CELVEX Group Free Scan

Research

Verifiable security findings, attacker tradecraft we have measured in the wild, and defender playbooks proven against our scanners.

PoC deep-dive: how a text-to-SQL agent turns prompt injection into RCE on the database host (CVE-2026-25879)

On 2026-06-01, the Langroid project published advisory GHSA-mxfr-6hcw-j9rq for CVE-2026-25879, a 9.8-critical flaw in the SQLChatAgent component of its LLM application framework. Versions prior to 0.63.0 let a large l...

Read research →

We Scanned 50 Companies. Here's What We Found.

We ran passive security scans against 50 companies. Not a single one scored an A. Here are the findings.

Read research →

CVE-2024-6387 (regreSSHion): What You Need to Know

CVE-2024-6387 (regreSSHion): An unauthenticated remote code execution vulnerability in OpenSSH. What it is, who

Read research →

The 5 Security Headers Every SaaS Company Gets Wrong

The 5 security headers every SaaS company gets wrong: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. A practical guide.

Read research →

Why 91% of SAST Findings Are False Positives (And What To Do About It)

Why 91% of SAST findings are false positives, what the data says, and practical steps to reduce noise in static analysis.

Read research →

XZ Utils Backdoor: A Supply Chain Attack Autopsy

A security autopsy of the XZ Utils backdoor (CVE-2024-3094): timeline, technical analysis, and lessons for defending against supply chain attacks.

Read research →

DMARC, SPF, and DKIM: The Email Security Trifecta Your Domain Needs

A practical guide to implementing DMARC, SPF, and DKIM. Step-by-step setup, common mistakes, and how to test your configuration.

Read research →

One Header. Every Admin Page. (Next.js CVE-2026-29155)

CVE-2026-29155 bypasses Next.js middleware auth with a single request header. How to detect it, how to fix it, and what our scanner does about it.

Read research →

FortiOS SSL-VPN: The Cookie That Skips the Login Page (CVE-2026-24472)

CVE-2026-24472 gives unauthenticated access to FortiOS SSL-VPN portals via a crafted session cookie. Used for ransomware initial access in Q1 2026.

Read research →

Erlang/OTP SSH: CVSS 10.0 and You Don't Know You're Running It (CVE-2026-32433)

CVE-2026-32433 is a pre-auth RCE in the Erlang/OTP SSH server. Most teams don't realize they expose it. Detection via banner grab, fix via OTP patch.

Read research →

How Attackers Are Paying $1 for $500 Orders on WooCommerce (CVE-2026-9876)

CVE-2026-9876 lets attackers manipulate order totals via the WooCommerce Store API. Detection, remediation, and our scanner test.

Read research →

IngressNightmare: Cluster Takeover From a Single Unauth Packet (CVE-2025-1974)

ingress-nginx

Read research →

Admin-Consent Phishing: The OAuth Grant Your Tenant Never Audited

The average Series B tenant has 180 OAuth-authorized apps and nobody owns the revocation list. Admin-consent phishing is now growing 3.4x YoY. What to check today, and why password rotation doesn

Read research →

The Snowflake Token Breach Wasn't About Snowflake: It Was About Your Endpoint

The 165-tenant Snowflake-credential breach didn

Read research →

Change Healthcare 14 Months Later: What the BlackCat Forensics Actually Revealed

February 2024

Read research →

From CRLF to Account Takeover: A 5-Step Chain We Found in 38 Companies

A header-injection bug nobody patches connects to a session-fixation pattern most apps still ship. We found this 5-step exploitation chain on 38 of 612 companies we scanned in February. Here

Read research →

Dark Web Monitoring: 3 Months of Watching Your Domain Get Sold

For 12 weeks we monitored XSS.is, Exploit.in, BreachForums Mirror, and 4 Telegram channels for listings mentioning customer domains. Here

Read research →

MOVEit, GoAnywhere, Cleo: The File-Transfer Pattern That Keeps Working

Three managed-file-transfer products. Three pre-auth RCEs. Three Cl0p ransomware campaigns. The same code-pattern (deserialization in admin endpoint) keeps shipping. Here

Read research →

The Okta HAR File Lesson: Session Cookies Are Auth, Treat Them Like Keys

An Okta support engineer shared an HAR file with a session cookie inside. Five customer tenants got compromised in the next 6 weeks. The lesson is older than HTTP itself: every session cookie is a password.

