Skip to main content

Research Blog

Vulnerability analysis, proof of concepts, and code reviews

Why Can't We Agree on What a Passkey Is?

One credential has 14 names because three standards bodies and a marketing coalition all held authority to name it and none held authority to stop. The passkey vocabulary mess is a governance problem, not a spelling one.

passkeyswebauthnfido2authenticationidentitystandards

One Boolean and You Vanish: A Mass Assignment Fix in Kimai

A ROLE_TEAMLEAD user in Kimai 2.56.0 could set systemAccount:true on their own profile through the user API and disappear from every billing report, every user dropdown, and every teammate's view. One missing permission check. Patched in 2.57.0, credit in the release notes.

kimaimass-assignmentcwe-915access-controlresponsible-disclosureweb-security

732 Bytes to Root: Copy Fail Just Broke Every Linux Distro Since 2017

CVE-2026-31431 is a logic bug in the Linux kernel's crypto API that gives any local user root through a 732-byte Python script. No race conditions, no kernel offsets, no recompilation. Same script, every distro, every time. It's been sitting there for nine years.

linuxkernellpeprivilege-escalationaf-algcve-2026-31431page-cachecontainer-escape

Five CVEs in Tryton ERP: Stored XSS, Broken Access Controls, and Server Info Leaks

Five CVEs disclosed in Tryton ERP through responsible disclosure -- stored XSS that escalates to unauthenticated via email, access control bypasses on data exports, and stack traces handed to any logged-in user. All patched, all basic, all in production for years.

xsserptrytoncve-2025-66420cve-2025-66421cve-2025-66422access-control

Trust Wallet's $7M Christmas Gift to Hackers: A Supply Chain Masterclass

Trust Wallet's browser extension got backdoored via supply chain attack on Christmas Eve. Attackers pushed malicious code to production that drained $7M in user funds. Binance-owned wallet, developer negligence, APT-level execution.

supply-chaintrust-walletaptcryptocurrencybrowser-extension