Daniel Púa
@devploit
3K posts
Security Researcher · Head of Security @Magnific · CTF Player 🇪🇸 · @hackandbeers Málaga · Real-world infosec, no hype.

Málaga, Spain · Joined April 2016
906 Following · 3K Followers
Daniel Púa (@devploit):
Important: don't rely only on WAF coverage here. Some providers say a safe generic WAF rule for this SSRF class may break legitimate application behavior. Patch first, then use edge filtering and egress controls as defense-in-depth.
Daniel Púa (@devploit):
🚨 New Next.js CVE: CVE-2026-44578. High-severity SSRF via WebSocket Upgrade handling in self-hosted Next.js apps using the built-in Node.js server. Unauthenticated. Network-reachable. CVSS 8.6 High. Vercel-hosted deployments are not affected. If you run Next.js on your own infra, read on 🧵
Daniel Púa (@devploit):
Chars like +, %, & expand during re-escape → the write runs past the heap allocation, and the overflowing bytes come from the attacker's URI. Worker-crash DoS reproduces on every nginx 0.6.27 → 1.30.0 (+ Plus R32–R36). RCE is harder with ASLR, but it's not impossible.
Daniel Púa (@devploit):
🚨 New nginx CVE: CVE-2026-42945, aka "NGINX Rift." Heap buffer overflow in ngx_http_rewrite_module. ~18-year-old bug. Unauthenticated. One crafted HTTP request. CVSS 9.2 Critical. If you run nginx in front of PHP / WordPress / API gateways, read on 🧵
Daniel Púa retweeted
Vivek | Cybersecurity (@VivekIntel):
🚫 NoMore403 — HTTP 401/403 Bypass Testing Tool
A powerful CLI tool for finding access-control bypasses, parser inconsistencies & proxy/WAF misconfigurations.
⚡ Tests 403/401 bypass techniques automatically
⚡ Header, path, method & raw HTTP mutations
⚡ Detects frontend/backend parsing differences
⚡ Auto-calibration to reduce false positives
⚡ Replayable curl evidence for findings
⚡ JSON/JSONL support for pipelines
Built for bug bounty hunters, pentesters & web security researchers.
github.com/devploit/nomor…
#BugBounty #Pentesting #WebSecurity #CyberSecurity #AppSec
Daniel Púa (@devploit):
Just got a CVE assigned: CVE-2026-6379. Found an unauthenticated SQL injection in WP Photo Album Plus (< 9.1.11.001). CVSS 8.6. Pre-auth, no creds needed. Verified by @_WPScan_. Patch is out, update now. wpscan.com/vulnerability/…
Daniel Púa retweeted
H4x0r.DZ 🇰🇵 (@h4x0r_dz):
HackerOne just got a company breached. ClickUp's April 27th data leak? Directly caused by HackerOne's triage failure. They closed a critical report (893 exposed emails + a live API token) as a "duplicate" twice. Their AI or analysts auto-close valid findings as "informative" while real vulnerabilities fester. This wasn't a one-off. HackerOne did it to ClickUp at least three times. If you run a bug bounty on HackerOne, your security is in the hands of broken triage. Don't wait for a public shaming to find out they buried your next breach. Ditch HackerOne. clickup.com/blog/april-27t…
Daniel Púa retweeted
Luke Stephens (hakluke):
Learning to hack in 2026 has never been easier. You literally have an all-knowing, ever-patient tutor that you can ask any questions to, free of charge. It's so outrageous.
Daniel Púa retweeted
Alby Hernández (@achetronic):
⚠️ The "313 Team" has Ubuntu.com out of service with a DDoS and an extortion attempt against Canonical. At the same time, a public exploit for Copy Fail is circulating: 732 bytes of Python to get root on almost any Linux. Without repos there is no patch. And the clock is ticking.
Daniel Púa retweeted
Joaquín Cuenca Abela (@cuenca):
Freepik is now @Magnific. Walking away from a name millions trust is not something you do lightly. I wrote about why we did it.