No patch coming. Project's been dormant for almost 4 years.
Found by Raul Bledea and Matei "Mal" Bădănoiu.
Full PoC: pentest-tools.com/research
Posts by Pentest-Tools.com
"It's just dev mode."
PTT-2025-028 / CVE-2026-30461 disagrees. Any authenticated user on a FuelCMS dev instance can drop a PHP shell via git submodule and call it from the browser. One HTTP request. Full RCE. CVSS 8.8 High.
#offensivesecurity #vulnerabilityresearch
Most practitioners don't get enough time there, because the other 80% keeps expanding to fill all hours.
Automation doesn't replace the craft. It stops the repetitive work from crowding it out.
See how we approach this at Pentest-Tools.com: pentest-tools.com/usage/penetr...
Automated penetration testing - Pentest-Tools.com
The interesting part of offensive security is the 20% automation can't touch.
Chaining findings. Uncovering logic flaws. Turning technical output into risk narratives that actually land.
#offensivesecurity #pentesting
Every tool call needs your explicit approval.
Also shipped: AI-enhanced auth in the Website Scanner, tests grouped by port in results, 5 new Sniper exploits, two new API endpoints for scan tests, and refreshed docs.
Full breakdown: pentest-tools.com/change-log
#offensivesecurity #infosec
March was about AI earning its place in the workflow.
You can now connect your AI assistant directly to your Pentest-Tools.com account via MCP server. Run scans, pull findings, manage targets through plain-language prompts in Claude, Cursor, or any MCP-compatible client. youtu.be/7chwBSIKYlw
authenticated scanning, 50% fewer false positives, forensic proof attached to confirmed findings.
pentest-tools.com/usage/online...
Every transition is where context gets lost and findings get missed.
The online vulnerability scanners from @Pentest-Tools.com put web apps, networks, APIs, and cloud in one environment:
Online vulnerability scanners - Pentest-Tools.com
Tool sprawl in vulnerability assessment isn't a tool problem. It's a handoff problem.
Web scan. Network scan. API scan. Three exports. Manual cross-referencing. Report assembly that has nothing to do with actual security work.
#offensivesecurity #infosec
Matei "Mal" Bădănoiu and Raul Bledea found the gap. Full PoC can be found in our Offensive Security Research Hub: pentest-tools.com/research
#offensivesecurity #vulnerabilityresearch #infosec #RCE
CVSSv3 goes from 5.4 to 8.8 faster than you can say "access denied."
No patch. ~4 years of unmaintained software. You know the drill.
FuelCMS access control in a nutshell: zero permissions → full Blocks module access → full RCE. Right? Right.
🏴☠️ Least privilege? FuelCMS didn't get the memo.
Any authenticated user (regardless of role) can call the Blocks module endpoint. Pair that with PTT-2025-026 and a low-privilege (one could even say zero-permission) account becomes full RCE.
The next generation of security professionals is in good hands. 🔐
#GirlsInCyber #Cybersecurity #EthicalHacking
✔️ And knowing that how you show up - with honesty, generosity, and a real point of view - builds the kind of trust that opens doors no certification ever will.
To everyone at #UNbreakableRomania 2026: thank you for building a community where new voices get a real seat at the table!
✔️ Understanding that in cybersecurity, success is silent. A breach that didn't happen doesn't celebrate itself. You have to learn to translate invisible outcomes into language that the business can feel: time saved, risk reduced, money protected.
✔️ Learning to ask "what problem are we actually solving?" - before building, before presenting, before proposing anything. It sounds obvious. Almost no one does it consistently.
Why? Because technical skill and business impact are not the same thing. Most of us are trained in one and left to figure out the other on our own.
What bridges them?
Last weekend, Andra Zaharia, our Head of Marketing & Community, spoke to 20 young women at the Girls in Cyber Bootcamp about exactly *that gap*, and how to close it.
The topic? Value engineering: how to turn your technical expertise into business outcomes that grow your career.
There's a version of a cybersecurity career where you're exceptionally good at your job - and almost invisible to the people who could grow it.
✅ 92% success rate for AI-assisted authentication
✅ More efficient scan orchestration with the MCP server (and more!).
Validation and reporting stay deterministic - and auditable. You keep full control.
See how AI works in Pentest-Tools.com - pentest-tools.com/features/ai
That’s why we introduced AI in Pentest-Tools.com only where it *improves precision* or *reduces friction*.
This translates to:
✅ 50% fewer FPs in fuzzing & web app scanning
✅ Deeper crawling coverage
How we use AI in Pentest-Tools.com
Skeptical of AI in #offensivesecurity tools? Good. You should be.
The last thing you need is for AI to:
❌ Generate synthetic or "hallucinated" vulnerabilities
❌ Bypass authorization boundaries, or
❌ Autonomously control scanning engines
The venue was a nice touch too - the Computer History Museum in Ljubljana. Very hackerish energy for a security talk.
Curious how Razvan works in practice? Watch him run a full pentest workflow here: pentest-tools.com/webinars/how...
#offensivesecurity #infosec #cybersecurity #BSides
The 3 things he wants you to remember are:
🧠 Be curious, creative, and open-minded
🚀 Embrace challenges that push your limits
🤝 Grow your network and learn from trustworthy sources
Razvan Ionescu, our Head of #OffensiveSecurity Services recently gave a heartfelt talk at #BSidesLjubljana. 🇸🇮
He shared the steps, mindset, and what actually worked for him in becoming the penetration tester he is today.
Daniel Bechenea from Pentest-Tools.com breaks down why 3 weeks of read-only access is often more damaging than ransomware, and why SSNs from 2018 are just as useful to attackers today.
Read Daniel's full take here: www.itsecurityguru.org/2026/03/20/2...
#cybersecurity #infosec #dataprotection
2.7M people got breach notifications from a company most of them never heard of.
Silent access. No ransomware. Just data walking out the door.
That’s how strong security communities grow: through practice, support, and a room that welcomes and nurtures new people.
Good luck to all finalists and bootcamp participants! Make the best of it! 👊
Learn more about UNbreakable România: unbreakable.ro
#offensivesecurity #infosec
Along with the in-person CTF final, 20 young women will join the Girls in Cyber Bootcamp for hands-on labs, mentorship, and a real path into #cybersecurity.
UNbreakable Romania 2026 - proudly supported by Pentest-Tools.com
🇷🇴 The cyber-edu.co #UNbreakableRomania 2026 final is happening *this week* - and we're excited to support the top 16 teams competing!