PentesterLab's Blog: Insights, weekly research highlights, and deep dives into web security, code review, and pentesting.

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit

As part of our CVE monitoring, we came across GHSA-pcq9-mq6m-mvmp (CVE-2025-68402), an authentication bypass in FreshRSS, a self-hosted RSS aggregator. It ...

By Louis Nyffenegger March 10, 2026 · 10 min read

Filter: All Research APPSEC AuthZ CAREER Code Review Insight JWT PENTESTING

Insight

What you don't see

More and more, with the progress of coding agents, people are rewriting software.And honestly, it looks easy. You write a good ...

Louis Nyffenegger Mar 1, 2026 · 9 min read

Insight

What Dependency Management Can Learn from Certificate Management?

There was a time when certificate management was a constant source of outages. Not because TLS is complicated, and not because ...

Louis Nyffenegger Feb 10, 2026 · 15 min read

Insight

When Code Is Cheap, What Happens to AppSec?

With Anthropic's Opus 4.5, Ralph Wiggum Loop and GastOwn, a few people on the bleeding edge of AI-based software development are ...

Louis Nyffenegger Feb 10, 2026 · 6 min read

Insight

Need for Speed: AI, Security, and Productivity

Security and privacy have always been about doing the right thing while balancing it with staying productive. People do not work ...

Louis Nyffenegger Feb 3, 2026 · 5 min read