research
Published vulnerabilities and writeups. Newest first.
- writeup · 2026-04-26
  Wonder Ad Blocker: Reverse Engineering a Malicious Chrome Extension
  A Chrome extension marketed as an ad blocker — with 500,000+ users — was operating as a distributed ad-intelligence scraping platform. Reverse engineering revealed tracking-script injection, browsing-data harvesting, and command infrastructure phone-home.
- writeup · 2026-04-06
  48 Hours on a SCADA Honeypot
  A SCADA-themed honeypot on Hetzner caught WannaCry samples still propagating in 2026, Outlaw/mdrfckr botnet credential stuffing, Solana validator credential harvesting, and automated Modbus/TCP scanning.
- cve · 2026-04-02 · Envoy · Medium · cvss 6.3
  CVE-2026-6994: Envoy Query Parameter Injection via header_mutation
  Envoy's header_mutation filter inserts header values into query strings without URL encoding, enabling arbitrary query-parameter injection — auth bypass, SQLi/XSS on upstream services. Affects v1.33.0+.
- cve · 2026-03-18 · Traefik · High · cvss 8.2
  CVE-2026-31360: Traefik SPIFFE Trust Domain Bypass
  Traefik's verifyServerCertMatchesURI overwrites the expected SPIFFE URI's host with the certificate's actual host before comparison, defeating trust-domain validation.
- cve · 2026-03-18 · Traefik · Medium
  CVE-2026-31361: Traefik ACME Private Key Exposure via Logs
  GetPrivateKey() in Traefik's ACME path logs the entire DER-encoded private key as decimal bytes when parsing fails. A 5-year regression of a partial v1.7.20 fix that was never ported to v2.x or v3.x.
- cve · 2026-03-04 · etcd · High · cvss 8.8
  CVE-2026-33413: etcd Authorization Bypass Across Multiple APIs
  Multiple etcd APIs reachable without authorization: MemberList (cluster topology), Alarm, Lease APIs, and compaction. CVSS 8.8.
- cve · 2026-03-04 · etcd · Medium · cvss 6.5
  CVE-2026-33343: etcd Nested Transactions Bypass RBAC
  An authenticated user with restricted key-range permissions can use nested transactions to access the entire etcd data store, bypassing RBAC entirely.