striga

23 posts

striga

@striga_ai

Source code auditing built on artificial intelligence.

Joined January 2026
2 Following, 521 Followers
Pinned Tweet
striga
striga@striga_ai·
For a Fistful of Dollars: Less than $100 of Compute Surfaces Pre-auth RCE in Apache httpd Write-up: striga.ai/research/apach…
striga
striga@striga_ai·
PoCs for Apache Tomcat Unauth RCE (CVE-2026-34486) and Apache httpd Pre-auth RCE (CVE-2026-23918) are now public on our Github. Tomcat exploit is fully reliable. httpd chain works in a controlled lab setup with a known info leak. github.com/striga-ai/CVE-… github.com/striga-ai/CVE-…
striga
striga@striga_ai·
The 90-day framework assumes the vendor engages, the embargo chain holds, and no one else finds the bug. Dirty Frag failed the middle one, our own backlog regularly fails the first, and in both cases the only people protected by the wait are the attackers who already have it. Shortening the timeline is the easy half. The harder question is whether the embargo concept survives at all: a vendor who hasn't acknowledged by day 14 or 30 will not acknowledge by day 90, and every extra week only widens the window for a leak or an independent rediscovery.
cts🌸
cts🌸@gf_256·
responsible disclosure is dead🤦
The Hacker News
The Hacker News@TheHackersNews·
How easy is CVE-2026-23918 to trigger?
🔸 One TCP connection.
🔸 Two frames.
🔸 HEADERS + immediate RST_STREAM (non-zero error code).
That’s it → double-free in mod_http2, worker crashes. Researchers built a working RCE PoC using Apache’s fixed scoreboard + mmap allocator (default on Debian & official Docker). If you’re on 2.4.66 with mod_http2 + threaded MPM: patch to 2.4.67 now. (prefork MPM is safe)
The Hacker News@TheHackersNews

🚨 Apache patches CVE-2026-23918 (CVSS 8.8) in HTTP Server 2.4.66. The HTTP/2 double-free flaw can trigger DoS and potentially enable remote code execution via crafted requests. Fixed in 2.4.67. Details here: thehackernews.com/2026/05/critic…

striga
striga@striga_ai·
CVE-2026-23918 - a pre-auth RCE in Apache httpd's mod_http2, found by Striga during our open-source research. The bug triggers on a single HTTP/2 connection sending HEADERS followed by RST_STREAM with a non-zero error code. Two nghttp2 callbacks both push the same stream pointer onto the cleanup array, and the second pool_destroy hits already-freed memory. We built a working RCE on x86_64 using mmap reuse and Apache's scoreboard memory as a stable container for fake cleanup structures. Affects Apache httpd 2.4.66 with mod_http2 and a multi-threaded MPM. Full technical writeup coming soon. cve.org/CVERecord?id=C… httpd.apache.org/security/vulne…
striga retweeted
hackerman70000
hackerman70000@hackerman_70000·
@TheHackersNews This vulnerability was found with striga.ai and the whole audit cost less than $100. Write-up coming soon.
striga
striga@striga_ai·
@ollama v0.23.0 still unpatched. Security posture of this project is below baseline. Two CVEs assigned, vendor not responding, and the latest release ships the same vulnerable code paths.
striga@striga_ai

Persistent RCE in @ollama's Windows auto-updater. An HTTP header decides where the downloaded file lands on disk. The signature check that would catch this is one line: return nil. Windows runs the dropped binary every login. CVE-2026-42248 + CVE-2026-42249. Affected: 0.12.10 - 0.22.0. Still unpatched after the 90-day disclosure window. Thanks to @CERT_Polska for picking up coordination with the vendor unresponsive. striga.ai/research/ollam…

striga
striga@striga_ai·
Persistent RCE in @ollama's Windows auto-updater. An HTTP header decides where the downloaded file lands on disk. The signature check that would catch this is one line: return nil. Windows runs the dropped binary every login. CVE-2026-42248 + CVE-2026-42249. Affected: 0.12.10 - 0.22.0. Still unpatched after the 90-day disclosure window. Thanks to @CERT_Polska for picking up coordination with the vendor unresponsive. striga.ai/research/ollam…
striga
striga@striga_ai·
@halvarflake There you go - full Apache Tomcat scan cost (3 x CVE including one RCE in final results) - around $80.
Halvar Flake
Halvar Flake@halvarflake·
Proposal: if you publish about an LLM finding vulns, please publish precise costs. Given the different levels of competence, verbosity etc per model, knowing token counts and cost per token is essential.
striga retweeted
Juliano Rizzo
Juliano Rizzo@julianor·
CVE-2026-34486: A one-line fix for a padding oracle in Apache Tomcat quietly disabled cluster encryption, enabling unauthenticated RCE. 16 years later, they've finally discovered our strategy @XorNinja 🤫
striga
striga@striga_ai·
Unauthenticated RCE in Apache Tomcat (CVE-2026-34486)
The EncryptInterceptor was supposed to protect cluster communication. A fix for a padding oracle vulnerability moved one line outside a try block, and the encryption layer silently started forwarding every failed decryption straight into unfiltered Java deserialization. We found it with Striga, built the exploit, and reported it to The Apache Software Foundation. striga.ai/research/tomca…
striga retweeted
Secureway Foundation
Secureway Foundation@SecurewayFDN·
Startup of the month at SWM 04.2026? Bartłomiej Dmitruk from @striga_ai on code auditing and vulnerabilities using AI.
🗓️ When: Tuesday, 21.04.2026
💡 Topic: Security as a code
🎟️ Tickets: app.evenea.pl/event/securewa…
🍺 Partners: DC9 Cyber, ISEC
📍 Where: Rotunda PKO Bank Polski
striga
striga@striga_ai·
We recently audited pac4j, a widely used Java security framework for authentication and authorization. We found several high-severity vulnerabilities in the LDAP and CSRF modules. All were responsibly disclosed to the maintainers and have been fixed in pac4j 6.4.1, 5.7.10, and 4.5.10. If you use pac4j in your stack, update your dependencies. Full advisory: pac4j.org/blog/security-…
striga
striga@striga_ai·
A buffer overflow in GNU inetutils telnetd has been sitting in the codebase since 1994. Pre-auth, no credentials needed, just a TCP connection to port 23. The vulnerability was reported by Adiel Sol from Dream Security (CVE-2026-32746, CVSS 9.8). We used Striga to analyze the byte constraints, demonstrate a GOT hijack on 32-bit targets, and build a hybrid RCE proof-of-concept for 64-bit systems. striga.ai/research/pre-a…