hackerman70000

32 posts

@hackerman_70000

Co-Founder at https://t.co/re7djxFu9Z

Warsaw · Joined February 2025
78 Following · 32 Followers
hackerman70000
hackerman70000@hackerman_70000·
A foreign government shouldn't be able to switch off your access to critical capabilities. It's a matter of national and business security. On Friday we saw a preview of how our reliance on a US ally could play out if we keep stagnating on building our own compute and technology. We've seen this before. The most relevant example is the UK, which banned the export of textile machinery during the industrial revolution to protect its technological lead. In Europe, we need to build our own technology, so Uncle Sam (or others) can't tell us what we can and can't do. I'm talking about technology, but the same probably applies to other areas of the economy too. My team and I are building @striga_ai to avoid that dependence. It's a project that audits source code with AI, and has already produced 20+ CVEs this year. We're in contact with several AI labs about partnerships to keep building Europe's digital sovereignty. Security capabilities are something we critically need to build ourselves. If there's a partnership to be had here, my DMs are open.
hackerman70000
hackerman70000@hackerman_70000·
A proud moment for me. @striga_ai has been accepted into the NVIDIA Inception program, NVIDIA's global startup ecosystem. Past the resources, it is a moment of validation. Everything we have been building for over a year is starting to gain traction. Cheers.
striga@striga_ai

Striga is now a member of the NVIDIA Inception program. The program gives us access to NVIDIA's developer tools, preferred pricing on hardware and software, and a global ecosystem of investors and partners. For us, that means the compute, tooling, and ecosystem access to scale the pipeline behind our vulnerability research. #NVIDIAInception @nvidia

hackerman70000
hackerman70000@hackerman_70000·
Found another CVE in Apache software using striga.ai. We have a dozen more reported though I assume the queue is long these days. Let me know which open-source project I should point striga at next
hackerman70000
hackerman70000@hackerman_70000·
@XorNinja I agree with you on that. I think we made it clear and were honest in our article. Anyway - we are open for strategic partnerships. If interested in joint research - let me know
thaidn
thaidn@XorNinja·
Thanks. We have the same goal: highlighting the most relevant part and making it clear that, in real-world httpd deployments, this is a DoS rather than an RCE. Also worth noting: this bug appears to affect only a single version, httpd 2.4.66. No older versions are vulnerable. So the info leak must be in this exact version, or some other common modules. I'd be very happy if someone can find such a bug. Having said that, this is still a pretty powerful DoS. The bug crashes the child process along with all of its worker threads. Apache will respawn a new child, but if requests triggering the crash are sent quickly enough, it might absolutely prevent legitimate users from accessing the server.
thaidn
thaidn@XorNinja·
Except that this httpd pre-auth “RCE” exploit does not work. A real exploit requires an infoleak, and the author conveniently supplied a “helper” that reads addresses directly from /proc//mem. We also found this bug in early April, submitted it, and were told it's a dup. Then we burned to develop an exploit, to no avail. Need an infoleak. It's interesting that AI struggles exactly where humans struggle too.
striga@striga_ai

PoCs for Apache Tomcat Unauth RCE (CVE-2026-34486) and Apache httpd Pre-auth RCE (CVE-2026-23918) are now public on our Github. Tomcat exploit is fully reliable. httpd chain works in a controlled lab setup with a known info leak. github.com/striga-ai/CVE-… github.com/striga-ai/CVE-…

hackerman70000
hackerman70000@hackerman_70000·
@Dinosn @XorNinja @daveaitel You argued that this is CVE pollution - I showed you that it is honest assessment. EPSS is something that you are looking for, not a CVE.
hackerman70000
hackerman70000@hackerman_70000·
@Dinosn @XorNinja @daveaitel The CVE was assigned by Apache and scored by CISA-ADP. The official title is "double free and possible RCE on early reset" - exactly what the writeup demonstrates. The DoS needs zero preconditions. The RCE chain shows where the bug leads. That's not pollution.
hackerman70000 retweeted
striga
striga@striga_ai·
PoCs for Apache Tomcat Unauth RCE (CVE-2026-34486) and Apache httpd Pre-auth RCE (CVE-2026-23918) are now public on our Github. Tomcat exploit is fully reliable. httpd chain works in a controlled lab setup with a known info leak. github.com/striga-ai/CVE-… github.com/striga-ai/CVE-…
hackerman70000
hackerman70000@hackerman_70000·
@Dinosn Regarding Ollama, here is our article in which we explain our findings covered in THN article (CVE-2026-42248, CVE-2026-42249). We reported those in Jan, 2026, and the newest release is still unpatched. striga.ai/research/ollam…
The Hacker News
The Hacker News@TheHackersNews·
🚨 CVE-2026-7482 in Ollama could let remote attackers leak process memory from more than 300,000 exposed servers using crafted GGUF files. Separate unpatched Windows flaws enable persistent code execution through Ollama’s update mechanism. Full details and mitigations: thehackernews.com/2026/05/ollama…
hackerman70000
hackerman70000@hackerman_70000·
Mythos: “too dangerous to release.” Reality: 1 low severity bug in 178k lines of curl. Marketing keeps outrunning engineering. daniel.haxx.se/blog/2026/05/1…
Ali Sünbül
Ali Sünbül@_xeloxa·
Wrote a PoC exploit for CVE-2026-23918, a recently patched double-free bug in Apache's mod_http2. Send a HEADERS frame followed by RST_STREAM, and the server tries to free the same pointer twice. Result: SIGSEGV. 🧵
hackerman70000
hackerman70000@hackerman_70000·
@Netlas_io We have just published a write-up on this: striga.ai/research/apach…. You should probably note that this heatmap reflects all of the Apache httpd servers and this vulnerability affects only those with HTTP/2 enabled
Netlas.io
Netlas.io@Netlas_io·
CVE-2026-23918 and others: Several vulnerabilities in Apache HTTP Server, up to 8.8 rating 🔥 Several vulnerabilities in Apache HTTP Server allow an attacker to achieve RCE on the server, bypass authentication, or escalate privileges. 👉 nt.ls/I4fYP
hackerman70000
hackerman70000@hackerman_70000·
@The_Cyber_News This vulnerability was found with striga.ai and the whole audit cost less than $100 by the way. We used open-source models for the audit. Is Mythos still relevant?
Cyber Security News
Cyber Security News@The_Cyber_News·
⚠️ Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks Source: cybersecuritynews.com/apache-http-se… The Apache Software Foundation has released a critical security update for Apache HTTP Server, patching five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE) in version 2.4.67, released on May 4, 2026. All users running version 2.4.66 or earlier are strongly urged to upgrade immediately. The most severe of the five vulnerabilities is CVE-2026-23918, rated High with a CVSS base score of 8.8. The flaw is a double-free memory corruption bug triggered within Apache's HTTP/2 protocol implementation during an "early stream reset" sequence. #cybersecuritynews #vulnerability
The Hacker News
The Hacker News@TheHackersNews·
🚨 Apache patches CVE-2026-23918 (CVSS 8.8) in HTTP Server 2.4.66. The HTTP/2 double-free flaw can trigger DoS and potentially enable remote code execution via crafted requests. Fixed in 2.4.67. Details here: thehackernews.com/2026/05/critic…