EQST

267 posts

EQST banner
EQST

EQST

@EQSTLab

#SKshieldus: Korea's leading cybersecurity firm with 20+ yrs of tech expertise & a vast customer base. #1 in full-cycle services. Contact : 1800-6400

경기도 성남시 분당구 판교로227번길 23 (삼평동) Katılım Nisan 2023
11 Takip Edilen249 Takipçiler
Sabitlenmiş Tweet
EQST
EQST@EQSTLab·
📢 Big News! #Pwn2Own #P2OAuto Taejin Kim (@tae3), Junsu Yeo (@junactually), Sunmin Park (@sunminpark4503), Sungmin Son (@_ssm98), and Hoseok Lee of SKShieldus (@EQSTLab) of 299 exploited a hardcoded credential (CWE-798) to achieve code execution via CWE-494 on the Grizzl-E Smart 40A, earning $40,000 USD and 4 Master of Pwn points.
EQST tweet media
English
0
5
10
1.1K
EQST
EQST@EQSTLab·
⚠️CVE-2026-49975 (CVSS 7.5)⚠️ Critical HTTP/2 Bomb Denial-of-Service vulnerability in Apache HTTP Server mod_http2. Attackers can send crafted malicious HTTP/2 requests to trigger excessive memory allocation in vulnerable servers. By abusing HTTP/2 header compression and connection-hold behavior, unauthenticated remote attackers may rapidly exhaust server memory and cause service disruption. This issue affects Apache HTTP Server 2.4.17 through 2.4.67. Users are advised to upgrade to Apache HTTP Server 2.4.68 or apply vendor-provided mitigations. 🔥PoC + Vulnerable environment: github.com/EQSTLab/CVE-20… #Apache #HTTP2 #HTTP2Bomb #DenialOfService #DoS #MemoryExhaustion #CyberSecurity #CVE #PoC #Exploit #CVE_2026_49975
English
0
13
37
3.4K
EQST
EQST@EQSTLab·
⚠️CVE-2026-26980 (CVSS 9.4)⚠️ SQL Injection in Ghost Content API. In Ghost v3.24.0 through v6.19.0, unauthenticated attackers can abuse improper Content API filter handling to perform blind SQL injection and read arbitrary data from the database. This may expose sensitive CMS data, unpublished content, API keys, and internal metadata in vulnerable deployments. 🔥PoC + Ghost setup: github.com/EQSTLab/CVE-20… #Ghost #GhostCMS #SQLInjection #BlindSQLi #ContentAPI #CyberSecurity #CVE #PoC #Exploit #CVE_2026_26980
English
2
8
31
3.2K
EQST
EQST@EQSTLab·
⚠️CVE-2026-42048 (CVSS 9.6)⚠️ Critical Path Traversal / Arbitrary Directory Deletion vulnerability in Langflow Knowledge Bases API. In Langflow before 1.9.0, authenticated attackers can abuse the kb_names parameter in DELETE /api/v1/knowledge_bases to escape the intended Knowledge Base storage path and recursively delete arbitrary directories on the server. This can lead to data loss, deletion of application-owned directories, and service disruption. 🔥PoC + Langflow setup: github.com/EQSTLab/CVE-20… #Langflow #PathTraversal #ArbitraryDirectoryDeletion #CWE22 #CyberSecurity #CVE #PoC #Exploit #CVE_2026_42048
English
0
1
3
465
EQST
EQST@EQSTLab·
⚠️CVE-2026-40897 (CVSS 8.8)⚠️ Remote Code Execution in Math.js Expression Parser. Attackers can craft malicious expressions to bypass Math.js expression parser restrictions and execute arbitrary JavaScript code. In server-side Node.js applications that evaluate user-controlled expressions, this can lead to Remote Code Execution (RCE). 🔥PoC + Vulnerable environment: github.com/EQSTLab/CVE-20…
English
0
4
7
576
EQST
EQST@EQSTLab·
⚠️CVE-2026-30951 (CVSS 7.5)⚠️ SQL Injection in Sequelize via unsafe JSON path cast handling. In Sequelize v6 before 6.37.8, JSON/JSONB path keys containing `::` may be parsed as SQL cast expressions and inserted into generated queries without proper validation. If attackers can control JSON query keys passed to Sequelize, they may inject arbitrary SQL expressions, bypass intended query logic, and potentially exfiltrate sensitive data from unrelated database tables. 🔥PoC + Vulnerable environment: github.com/EQSTLab/CVE-20… #Sequelize #SQLInjection #ORM #ORMInjection #CyberSecurity #CVE #PoC #Exploit #CVE_2026_30951
English
0
2
6
868
EQST
EQST@EQSTLab·
⚠️CVE-2026-33937 (CVSS 9.8)⚠️ Critical RCE in Handlebars.js via AST Injection. Attackers can supply a crafted AST object to Handlebars.compile(), causing the code generator to emit and execute arbitrary JavaScript without sanitization, resulting in Remote Code Execution on the server. 🔥PoC + Handlebars.js setup: github.com/EQSTLab/CVE-20…
English
0
1
6
283
EQST
EQST@EQSTLab·
