PentesterLab's Blog: Insights, weekly research highlights, and deep dives into web security, code review, and pentesting.

RSS
Filter: All Research APPSEC AuthZ CAREER Code Review Insight JWT PENTESTING
Weekly Research

Research Worth Reading - Week 14, 2026

✨ ImageMagick: From Arbitrary File Read to File Write In Every Policy β€’ πŸ§‘πŸ»β€πŸ’» Leveling Up Secure Code Reviews with Claude Code β€’ πŸ€– Vulnerability Research Is Cooked

PentesterLab Apr 13, 2026

Defenders Finally Have the Edge

Everyone is panicking about AI-generated zero days. They should be paying attention to the other side of the equation. Anthropic recently ...

Louis Nyffenegger Mar 31, 2026 · 8 min read
Weekly Research

Research Worth Reading - Week 13, 2026

☁️ Remote Command Execution in Google Cloud with Single Directory Deletion

PentesterLab Mar 29, 2026
Weekly Research

Research Worth Reading - Week 12, 2026

πŸ€– Testing AI for Vulnerability Research: 4 Approaches & Where I Failed β€’ πŸ› οΈ Hyoketsu – Solving the Vendor Dependency Problem in RE β€’ 🐧 Sashiko

PentesterLab Mar 22, 2026

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit

As part of our CVE monitoring, we came across GHSA-pcq9-mq6m-mvmp (CVE-2025-68402), an authentication bypass in FreshRSS, a self-hosted RSS aggregator. It ...

Louis Nyffenegger Mar 10, 2026 · 10 min read
Weekly Research

Research Worth Reading - Week 10, 2026

πŸ”’ IronCurtain: A Personal AI Assistant Built Secure from the Ground Up β€’ πŸš₯ mitmproxy for fun and profit: Interception and Analysis of Application Traffic β€’ ⛓️‍πŸ’₯ Authentication Bypass in pac4j

PentesterLab Mar 8, 2026
Weekly Research

Research Worth Reading - Week 9, 2026

πŸ’» Browser-Based Port Scanning in the Age of LNA β€’ πŸͺŸ 100+ Kernel Bugs in 30 Days β€’ β›ˆοΈ vinext: Vibe-Hacking Cloudflare's Vibe-Coded Next.js Replacement

PentesterLab Mar 1, 2026
Insight

What you don't see

More and more, with the progress of coding agents, people are rewriting software.And honestly, it looks easy. You write a good ...

Louis Nyffenegger Mar 1, 2026 · 9 min read
Weekly Research

Research Worth Reading - Week 8, 2026

🦫 CTFtime.org / justCTF [*] 2020 / Go-fs / Writeup β€’ β˜•οΈ Almost Impossible: Java Deserialization Through Broken Crypto in OpenText Directory Services β€’ 😱 Vulnerability Disclosure: JWT Authentication Bypass in OpenID Connect Authenticator for Tomcat

PentesterLab Feb 22, 2026
Weekly Research

Research Worth Reading - Week 7, 2026

⨐ Breaking Down CVE-2026-25049: How TypeScript Types Failed n8n's Security β€’ βš’οΈ Introducing Augustus: Open Source LLM Prompt Injection Tool β€’ 🀺 When Two Parsers Disagree: Exploiting Query String Differentials for XSS

PentesterLab Feb 16, 2026
APPSEC PENTESTING

Playing Tag with GCM

It all started with a CVE. It feels like it always does πŸ˜‰. CVE-2025-54887 (CVSS 9.1) disclosed a missing GCM authentication ...

Louis Nyffenegger Feb 13, 2026 · 10 min read
Insight

What Dependency Management Can Learn from Certificate Management?

There was a time when certificate management was a constant source of outages. Not because TLS is complicated, and not because ...

Louis Nyffenegger Feb 10, 2026 · 15 min read