Research Worth Reading Week 23/2025

Published: 09 Jun 2025


Another good week in the world of PHP security!


Riding The Time Machine: Journey Through An Old vBulletin PHP Object Injection

A great example of a write-up of an N-day (or N-year in this case) vulnerability! We need more of those: Riding The Time Machine: Journey Through An Old vBulletin PHP Object Injection.

✉️ Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113]

A great and detailed write-up for a great bug in Roundcube: Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113].

💦 Bypassing Watermark Implementations

The Kulkan team is back with an article on watermarking. A good reminder that FFmpeg can do everything! Bypassing Watermark Implementations.

🛠️ Incalmo: An Autonomous LLM-Based Multi-Stage Attacker

Curious about multi-host attacks and how an LLM handles them? Make sure you check out Incalmo and the accompanying research paper: Incalmo: An Autonomous LLM-Based Multi-Stage Attacker.

Written by PentesterLab
The platform to learn web hacking and security code review