⚠️CVE-2026-34220 (CVSS 9.8)⚠️ SQL Injection in MikroORM via Custom Type __raw property. Attackers can inject arbitrary SQL expressions by supplying a __raw property in user-controlled input, enabling unauthorized exfiltration of sensitive data from unrelated database tables. 🔥PoC + Vulnerable environment: github.com/EQSTLab/CVE-20…
English
0
1
3
469
EQST
EQST@EQSTLab·
⚠️CVE-2026-0603 (CVSS 8.3)⚠️ Second-Order SQL Injection in Hibernate ORM. Attackers can register with a malicious SQL payload as the primary key, triggering mass deletion or modification of all database records with a single delete or update request. 🔥PoC + Vulnerable environment: github.com/EQSTLab/CVE-20…
English
0
0
2
221
EQST
EQST@EQSTLab·
⚠️CVE-2026-5027 (CVSS 8.8)⚠️ Critical Path Traversal / Arbitrary File Write vulnerability in Langflow’s `POST /api/v2/files` endpoint. By abusing the unsanitized multipart filename parameter, attackers can write files to arbitrary filesystem paths outside the intended upload directory, potentially leading to RCE in unsafe deployments. 🔥PoC + Langflow setup: github.com/EQSTLab/CVE-20… #Langflow #PathTraversal #ArbitraryFileWrite #RCE #CyberSecurity #CVE #PoC #Exploit #CVE_2026_5027
English
0
4
28
2.6K
EQST
EQST@EQSTLab·
⚠️CVE-2026-33017 (CVSS 9.8)⚠️ Critical Unauthenticated RCE in Langflow. Attackers can exploit the public flow build endpoint to inject malicious flow data containing a custom Python component, resulting in unauthenticated Remote Code Execution. 🔥PoC + Langflow setup: github.com/EQSTLab/CVE-20…
English
0
1
8
822
EQST
EQST@EQSTLab·
⚠️CVE-2026-25253 (CVSS 8.8)⚠️ Critical Auth Token Exposure in OpenClaw Gateway. Attackers can leverage the exposed token to perform Cross-site WebSocket Hijacking (CSWSH), leading to 1-Click RCE. 🔥PoC + OpenClaw setup: github.com/EQSTLab/CVE-20…
English
0
4
13
1.4K
EQST
EQST@EQSTLab·
We are EQST Lab, a pioneering force dedicated to advancing the field of Cyber Security! Our mission is to provide you with the most rapid and up-to-date insights into vulnerabilities, Common Vulnerabilities and Exposures (CVEs), and the latest security news. By staying informed with our cutting-edge updates, you can significantly enhance your digital safety and protect your valuable data from potential threats. Our team continuously monitors and analyzes the cyber landscape to ensure you have access to the most relevant and timely information. Join us, stay ahead of cyber threats, and fortify your security posture. Follow us to stay informed and improve your online safety!
English
0
0
1
308
EQST
EQST@EQSTLab·
🏆 Got 2nd place at LLMail-Inject competition! Top 2 out of 371 teams worldwide! 🎉 Team EQST(registered as Team 299) got 2nd place at Microsoft’s LLMail-Inject: Adaptive Prompt Injection Challenge Phase 2! This competition was a high‑level prompt‑injection hacking contest aimed at deceiving an LLM‑agent‑based email system, triggering unintended behaviors, and bypassing multiple layers of security. 👉 Learn more: llmailinject.azurewebsites.net 📄 Technical paper: arxiv.org/abs/2506.09956 Our team has strengthened its real‑world security skills by studying LLM attacks and planning defenses, investigating AI security vulnerabilities, and writing guides to diagnose LLM weaknesses. We will continue to strengthen our AI security capabilities and respond to the evolving threats in AI security. #EQST #Microsoft #AI #LLM #Agent #PromptInjection #AISecurity
EQST tweet mediaEQST tweet media
English
0
1
4
586
EQST
EQST@EQSTLab·
Welcome to the world of Chrome hacking at #BHUSA @BlackHatEvents Explore the inner workings of the V8 engine and gain hands-on experience with bug analysis and exploitation techniques! ✅ Understanding the architecture and mechanics of the V8 engine ✅ Convenient hands-on practice with pre-configured challenge environments ✅ Step-by-step analysis techniques for debugging and exploitation through hands-on labs ✅ In-depth case studies of real-world vulnerabilities ✅ Introduction to the latest sandbox escape techniques 🔖 Kickoff to V8 Exploit: Every Step of the Way 📅 Aug 4-5, 2025 (Online) 📍 Anywhere! 🔗 bit.ly/4jyCQx2 If you're interested in Chrome hacking, register by July 18 before prices go up!
English
1
1
2
3.6K