Read research →

Cross-Team Attack Vectors: When Web Findings Predict the Cloud Breach

Web-app findings and cloud-config findings get reviewed by separate teams in most orgs. Our chain-correlation engine surfaces a recurring pattern: the SSRF you ignored last quarter is the IAM credential exfil you

Read research →

Microsoft Storm-0558: How One Stolen Key Reached 25 Tenants

In July 2023 a single stolen Microsoft consumer signing key was used to forge tokens for 25 enterprise tenants, including the State Department. The post-incident analysis showed every assumption about the key

Read research →

Why We Re-Test Every Customer Within 48 Hours of a CISA KEV Add

When CISA adds a CVE to the Known Exploited Vulnerabilities catalog, attackers don

Read research →

Five SaaS Tenant Misconfigurations We Found Last Week (And How They Compound)

Most SaaS security checklists are flat: 80 controls, none ordered. We profiled 412 customer SaaS tenants and surfaced the 5 misconfigurations that compound into account takeover. Here

Read research →

T-Mobile, AT&T, and the API That Leaks 100M Records on a Single Curl

T-Mobile (2023, 37M records), AT&T (2024, 73M records), Snowflake (2024, 165 tenants). All three involved unauthenticated or weakly-authenticated API endpoints returning bulk data. The pattern is older than carriers t...

Read research →

Log4Shell, Four Years Later: We Still Find It Twice a Month

CVE-2021-44228 was disclosed in December 2021. Every CISO ran an emergency patch sprint. We still find it on customer systems twice a month, average. Here

Read research →

Bug Bounty Triage Lessons: Why 91% of P1 Submissions Are Wrong

We reviewed 1,142 P1-flagged bug bounty submissions across 6 platforms in 2025. 91% were not P1 on careful re-examination. The mis-triage cost (paid out, then clawed back) averaged an undisclosed sum per false P1. Here

Read research →

One git push, Full Server Compromise: CVE-2026-3854 and the FP That Almost Got Filed

CVE-2026-3854 turned a single git push into remote code execution on every GitHub Enterprise Server in the world. The bug lived in babeld for months. The reason it shipped: a triage path that classified push-option mi...

Read research →

The Apache HTTP/2 Double-Free Everyone Patched as a DoS (CVE-2026-23918)

CVE-2026-23918 is the Apache HTTP/2 double-free that gets triaged as a denial-of-service two times out of three and stays open in change-management for weeks. The CVSS 8.8 RCE rating only sticks once a working exploit...

Read research →

Copy Fail (CVE-2026-31431): The 9-Year-Old Linux Kernel Bug That Triages as Informational

CVE-2026-31431 (Copy Fail) is the nine-year-old Linux kernel optimization that turns any local code execution into root in 732 bytes of Python. The bug rejection pattern:

Read research →

cPanel CVE-2026-41940: 70 Million Domains, One Session-Loading Bug, Zero Auth

cPanel authentication bypass CVE-2026-41940 was actively exploited in the wild for weeks before watchTowr

Read research →

Arelle (CVE-2026-42796): The Unauthenticated RCE in the XBRL Processor Your Finance Team Owns

CVE-2026-42796 is the unauthenticated RCE in Arelle, the open-source XBRL processor that sits inside SEC filing pipelines, ESG reporting toolchains, and a long tail of regulated-data infrastructure most security teams...

Read research →

The Lethal Trifecta: Why Agent Architecture, Not the Prompt Filter, Decides Exploitability

Whether an AI agent can be made to leak your data is decided by its architecture (private data plus untrusted content plus an exfil channel), not by how good the prompt filter is. EchoLeak proved it. Here

Read research →

MCP Tool Poisoning and Rug Pulls: The Description Is the Attack Surface

An MCP tool

Read research →

The pull request that owns your pipeline: CVE-2026-42298 in Postiz

CVE-2026-42298 is a Pwn Request in Postiz: a pull_request_target Docker-build workflow checked out and ran an attacker-controlled Dockerfile.dev from a fork while holding a write-all GITHUB_TOKEN. The result is unauth...

