One credential has 14 names because three standards bodies and a marketing coalition all held authority to name it and none held authority to stop. The passkey vocabulary mess is a governance problem, not a spelling one.
A ROLE_TEAMLEAD user in Kimai 2.56.0 could set systemAccount:true on their own profile through the user API and disappear from every billing report, every user dropdown, and every teammate's view. One missing permission check. Patched in 2.57.0, credit in the release notes.
CVE-2026-31431 is a logic bug in the Linux kernel's crypto API that gives any local user root through a 732-byte Python script. No race conditions, no kernel offsets, no recompilation. Same script, every distro, every time. It's been sitting there for nine years.
Five CVEs disclosed in Tryton ERP through responsible disclosure -- stored XSS that escalates to unauthenticated via email, access control bypasses on data exports, and stack traces handed to any logged-in user. All patched, all basic, all in production for years.
Anthropic caught three Chinese AI labs running coordinated model distillation attacks at scale—24,000 fraudulent accounts, 16 million stolen exchanges, and capabilities extraction targeting AI safety research and censorship circumvention. The AI cold war just went hot.
CVE-2025-23266 (NVIDIAScape) lets you escape Docker containers and get root on the host with a 3-line Dockerfile. Affects NVIDIA Container Toolkit used by 37% of cloud environments. Plus runc CVEs that break Kubernetes isolation.
Trust Wallet's browser extension got backdoored via supply chain attack on Christmas Eve. Attackers pushed malicious code to production that drained $7M in user funds. Binance-owned wallet, developer negligence, APT-level execution.
A victim loses $50 million USDT to an address poisoning attack because wallet developers can't be bothered to implement basic checksum validation. I demonstrate how trivial it is to generate matching addresses.
React Server Components gets absolutely demolished by CVE-2025-55182. I demonstrate root RCE because apparently Meta's security team forgot about input validation.