field log · research archive
The gap between what systems claim to do and what they actually do.
Field research on vulnerability classes, broken trust models, supply chain betrayals, and cryptographic assumptions that turned out to be wrong. By Kevlar — in the hash-and-trust business since before most CVE programs existed.
CVE-2026-21877: The Helper That Stops This Bug Was Already in n8n
The patch for CVE-2026-21877 adds eight lines to n8n's Git node and one line to a helper interface. The eight lines are a single if statement: ask whether the path is blocked, throw if it is.
CVE-2025-27407: graphql-ruby Loaded the Schema by Compiling It
The graphql-ruby fix for CVE-2025-27407 ships in three pieces. It validates field and argument names against /^[a-zA-Z][a-zA-Z0-9]$/, so a name with a newline raises InvalidNameError before reaching anything else.
CVE-2026-33937: Handlebars Trusts Its Own AST
The PoC for CVE-2026-33937 is a JSON file. The application's HTTP handler deserializes the body, hands the resulting object to Handlebars.compile, and gets back a function. When the function is called, it stringifies process.env into the rendered email.
CVE-2026-20182: The PoC Is the README. The Exploit Is a Bitcoin Address.
CVE-2026-20182 was published by Cisco on May 14, 2026. CISA added it to the Known Exploited Vulnerabilities Catalog the same week with a federal civilian remediation deadline of May 17.
CVE-2026-42897: EOMT Deploys to Outbound Rules. Health Checker Reads Inbound.
CVE-2026-42897 is a cross-site scripting bug in Outlook Web Access. Microsoft published it on May 15. CISA added it to KEV the same week with a remediation deadline of May 29.
CVE-2026-42945: The Other Half of the 2012 Patch
On 22 April 2026, Roman Arutyunyan committed one line to ngx_http_script.c. The line was e->is_args = 0;. It went directly above an existing line, e->quote = 0;, that had been sitting in the same function since May 2005.
CVE-2026-0740: Ninja Forms Shipped the Patch on February 10. The Bug Shipped Until March 19.
Ninja Forms File Uploads 3.3.25 shipped on February 10, 2026 as a security fix for CVE-2026-0740. Ninja Forms File Uploads 3.3.27 shipped on March 19, 2026 as a security fix for CVE-2026-0740. The first one did not fix it. The second one did.
CVE-2026-34159: The Deserializer Three CVEs Have Not Patched
The patch is three lines. The bug is in the function none of the three patches changed.
CVE-2024-22120: Zabbix's Audit Log Is the Read Primitive
Zabbix Server's trapper port accepts a command request from authenticated users who have permission to execute a global script on a host they can see. When the request lands, the server runs the script and inserts a row into the auditlog table recording who, w…
CVE-2026-25604: The PoC Tests /login. The Bug Is on /login_callback.
The PoC for CVE-2026-25604 runs a Flask mock. The mock builds the SAML AssertionConsumerService URL from the Host request header and shows an AuthnRequest that instructs AWS IAM Identity Center to redirect the SAML response to attacker.com:9090.
CVE-2026-42238: Nginx-UI's Backup Signature Is Signed By Whoever Sends the Backup
Nginx-UI v2.3.7 ships a backup-restore endpoint at POST /api/restore whose authentication gate is a clock. The gate checks two booleans: InstallLockStatus() returns true if the JWT secret is set or if SkipInstallation is true, and IsInstallTimeoutExceeded() re…
CVE-2026-23918: m->spurge Was an h2_ihash. The Array That Replaced It Kept the Assertion, Not the Dedup.
The Apache HTTP Server 2.4.67 release notes credit r1930444 and r1930796 for closing CVE-2026-23918. Both backport one upstream commit, [icing/mod_h2#312](https://github.com/icing/mod_h2/commit/b18fc7d2f8f5efe1336ba05ef25ada52fdaf3967), titled "stream purge." Th…
Dirty Frag: the patched half is the half Ubuntu already mitigated
CVE-2026-43284 patches a branch added to esp_input in January 2017. The branch was correct in 2017. It was correct again in 2018. It was correct in 2020 and in 2022.
CVE-2026-43284 + CVE-2026-43500: The Flag Was on TCP. UDP Did Not Set It.
On May 5, 2026, commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 landed in the upstream Linux kernel. Author Kuan-Ting Chen, committer Steffen Klassert. Title: xfrm: esp: avoid in-place decrypt on shared skb frags.
CVE-2023-50094: The CVE Number Is a Drawer, and reNgine Put Seven Bugs In It
The Nuclei template CVE-2023-50094.yaml authenticates to reNgine, sends POST /scan-engine/update with JSON {"nmapcmd": "curl {{interactsh-url}}"}, and treats a DNS callback as confirmation.