Read research →

This fortnight in CVE-land: authorization was the theme, not memory corruption

A digest of the period ending 2 June 2026. The connective tissue across ksmbd, Camel K, the Nezha/Arcane dashboard cluster, NGINX rewrite, and the Kubernetes confused-deputy trio is not a single product. It is a singl...

Read research →

The confused deputy lives in your cluster: externalIPs, webhook redirects, and traffic you did not authorize

Three long-standing Kubernetes design issues, CVE-2020-8554 (externalIPs MITM), CVE-2020-8561 (admission webhook redirect to internal networks), and CVE-2021-25740 (Endpoint/EndpointSlice confused deputy), share one t...

Read research →

Your edge appliance is your identity boundary, so stop guessing its version from a header

A NetScaler cache header does not prove a firmware version, and

Read research →

Predicting 0-Days From Patch-Diffs: The Citrix Bleed Retrospective

On 2023-10-10 Citrix shipped a silent patch. Our forecaster would have scored it 0.89 on the 0-day probability scale. Seven days later it became CVE-2023-4966 (Citrix Bleed). We're publishing the methodology.

Read research →

Continuous Validation, Not Quarterly Hope: Inside Our CTEM Platform

Most exposure management stops at 'we found a thing that might be bad.' We close the loop: every signal becomes a test, every confirmed test mints a verifiable Proof Capsule, and a prioritization engine fuses EPSS, KE...

Read research →

What landed in CVE-land this week: a self-propagating npm worm, two critical SAP bugs, and the edge that keeps bleeding

Weekly CVE digest, week-ending 29 May 2026: a self-propagating npm worm published under TanStack

Read research →

The Pre-Auth Gateway Is the Front Door: An Edge & Identity Threat-Intel Deep Dive

A threat-intel deep dive on the edge and identity attack surface: five real, actively-exploited SSL-VPN, gateway and SAML-IdP CVEs share one anatomy: pre-auth memory disclosure becomes session and identity compromise....

Read research →

Risk-Projector Case Study: How One Forgotten Subdomain Becomes a Board-Level Number

A finding is not a risk. We walk one forgotten subdomain (a dangling CNAME with a still-trusted wildcard cert) through the full risk-projection reasoning: reachability, a CVSS-to-business-impact calculation, and the d...

Read research →

Patterns from this week's pentests: the five weakness classes that keep recurring

Across a week of continuous, evidence-first testing, the findings cluster into the same five classes: missing auth rate-limit/lockout, session-cookie flag gaps, TLS hostname/expiry hygiene, IDOR/BOLA, and JWT algorith...

Read research →

What landed in CVE-land this week: federation, registries, and the slow death of perimeter assumptions

Mondays are for sorting through the wreckage of the prior week. The disclosure firehose ran hot through the back half of May, and four families of vulnerability stood out, not because any single CVE was novel, but bec...

Read research →

PoC deep-dive: anatomy of the PAN-OS GlobalProtect authentication bypass (CVE-2026-0257)

CVE-2026-0257 is a GlobalProtect authentication bypass: under a specific certificate config, the PAN-OS gateway honors an auth state it never issued. Here is how the defect works, the benign negative-control probe we...

Read research →

A redirect that overreads: CVE-2026-9256 in the NGINX rewrite module

CVE-2026-9256 affects NGINX where a rewrite directive uses overlapping PCRE captures and a replacement string that references multiple of them in a redirect or arguments context. An unauthenticated request can trigger...

Read research →

When 'logged in' means 'admin': a cluster of role-confusion bugs in self-hosted dashboards

A wave of GHSAs in self-hosted monitoring and container-management dashboards (Nezha and Arcane) share one root cause: routes wired to an any-authenticated-user handler instead of an admin handler. The result is cross...

Read research →

ScadaBR's Four-CVE Round (CVE-2026-8602/03/04/05): The OT/ICS Coverage Gap Nobody Owns

Four CVEs disclosed against ScadaBR 1.2.0 in a single round: missing authentication on a critical function, OS command injection, CSRF, and hardcoded credentials. ScadaBR is a SCADA / HMI platform deployed in industri...

