Broken Cloud Portal
Cloud Security
Apr 2, 2026
Another day, another dependency betrayal. 🔐 AVideo CSRF Blob admin/save.json.php lacks CSRF. Logged‑in admin visits evil site → S3 keys, PayPal mail, plugin config overwritten. SameSite=None cookie makes it trivial. GHSA-4wwr-7h7c-chqr.
Apr 2, 2026
Another day, another dependency that decided to betray us. 🔑 Cloudreve's Predictable Secrets Cloudreve versions before v4.10.0 used a weak PRNG seeded with time to generate APP_KEY. Attackers can brute‑
Apr 2, 2026
Hey team, another round of avoidable holes. Here’s what’s actually breaking things. ⚠️ Juju Dqlite TLS slip Juju controller’s Dqlite cluster skips TLS cert checks on port 17666, letting network-adjacent attackers join
Mar 28, 2026
Default configurations and blind trust in user input remain a fantastic way to get your environment flattened. Whether it is your edge appliances or your internal build pipelines, your infrastructure is actively fighting against
Mar 26, 2026
Parsing obscure HTTP features and building untrusted containers remains a reliable way to get your infrastructure owned. 📦 Netty Chunk Smuggling Nobody actually uses HTTP/1.1 chunk extensions in the real world, but your
Mar 26, 2026
Your automation tools are functioning as highly efficient backdoors. 🤖 Drive-By Sandbox RCE The OpenHands agent has a nasty CSRF vulnerability hiding inside its Git diff handler. A local GET endpoint passes unsanitized input directly
Mar 25, 2026
Nothing quite like watching your cluster burn because an engine forgot how subtraction works. 🧮 LiquidJS Math Nightmare If your Node apps render untrusted LiquidJS templates, your memory limits are useless. Attackers can bypass `memoryLimit`
Mar 25, 2026
It turns out you don't need a complex exploit chain when you can just ask the server to eat a gigabyte of RAM or panic on the first packet. 💥 39 Bytes to
Mar 24, 2026
The rush to deploy multi-agent infrastructure has turned basic AI dependencies into primary targets for supply chain compromise and protocol-layer abuse. 🐍 Tainted AI Dependencies Attackers leveraged a stolen PyPI token to backdoor litellm version
Mar 24, 2026
Trust is a liability, whether you're handing cross-account IAM roles to a shiny new SaaS or just letting your backends parse a few bytes of authentication data. 💸 Supply Chain Suicide A YC-backed
Mar 23, 2026
Supply chain attackers are hiding payload decoders in plain sight using invisible Unicode. Text-based detection won't save you. 🐛 Hidden Payload Decoders The GlassWorm campaign has spiked over 400 components since October 2025.
Mar 22, 2026
Exposing unauthenticated Docker daemon sockets directly to the internet remains a guaranteed method for losing a cluster. 🧯 CanisterWorm Wiper Escalation While previous TeamPCP campaigns focused on routine persistence, their toolset now features a strictly