure you get your bot audited with some better security practices 👇 

auth0.com/blog/five-step-guide-sec...

2 months ago 0 1 0 0
The Scam Ad Machine
Nearly one in three Meta ads found to point to a scam, phishing or malware

Dear f***ing lord!

Nearly one in every three Meta ads shown in the EU and UK over 23 days pointed to online scams

This should be the easiest layup for govt agencies in the history of enforcements

www.gendigital.com/blog/insight...

2 months ago 125 58 4 7
HTB: Bamboo
Bamboo offers a Squid HTTP proxy through which I’ll access a PaperCut NG instance. I’ll use Spose to scan through the proxy and discover the print management application. I’ll exploit an authentication bypass vulnerability in PaperCut and use application access to enable print scripting to get code execution. For privilege escalation, I’ll abuse a root process that runs a script from the papercut user’s home directory.

Bamboo from HackTheBox and VulnLab features Squid proxy enumeration, CVE-2023-27350 authentication bypass to RCE in PaperCut NG, and binary hijacking of a root-executed script for privilege escalation.

2 months ago 2 1 0 0

Our pentesting agent found a 1-click ATO to RCE in @moltbot Gateway Control UI in under 2 hours.

Local instances can also be exploited with one click.

Patched in main, update now.

Watch the exploit 👇

2 months ago 0 1 1 0
What Developers Need to Know About JWTs
Dan Moore will show you what JWTs are, how they work and everything you need to know to use them properly in your applications

I've given this talk 20+ times, but still enjoy the topic. What developers need to know about JWTs

2 months ago 4 1 0 0
HTB: Imagery
Imagery hosts a Flask-based image gallery application. I’ll exploit a stored XSS vulnerability in the bug report feature to steal an admin cookie. From the admin panel, I’ll use directory traversal to read the application source code, finding a command injection vulnerability in the image crop feature that requires access as a test user. After reading the database and cracking the test user’s password hash, I’ll exploit the command injection to get a shell. I’ll find an encrypted backup file and brute-force the pyAesCrypt password, getting access to an older backup with additional hashes. After cracking another user’s hash, I’ll pivot to a user that can run a custom backup utility as root via sudo. I’ll show two ways to abuse this. In Beyond Root, I’ll show why SSH is broken and how to get around it.

Imagery from HackTheBox features XSS to steal cookies, directory traversal for source code access, and command injection for RCE. Pivots include pyAesCrypt brute-forcing and abusing a sudo backup utility exploited multiple ways.

2 months ago 2 1 0 0

Got the final piece beautifully rendered and ready to be sent off for the 10qty SLM print…

But then I ran across the mass-market cut ones from China for $1.00/pc 😭 Why do they have to be so insanely cheap.

2 months ago 1 0 0 0