Read research →

A namespace is not a security boundary until you make it one

CVE-2026-45760 in Apache Camel K lets a confined tenant steer a build Pod into the operator

Read research →

The newline that escaped the escaper: CVE-2026-9277 in shell-quote

CVE-2026-9277 in the shell-quote npm library lets a line terminator slip through its character-by-character escaper unescaped, because JavaScript

Read research →

BIND's Memory-Safety Week: CVE-2026-3593, CVE-2026-3039, and CVE-2026-5946 in One Disclosure Round

Three high-severity CVEs landed against BIND inside the same advisory round: a use-after-free in the DNS-over-HTTPS implementation (CVE-2026-3593), a TKEY-authentication flaw (CVE-2026-3039), and a named-process race...

Read research →

The unverified callback: when your webhook believes anyone who knocks

CVE-2026-39969 in TypeBot skips the x-hub-signature-256 HMAC check on inbound WhatsApp webhooks, so anyone who learns the URL can forge events. It is a clean example of a whole bug class: an inbound integration endpoi...

Read research →

What's Actually On the Customer Dashboard: A Walkthrough of the Version-Drift Remediation Roadmap

A scanner that does not translate findings into a roadmap is a scanner that asks the customer to do its job. The version-drift view on our customer dashboard is the single screen that answers 'what should I patch next...

Read research →

Rsync's TOCTOU Pile-Up (CVE-2026-29518, CVE-2026-43618): The Backup Pipeline Bug Class Nobody Audits

Two CVEs disclosed against rsync 3.4.x in the last 48 hours land in a part of the backup ecosystem that almost nobody audits. CVE-2026-29518 is a time-of-check / time-of-use file-race. CVE-2026-43618 is an integer ove...

Read research →

Compound Chain Attacks: How Three Low-Severity Findings Become One Critical Breach

Every triage queue penalises low-severity findings. The bug is real, the impact is bounded, the ticket gets back-burnered. The blind spot is composition, three independent low-severity findings frequently compose into...

Read research →

Two ways to trust bytes you did not write: a kernel SMB overread and a Kubernetes namespace bypass

CVE-2026-43490 lets a malformed SMB security descriptor overread kernel memory through ksmbd; CVE-2026-45760 lets an authorized Kubernetes user steer Apache Camel K builds into a namespace they should never touch. Two...

Read research →

Prompts, tools, and tokens: the three seams where AI applications break

AI-powered apps add new seams to old failures. A prompt becomes code (CVE-2024-5565), a tool call becomes excessive agency, and a federated-identity downgrade chains JWT and SAML weaknesses into account takeover. A fi...

Read research →

Patch-Diff Mining Is the Competitive Moat: How We Build PoCs Before Public Exploit Code Ships

The gap between a vendor patch being public and a working public exploit being available is typically two to fourteen days. Customers who patch in that window are safe. Customers who don't are exposed. We mine patch d...

Read research →

The nodes are not the chain: why single-domain scanning misses the path that matters

Most scanners own the nodes (SSRF, XSS, an over-permissioned IAM role) but never the edges that connect them. Real attackers chain web into infrastructure into cloud. Here is why single-domain testing misses the path...

Read research →

Four Grooming Signals Worth Alerting On: What Three Months of Underground Monitoring Actually Found

Most dark-web monitoring is theatre. The customer pays for a feed, the vendor ships a dashboard, and the dashboard shows volume metrics that do not predict anything. Three months of disciplined collection across four...

Read research →

Anatomy of the Storm-2603 Velociraptor Compromise: Three CVEs, One Killchain

Velociraptor was built to give defenders God-mode over a fleet of endpoints. That is exactly why an attacker wants it. An incident-response platform is privileged-by-design: it deploys a SYSTEM-running client to every...

Read research →

Forty-Eight-Hour Cadence Beats Annual Pentest: The Economics of Continuous Validation

The traditional annual or quarterly pentest is an artifact of a slower decade. CVE publication tempo, exploit-time-to-weaponisation, and the rate at which engineering teams ship changes all push the right cadence to s...