CVE-2026-39987: The Only WebSocket in Marimo Without an Auth Check Was the One That Forks a Shell
Marimo is a Python notebook server. Started with marimo edit, it binds HTTP and WebSocket routes for the editor, the kernel, LSP proxying, and, as of a feature added in July 2024, an in-browser terminal. The terminal endpoint lives at /terminal/ws.
CVE-2017-9822: The Patch Encrypted the Cookie. The Deserializer Is Still Public.
CVE-2017-9822 was assigned in 2017. The fix shipped in fifteen lines touching one method. CISA later added the entry to the KEV catalog. EPSS percentile sits at 99.94, the top hundredth of CVEs by predicted exploitation, and that percentile has not moved.
CVE-2025-23211: bleach Is An HTML Sanitizer. Jinja2 Does Not Read HTML.
Tandoor Recipes renders every recipe step through jinja2.Template(). The template engine is not sandboxed, has full access to Python builtins, and has been configured that way since January 5, 2021.
CVE-2025-9209: The RestroPress JWT Is Not Forged. The Plugin Signs It For You.
The RestroPress WordPress plugin registers a REST route at /wp-json/rp/v1/auth and calls it authentication. The handler reads the Authorization header, stashes whatever value is there, and uses it as the HMAC key to sign a JWT.
CVE-2026-41940: cPanel's Session File Is a Bus. The Basic Auth Password Wrote a Line to It.
cPanel's session state for an in-flight login lives in a file at /var/cpanel/sessions/raw/:<id>. The file is a flat key=value list, one record per line. The internal-auth handler sets successfulinternalauthwithtimestamp by appending a line to it.
CVE-2026-31431: authencesn Has Been Writing Those Four Bytes for Nine Years. The Patch Is Not in authencesn.
AFALG is the Linux kernel's userspace door into its in-tree crypto API. An unprivileged process opens a socket, names an algorithm, sends bytes through, gets ciphertext or plaintext back.
CVE-2026-3854: rails_env Is a Header Field. The Header Took User Input.
babeld is the proxy at the front of GitHub Enterprise Server's git push pipeline. gitrpcd is the RPC server downstream. Between them, babeld writes a single header named X-Stat that gitrpcd parses as the source of truth for what code to run and whether to sand…
CVE-2024-47575: FortiManager's get auth Command Does Not Authenticate
FortiManager's fgfm protocol listens on TCP port 541. A FortiGate registers itself by opening a TLS connection and sending a command named get auth. The command does not authenticate. It is a question the server answers, not a challenge it issues.
CVE-2026-33634: The Scanner Ran. So Did Their Code.
The security scanner that tells you what is wrong with your infrastructure needs access to your infrastructure. That is the product working as designed. TeamPCP read the job description.
CVE-2024-45409: The SignatureValue Verified. The DigestValue Compared Was Not in the Signature.
Ruby-SAML verified the SignatureValue. The cryptographic operation over SignedInfo was correct, the certificate chained to the IdP, the XMLDSig was real. The problem was not there.
CVE-2026-0827: LdeApi.Server.exe Assumes It Creates the Directory First
LdeApi.Server.exe runs as SYSTEM and writes MP27AM7Westimation.json to C:\ProgramData\Lenovo\LDE\SYSTEM. On a fresh Lenovo install, that directory does not exist.
CVE-2026-3844: The Gravatar Fetcher Fetched Anything
The CVE description names one missing check: file type validation. The patch added four. It now refuses any URL whose host is not gravatar.com, refuses any filename whose extension is not in an image allowlist, refuses any HTTP response whose detected content-…
CVE-2026-41651: Polkit Authorized the Slot, Not the Value
I cloned both public PoCs of CVE-2026-41651 yesterday morning. They are byte-for-byte identical except for the ASCII banner. One README ends with "This repository is for educational and defensive security purposes only.
Seventeen Green Checkmarks
I was scouting CVEs for this site when I read the description.
CVE-2026-40261: The Injection Is in syncCodeBase, Not generateP4Command
The PoC repository's package description says it demonstrates "shell injection in Perforce generateP4Command." The two payload files agree: vector 1 injects through the port flag, vector 2 through the user flag. Those are CVE-2026-40176.
CVE-2026-34621 Revisited: The 136-Day Detection Lie
On November 28, 2025, someone uploaded a PDF to VirusTotal. The filename was Invoice540.pdf. Thirteen of sixty-four antivirus engines flagged it. The other fifty-one saw a document.
CVE-2026-3891: The Capability Check Is Missing Because the Nonce Check Was Never a Capability Check
The C6 Bank integration for Pix for WooCommerce 1.5.0 exposes two AJAX endpoints. The first generates a WordPress nonce for the C6 settings context. The second accepts certificate file uploads and verifies that nonce before writing to disk.
