YPYogesh Peelainexploitnotes.hashnode.dev·3d ago · 7 min readHackTheBox: Bamboo WriteupSummary Bamboo is a HackTheBox machine that chains together a Squid proxy pivot, an authentication bypass in PaperCut NG (CVE-2023-27350), and a PATH hijack privilege escalation to reach root. The exp00
JSJacob Strixinegnworks.hashnode.dev·3d ago · 6 min readCVE-2026-33017 Unauthenticated RCE in Langflow and the 20 Hour ExploitOriginally published on Egnworks. Langflow versions before 1.9.0 expose an unauthenticated remote code execution flaw in the public flow build endpoint. An attacker who sends a single crafted POST re00
VNVũ Nhật Lâminblog.fiscybersec.com·Jun 9 · 10 min readCVE-2026-5426 — KnowledgeDeliver Exploited as a Zero-Day via ViewState DeserializationSummary CVE-2026-5426 lets an unauthenticated attacker achieve OS-level remote code execution (RCE) on any internet-facing KnowledgeDeliver instance with a single HTTP request. The root cause is not a00
SGShiva Gaireindev.shivagaire.com.np·May 22 · 12 min readHow a fake client's project tried to hack my machine with RCESomeone messaged me on LinkedIn pitching a project idea. The repo he sent had a remote code execution backdoor in it. This is what it did and how I survived the linkedin lead that turned malicious wit00
TTuannqinblogs.night-wolf.io·May 21 · 11 min readFrom Privilege Escalation to RCE in Wiki.jsI was poking around Wiki.js 2.5.312 one afternoon — as one does — when I found two vulnerabilities that chain together beautifully to turn a wiki moderator into a root shell. One report got accepted. 10
JJebitokinsharonjebitok.com·May 6 · 14 min readPlant Photographer (TryHackMe)Plant Photographer is a TryHackMe challenge built around a botanist's personal portfolio website running on Werkzeug/Python. The box covers three main vulnerability classes: SSRF (Server-Side Request 00
SSl4cK0THinz2r.zor0ark.me·May 5 · 6 min readWebVersePro Labs - Labs: NewsForge Writeup (Command Injection)Challenge Link: https://dashboard.webverselabs-pro.com/labs/newsforge Introduction Welcome back to another CTF writeup, we are tackling NewsForge, an easy-level web challenge from the WebVersePro Lab00
MBMatt Brownincloudsecburrito.com·Apr 20 · 12 min readDistroless Removes the Shell, Not the RiskI've been hearing a fair bit lately about distroless images. As I started digging into them, it became clear the idea is not new. In fact, there is a great talk that covers the concept well, and it is00
AWAlan Westinalan-west.hashnode.dev·Mar 30 · 5 min readCheck Point Found Critical RCE Flaws in Claude Code. Here's What You Need to Know.If you're using Claude Code — and given that it reportedly has over 15 million commits on GitHub, a lot of you are — you need to stop and audit your project configuration files right now. Check Point Research published findings on two critical vulner...00
ASaviral srivastavainaviraxroot.hashnode.dev·Mar 19 · 9 min readCVE-2026-33017: How I Found an Unauthenticated RCE in Langflow by Reading the Code They Already FixedIn early 2025, CISA added CVE-2025-3248 to their Known Exploited Vulnerabilities catalog. It was an unauthenticated remote code execution bug in Langflow, the popular open-source AI workflow builder w00
