QM

NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you maybe impacted! Please update your NGINX or change the config to mitigate it. Read more at depthfirst.com/nginx-rift

Every 3rd website you visit runs Nginx. 18,959,833 of them can be hijacked right now. A bug from 2008 just got a working exploit. CVE-2026-42945 (CVSS 9.2) No login. No access. Just one HTTP request. → Heap overflow → Worker process → RCE Patch ASAP to Nginx 1.31.0 or 1.30.1 PoC is already out: github.com/DepthFirstDisc…

Today we're launching the Open Defense Initiative: up to $5 million in @depthfirstlabs credits for critical open source projects to find and fix real, exploitable vulnerabilities. The timing matters: frontier models can autonomously discover and exploit vulnerabilities in widely-reviewed codebases. Open source models will catch up soon, and when they do, bad actors will have unfiltered access to these capabilities. We have a narrow window to harden critical software before that happens. This is the time to act, but until today frontier-level security, like what Mythos offers, has been reserved for a handful of large companies who are required to pay a lot for access. depthfirst is not only comparable in performance but also goes significantly beyond surface level findings, highlighting real, exploitable vulnerabilities due to its understanding of the system’s context and ability to verify like an attacker would. depthfirst found vulnerabilities in FFmpeg that Mythos missed, at a tenth of Anthropic's self reported spend. We want every defender to have these capabilities, starting with the open source projects the world runs on. If you maintain a critical open source project, apply for Open Defense credits through the form in the comments.

NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you maybe impacted! Please update your NGINX or change the config to mitigate it. Read more at depthfirst.com/nginx-rift

NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you maybe impacted! Please update your NGINX or change the config to mitigate it. Read more at depthfirst.com/nginx-rift

Today we're launching the Open Defense Initiative: up to $5 million in @depthfirstlabs credits for critical open source projects to find and fix real, exploitable vulnerabilities. The timing matters: frontier models can autonomously discover and exploit vulnerabilities in widely-reviewed codebases. Open source models will catch up soon, and when they do, bad actors will have unfiltered access to these capabilities. We have a narrow window to harden critical software before that happens. This is the time to act, but until today frontier-level security, like what Mythos offers, has been reserved for a handful of large companies who are required to pay a lot for access. depthfirst is not only comparable in performance but also goes significantly beyond surface level findings, highlighting real, exploitable vulnerabilities due to its understanding of the system’s context and ability to verify like an attacker would. depthfirst found vulnerabilities in FFmpeg that Mythos missed, at a tenth of Anthropic's self reported spend. We want every defender to have these capabilities, starting with the open source projects the world runs on. If you maintain a critical open source project, apply for Open Defense credits through the form in the comments.