Francisco Rosales
8 posts

Francisco Rosales
@0xmagic0
offensive security | learning and hacking for fun
Joined April 2026
58 Following 5 Followers
Francisco Rosales reposted

Francisco Rosales (@0xmagic0) of @Manifold_ai_sec found and reported the vulnerability.
Fixed in v3.6.0.
The filtering logic already existed. It just wasn't being called in both places. Update now.

This was an unauthenticated BAC vulnerability exposing, among many things, internal data. It was rated 9+ CVSS.
Sometimes the most impactful findings aren't the flashiest, just knowing where to look and what to test for.
#bugbounty #cybersecurity


This was a massive PII disclosure vulnerability. Records dating years back. A missing access control check sitting in front of the PII of every single customer on the site. This was a huge enterprise.
#bugbounty #cybersecurity #appsec #infosec


Another platform, another critical.
A while ago I did the Android security course by @hextreeio. Great course. I picked a program with a mobile app and started digging.
After some testing, I found a Critical vulnerability.
#bugbounty #cybersecurity #mobilesecurity


Today I'm open-sourcing agent2shell, a single Go binary that bridges reverse shells and AI agents. It catches reverse shells over TCP and exposes them as structured APIs via Unix sockets. Your AI agent just runs CLI commands:
▸ agent2shell run whoami
github.com/0xmagic0/agent…

This was a couple of months back. I wanted to test a target running an AI system and find a vulnerability in it.
This was a data exfiltration (PII) leveraging prompt injection.
#bugbounty


@ctbbpodcast I built a tool for this. Instead of tmux send-keys + capture-pane, the AI agent runs agent2shell run "command" and gets the output back github.com/0xmagic0/agent…

Reverse shells feel slow to type into when Claude Code has been doing multi-step work everywhere else. A good fix is to catch the shell in a tmux pane (ncat -lvnp 4444 into a listening pane) and tell Claude Code to use that pane.
Under the hood it drives the pane with tmux send-keys; commands land in the shell directly without any issues.
Webhook scopes are in the same bucket. The usual reason to skip them is the signature layer, HMAC or JWT; having to re-sign every tampered payload used to really suck and was a pain to test. Revisiting these techniques that required a lot of painful manual steps is a great idea because a ton of attack surface is probably still left untouched.
