Codean

66 posts

@CodeanIO

Ethical hackers rock and we think they do not get enough love (tool wise). So we are creating a tool for security analysts, by security analysts!

Remote, Netherlands. Joined April 2021
174 Following, 420 Followers
Codean@CodeanIO·
We looked into Kdenlive and found out that opening someone else's project was not the best idea, since it could lead to Remote Code Execution. The vulnerability (CVE-2026-45184) has been patched in version 26.04.1, make sure to update and remember: do not trust FFmpeg parameters!
Codean@CodeanIO·
We took a good look into GNOME and general Linux desktop security. Our first findings are now public, including a full Flatpak sandbox escape. More coming soon :) github.com/flatpak/flatpa…
Codean@CodeanIO·
Two of our Codean Labs colleagues evaluated OpenPGP.js and identified a signature spoofing vulnerability. Writeup includes a PoC where we demonstrate the vulnerability by spoofing a message by the Dutch government's Cyber Security Center! codeanlabs.com/blog/research/…
Codean@CodeanIO·
At Codean Labs, our mission is to make the world more secure — and what better way than to secure fundamental open source projects? We identified CVE-2025-47934, a critical vulnerability in OpenPGP.js to spoof signatures, see github.com/openpgpjs/open… github.com/openpgpjs/open…
Codean@CodeanIO·
We discovered CVE-2024-12425 & CVE-2024-12426 which allow attackers to write files & extract sensitive data. Check our blog post for the impact & how to protect yourself. linkedin.com/feed/update/ur…
Codean@CodeanIO·
We spent a lot of effort on improving the security of Ghostscript and this is our third and final blog post about everything we found. Enjoy the read! linkedin.com/feed/update/ur…
Codean@CodeanIO·
We just reached over 1,000 commits on Codean 🎉 Just a few thousand more and I am sure Codean will be done by then 😉
Codean@CodeanIO·
We are finally catching up on some basic capabilities everyone expects, but are still darn hard to get right! Finally, landed on SCIP and SCIP indexers to have code intelligence that also enables us to create unique and cool features in the future. Stay tuned for more!
Codean@CodeanIO·
We found #CVE-2024-29510, a format string vulnerability in Ghostscript ≤ 10.03.0. It enables attackers to gain Remote Code Execution (#RCE) while also bypassing all sandbox protections. It has significant impact so please update Ghostscript! codeanlabs.com/blog/research/…
Codean@CodeanIO·
A public service announcement about #CVE-2024-4367 that we found in one of our pentests at Codean Labs. Make sure to update your #Firefox version to 126 and for #developers to update your PDF.js dependency. You can read our blog post for all details. linkedin.com/feed/update/ur…
Codean@CodeanIO·
We found a vulnerability in Mozilla’s PDF.js (CVE-2024-4367 and CVE-2024-34342 via react-pdf) resulting in arbitrary JavaScript execution when opening a malicious PDF. This results in XSS on many web- and even desktop apps. Blog post coming soon! linkedin.com/feed/update/ur…
Codean@CodeanIO·
Our Capture The Flag events are designed around the accessibility to the source code of all vulnerable targets. What's even more fun is that the whole CTF is played from within Codean! I guess we should host another public CTF sometime soon™! linkedin.com/feed/update/ur…
Codean@CodeanIO·
We are looking for design partners! "Yeah, yeah, yeah... just another sales tactic." Well yes, you are not wrong, we obviously do need to make money. That said, we believe we can create a win, win, win! Sounds interesting? Let us know! linkedin.com/feed/update/ur…
Codean@CodeanIO·
Did you know that we publicly discuss features and the architecture of Codean?! Join our Discord at discord.gg/nVDwK8fbH7 and let us know what you want from a tool like Codean!
Codean@CodeanIO·
#pentesting projects we do via Codean Labs relied on an older version of Codean. Today we onboarded a pentest project on the NEW platform at codean.io 🎉 We did find some bugs that we fixed and identified the need for more features... Plenty of work for all of us!