Patrik Grobshäuser

4.9K posts


@ITSecurityguard

Security Research @ Assetnote https://t.co/RmFwv6ItrQ https://t.co/VCPfgTLLBN https://t.co/qylqwXgc9I https://t.co/uwZdquCB7l

Offenburg · Joined January 2013
300 Following · 31.5K Followers
Patrik Grobshäuser (@ITSecurityguard):
Our team at @SLCyberSec / @assetnote just shipped a same-day breakdown of CVE-2026-9082: critical anonymous SQLi in Drupal core, no auth needed. 👀 lots of bug bounty targets in scope. Technical details 👇
Gee Jam (@JamGee39212):
@ITSecurityguard 11.124.0.40 and higher, 11.126.0.61 and higher, 11.130.0.25 and higher, 11.132.0.34 and higher, 11.134.0.28 and higher, 11.136.0.12 and higher: these are affected or patched versions
Patrik Grobshäuser (@ITSecurityguard):
We had a look at cPanel recently and found an attack chain that allowed us to read files as root pre-auth on cPanel versions 👇 11.124.0.40 and higher, 11.126.0.61 and higher, 11.130.0.25 and higher, 11.132.0.34 and higher, 11.134.0.28 and higher, 11.136.0.12 and higher. Patch now!
Assetnote (@assetnote):

Our security research team discovered a pre-authentication arbitrary file read as root in cPanel (CVE-2026-29205) — a path traversal in cpdavd that we made exploitable by abusing Dovecot's + alias handling to create attacker-controlled directory names on disk. We've updated cpanel2shell-scanner to cover both issues. Writeup and tool in replies. 👇

Patrik Grobshäuser retweeted:
shubs (@infosec_au):
cPanel's latest patch (11.134.0.26) for the pre-auth arbitrary file read issue (CVE-2026-29205) is incomplete. We made the call to not publish our research until a working patch is released. We are in touch with WebPros' security team.
Patrik Grobshäuser (@ITSecurityguard):
How we read all your emails in Salesforce Marketing Cloud. AMPScript injection in subject lines, padding oracle on a static AES key shared across every tenant. CVE-2026-22585/22586/22582/22583/2298 🔥 😏 slcyber.io/research-cente…
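As an added worked example (not code from Assetnote, from the research the post above describes, or from Salesforce): a CBC padding-oracle attack run end to end. The block cipher here is a constructed 16-byte Feistel network built on hashlib so the script runs offline with only the standard library; it stands in for AES, and the attack logic is unchanged because the attack never touches the cipher, only the yes/no answer to "did this ciphertext decrypt to valid PKCS#7 padding?". The key, the sample message and the `padding_oracle` function are assumptions of the example.

```python
# Constructed padding-oracle demonstration; a toy Feistel cipher stands in for AES.
import hashlib
import os

BLOCK = 16
# Assumption for the example: one key reused for every tenant's messages.
STATIC_KEY = b"same-key-for-every-tenant"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function of the toy cipher (a stand-in, not a real cipher design).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for i in reversed(range(8)):
        r_prev = l
        l_prev = _xor(r, _round(key, i, r_prev))
        l, r = l_prev, r_prev
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    iv, ct = data[:BLOCK], data[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(b"".join(out))


def padding_oracle(data: bytes) -> bool:
    """All the attacker observes: decryption succeeded, or a padding error."""
    try:
        cbc_decrypt(STATIC_KEY, data)
        return True
    except ValueError:
        return False


def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover the plaintext of `target` given the ciphertext block before it."""
    inter = bytearray(BLOCK)  # D_k(target), learned one byte at a time, right to left
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad  # already-known bytes must decrypt to `pad`
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # On the last byte, 0x02 0x02 (etc.) can validate by accident;
                # a true 0x01 terminator survives flipping the byte to its left.
                forged[pos - 1] ^= 0xFF
                still_valid = oracle(bytes(forged) + target)
                forged[pos - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle accepted no guess")
    return _xor(inter, prev)


def padding_oracle_attack(oracle, data: bytes) -> bytes:
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                     for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)


def demo() -> bytes:
    # Constructed sample message; the attacker holds only the ciphertext, never the key.
    secret = b"Subject: Q3 payroll - confidential"
    ciphertext = cbc_encrypt(STATIC_KEY, secret, os.urandom(BLOCK))
    return padding_oracle_attack(padding_oracle, ciphertext)


if __name__ == "__main__":
    print(demo())
```

Note what the attack needs and what it does not: about 128 oracle queries per recovered byte on average, and no knowledge of the key at all. A static key shared across tenants makes the situation worse in a separate way: an oracle reachable through any one tenant decrypts ciphertexts belonging to all of them, and rotating the key rotates it for everyone at once. The fix is to authenticate before decrypting (AES-GCM, or encrypt-then-MAC with a constant-time tag check) so that a padding error is never distinguishable from any other failure and the oracle does not exist.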
Tavis Ormandy (@taviso):
@lolzareverser @weezerOSINT @rez0__ Just do what you believe is right, you'll always have someone calling you irresponsible. If you sat on this people who signed up while you knew it was exposed would be complaining. I personally believe full disclosure is responsible disclosure.
impulsive (@weezerOSINT):
This man called me blackhat on his timeline to 71k people. In the DMs he told me he's "not claiming I released some secret technique", so which is it? He had the platform to help get this fixed: contact the company, escalate the report, connect me with the right people. Instead he chose to start a public fight over disclosure timelines, and guess what? The company rotated the key. 25 days of private emails got nothing. One public tweet got it fixed. Joseph Thacker, you know what you were doing when you made this post. You are a grown man instigating TL wars; isn't there anything else you could be doing with your time right now?
Patrik Grobshäuser retweeted:
shubs (@infosec_au):
We've just released a high fidelity scanner for CVE-2026-41940 (cPanel/WHM authentication bypass). All public PoCs so far lead to false negatives, and are not reliable. @SLCyberSec's research team's notes on this here: slcyber.io/research-cente… & tool here: github.com/assetnote/cpan…
Patrik Grobshäuser (@ITSecurityguard):
AI is great at "finding" bugs the same way a metal detector is great at finding metal: it beeps at everything. - Patrik G.
Patrik Grobshäuser retweeted:
Peter Girnus 🦅 (@gothburz):
I am a Vulnerability Analyst at the National Institute of Standards and Technology (NIST). There were 28,961 new CVEs published last year. I processed eleven per week.

I need to explain what enrichment is because, without it, the rest of this does not matter. A CVE is a numeric identifier that catalogs a new software vulnerability. A CVE without enrichment is a number. CVE-2026-XXXXX. The number tells you a vulnerability exists. It does not tell you the severity. It does not tell you which products are affected. It does not tell you the attack vector. It doesn't indicate whether to patch on Tuesday or now.

Every CISO in the country builds their patch-priority list using our enrichment data. We are the triage. Without us, the number is a fire alarm with no address. 28,961 alarms. I got to 572.

Every morning I open the queue. The queue is a spreadsheet. It was a spreadsheet when I started, and it is a spreadsheet now. Monday's queue has between 70 and 130 new entries, depending on whether someone found a batch of WordPress plugins over the weekend. I scroll to the top. I pick two. Sometimes three, if one is straightforward. I assign them to myself. I open the enrichment template. I begin. The other 70 stay in the queue. Tuesday, they will be joined by 70 more. I will pick two.

The page looks the same. I want to say that clearly. The NVD website, the one bookmarked on every security team's browser in every hospital and bank and water treatment plant and power utility in the country, loads the same way it loaded in 2023. Same interface. Same search. Same logo. There is no banner that says "this data is no longer current." There is no warning. There is no asterisk.

The security team at a hospital in Ohio who checks NVD at 7 AM to decide which of their 340 unpatched systems to prioritize today is making life-and-death triage decisions using a database that stopped being maintained. They do not know it stopped being maintained. The page looks the same.

We have not been defunded. I want to be precise about that. We have been "deprioritized." Our headcount has been "reallocated to other initiatives." Four analysts were moved to the AI Safety Measurement Initiative in January. AI safety measurement is the initiative that has funding. CVE enrichment is the initiative that protects the hospitals. The hospitals do not have an initiative.

My manager told me in February that we are "transitioning to a community-driven enrichment model." Community-driven means that vendors whose products have vulnerabilities will self-report the severity of those vulnerabilities. I sat in that meeting. I wrote it down. Oracle will now assess the criticality of its vulnerabilities. Microsoft will now assess how urgent it is to patch Microsoft. The fox will now audit the henhouse and submit the findings in JSON.

I still have my badge. I still have my login. I still open the spreadsheet. I still pick two. The queue has 9,247 unenriched CVEs as of this morning. Some of them are critical. I do not know which ones because they have not been enriched. That is what unenriched means. It means we do not know how dangerous they are because we stopped analyzing how dangerous they are. The page looks the same.

The system that catalogs broken systems is itself broken. I catalog the brokenness. I have been cataloging it at a rate of two per day. At this rate, I will finish the current backlog in twelve years and seven months, not accounting for the 80 new entries that will arrive tomorrow, and the 80 after that, and the 80 after that.

I am a Vulnerability Analyst at the National Institute of Standards and Technology. The page looks the same. The data doesn't. Nobody told the hospitals. That is my job. I am also not doing that.
Max Schoening (@mschoening):
First: This is documented and we also warn users when they publish a page. But, that’s not good enough! Second: We don’t like this and are looking at ways to fix this either by removing the PII from the public endpoints or by replacing it with an email proxy similar to GitHub’s equivalent functionality for public commits. Thanks for keeping us honest.
impulsive (@weezerOSINT):

Every public Notion page is leaking the email addresses of everyone who edited it. Zero authentication. No cookies. No tokens. One POST request returns full names, emails, and profile photos for every editor on the page. Your company wiki is public? Every employee's email is exposed. Right now. Reported in 2022. Still works in 2026. Like, what is the point of even having a BBP thread?

Patrik Grobshäuser (@ITSecurityguard):
@tjbecker Forgive my ignorance: will "Xint Code" find these without Anthropic models?
Tim Becker (@tjbecker):
Our AI code scanner, Xint Code, finds all 4 featured Mythos vulnerabilities (OpenBSD, FreeBSD, firecracker, FFmpeg) using its default pipeline (no custom prompts or configuration). These same scans found over 10 new vulnerabilities in OpenBSD, FFmpeg, and FreeBSD.
Xint (@xint_official):

Anthropic is (rightfully) generating a lot of attention for Mythos’s ability to find 0days, BUT the hard problem is not whether an LLM can recognize a bug when pointed at it; it is whether a system can find the right code to examine across a 9-million-line codebase, distinguish the one real vulnerability from the hundreds of theoretical weaknesses the model will flag along the way, and deliver output a developer can act on without wasting a week on false positives. This is something Xint has been doing since our wins at AIxCC and #ZeroDayCloud last year. We wanted to see if using publicly available models with the right scaffolding would reach the same performance as the latest limited-release frontier model under real-world conditions. In this research paper, not only did we find all the same bugs highlighted in Anthropic’s report, but we also found an additional 12 mid- to high-severity vulnerabilities not included in their public disclosures. Check out the full report here: go.xint.io/xint-mythos-ap…

Harshdeep Athawale (@harshdeep0x01):
Another one for the books 🥤 Just had a vulnerability report accepted by The Coca-Cola Company on their Vulnerability Disclosure Program via @intigriti - and unlocked the "Impact Maker" badge for a valid medium-severity submission along the way. Every accepted report is a small reminder of why I do this: finding the gaps before someone with bad intent does, and making the internet a slightly safer place in the process. Grateful to the Coca-Cola security team for the quick triage and to Intigriti for running a tight platform. On to the next one. #BugBounty #CyberSecurity #Intigriti #EthicalHacking #AppSec #VDP