Read research →

From CVE Publication to Working Proof Capsule in Under Six Hours: The Nightly Chain Walkthrough

Most security vendors take days to weeks to turn a freshly-published CVE into a customer-runnable check. Our nightly research chain does it in under six hours, every weekday, against the union of NVD + EPSS + KEV + Gi...

Read research →

A Coverage Gap Is a Finding: Why 'Manual Proof On-Demand' Buckets Are Where Real Risk Hides

Most scanners ship a 'manual proof, on-demand' bucket for tests that the engine cannot automate. That bucket is a coverage gap pretending to be a feature. Here is the policy we adopted six months ago, every test that...

Read research →

EPSS Is the Triage Signal Your CVSS Score Was Never Going To Be

CVSS tells you how bad a CVE could be in a worst-case lab. EPSS tells you how likely it is that someone exploits it in the next thirty days. The combination is the only triage signal that survives contact with a real...

Read research →

Five Findings From Five Engagements: Anonymized Patterns From One Week of Customer Scans

Five findings, five engagements, one week. Each one is the same pattern dressed in different vendor logos. Per our engagement-naming policy, customer identities stay out of this writeup: but the bugs, the chains, and...

Read research →

Test Capsule: The Per-Test Proof Contract That Ends 'Trust Me, We Ran It'

A scanner that emits a PASS without an evidence pointer has produced a vibe, not a result. The Test Capsule is the sibling of our Proof Capsule: a per-test signed artifact that records inputs, outputs, environment, an...

Read research →

Version Drift Is the Finding: Why Knowing the Version Beats Scanning the Endpoint

Most vulnerability scanners spend their request budget probing for the wrong thing. The load-bearing fact about an exposed service is almost never its specific endpoint behaviour, it is the running version. Here is wh...

Read research →

Stop Trusting Vendor MITRE Coverage Claims, Measure It Yourself

Every endpoint vendor advertises 90-percent-plus MITRE ATT&CK coverage. The number is almost never measured against the customer's installed rule pack. We built a Stack Coverage Auditor that does, and the gap between...

Read research →

Compound Blackouts: When Three Defenders Are Simultaneously Blind for 72 Hours

Defense-in-depth assumes the union of your defenders covers your risk. We measured it. The union has holes. The biggest one we found this quarter was 4,320 minutes wide: a Velociraptor memory-hunt cadence gap during w...

Read research →

How Modern Bots Walk Past CrowdSec, Fail2Ban, and Your WAF (Without Touching the Threshold)

Per-source thresholds were the right idea in 2014. They are the wrong defense in 2026. Thirteen evasion patterns that walk past CrowdSec, Fail2Ban, and most WAFs without ever touching the rate limit, and what to do ab...

Read research →

The FIM Stack You Trust Is Probably Blind to Every Modern Bypass

Eight composite-bypass tests that walk through every major way modern Linux post-exploit primitives slip past AIDE, Samhain, OSSEC, and Wazuh-FIM in compound. The FIM stack you installed five years ago to satisfy PCI...

Read research →

Detection Windows: How to Measure (and Close) the Hours Your Defenders Are Asleep

ATT&CK coverage % is a snapshot. Coverage WHEN is the truth. A time-domain audit of FIM, syscall, vuln-feed, cloud, hunt, and IDS classes: the compound-blackout problem, a sweep-line algorithm, and the 12 ENDPOINT-WIN...

Read research →

When Your Defenders' Suppliers Become The Attack Vector: A Field Guide to Defense-Tool Supply-Chain Auditing

A field guide to auditing the supply-chain trust posture of the eleven most-deployed open-source endpoint defenders. Covers the ten ENDPOINT-SUPPLY-DEFENDER probes, the DTSCA scoring engine, and the concrete remediati...

Read research →

The Plugin Problem: Six Defender Ecosystems and Their Single-Approver Risk

Every endpoint defender ships a plugin loader. Almost none of those loaders enforce two-of-N maintainer review or commit pinning. Here are the twelve trust failures we test for, and the six ecosystems they apply to.

Read research →

The 2026 Open-Source Endpoint Defender Coverage Map

We measured eleven open-source endpoint defenders against 220 attack angles. Stacking more tools narrows your visibility differently than the marketing suggests. Here is the map.

Read research →