CVE-2026-34486: EncryptInterceptor Only Encrypts Messages That Survive Decryption
The Tomcat cluster port at TCP 4000 has one access control mechanism when EncryptInterceptor is configured: if your message cannot be decrypted with the cluster's AES key, it gets dropped. That is the contract the configuration implies.
CVE-2026-39808: One curl to Root on the Box That's Supposed to Catch Malware
The device that receives your suspicious files, detonates them in an isolated VM, and tells your SOC whether they're malicious, that device is running an unauthenticated root shell endpoint.
CVE-2026-34621: Adobe Acrobat's Privilege Gate Inherits What It Checks
The PDF arrives as an invoice. It runs its JavaScript before you see the first page. The first thing it does is tell Object.prototype what to say when asked whether it's trusted.
BlueHammer: What the Researcher Commented Out
cfreg.ProviderName = L"IHATEMICROSOFT";
UnDefend: What Chaotic Eclipse Held Back This Time
Line 209 of UnDefend.cpp, inside WDKillerCallback, reads:
The Trust Inversion
A researcher called Chaotic Eclipse tried to do the right thing. They found a zero-day in Windows Defender, a SYSTEM write through the antivirus's own remediation engine. They reported it. Someone violated the disclosure agreement. So they published.
RedSun: How Windows Defender's Remediation Became a SYSTEM File Write
The comment is on the line where the Cloud Files provider name is set.
SAP NetWeaver CVE-2025-31324: When CVSS 10.0 Means What It Says
CVSS 10.0 is supposed to be a number that appears rarely enough to mean something. The scoring rubric requires everything to go wrong simultaneously: the vulnerability must be network-reachable, require no authentication, require no user interaction, and produ…
Axios, Sapphire Sleet, and 70 Million Weekly Installs
On March 31, 2026, the axios npm package was compromised. Two malicious versions, 1.14.1 and 0.30.4, were published through the primary maintainer account, "jasonsaayman." Both looked like routine version bumps.
TeamPCP Came for the Scanners
Your CI pipeline runs Trivy. It scans containers, scans IaC, flags vulnerable dependencies. It's the canary. It's trusted. It runs early in the pipeline with elevated access to secrets because that's what security tooling needs to function.
Oracle Cloud: The Breach They Technically Didn't Deny
"There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Prompt Injection Is a Supply Chain Attack
The security community is debating prompt injection as an AI safety problem. Some frame it as an alignment failure, the model is doing something it shouldn't. Neither framing is right, and the wrong frame means the wrong fix.
MCP Servers: The New npm Left-Pad
In March 2016, Azer Koçulu unpublished 273 npm packages. One of them, left-pad, was eleven lines of string-padding utility. It brought down React, Babel, and the builds of thousands of projects that had never heard of it.
Shai-Hulud: The First npm Worm
September 14, 2025. Researchers named it Shai-Hulud, after the sandworm in Dune. By the time npm's incident team finished revoking tokens and yanking versions, 500+ package releases had been compromised, some of them carrying millions of weekly downloads.
xrpl.js: The Official Package Was the Threat
The XRP Ledger's official JavaScript SDK, xrpl on npm, published by the XRPL Foundation, 4.2 million weekly downloads, shipped a backdoor in late April 2025. Versions 4.2.1 through 4.2.4, plus 2.14.2 on the legacy branch.
CLFS: Ransomware's Favorite Kernel Driver
Five exploited-in-wild local privilege escalation vulnerabilities from a single kernel driver in three years. That's not a run of bad luck. That's a structural condition Microsoft keeps patching at the wrong scope.
CrushFTP CVE-2025-31161: MFT Is the Target Now
CrushFTP just shipped a patch for CVE-2025-31161: authentication bypass in the WebInterface component, CVSS 9.8, unauthenticated, network-accessible, low complexity.
tj-actions: Mutable Tags Were Always a Lie
When you write uses: tj-actions/changed-files@v45 in a workflow, you're not pinning to a version. You're trusting that a stranger won't move the tag. That's not a pin. That's a prayer.
Bybit: $1.5B via a JavaScript Injection Nobody Was Looking For
On February 21, 2025, Bybit lost 401,347 ETH, approximately $1.46 billion at execution price, in a single transaction. Not a smart contract exploit. Not a bridge attack. Not a flash loan cascade.
Ivanti: The Vulnerability Subscription
Ivanti disclosed CVE-2025-0282 on January 8, 2025. Mandiant's retrospective analysis placed active exploitation in December 2024, at least 12 days prior. During that window, organizations running Ivanti Connect Secure had no patch to apply, no advisory to act…