The read-only mode in mcp-server-kubernetes (20,000+ weekly npm downloads) ... doesn't actually restrict anything.
Neither do the other two access control modes.
CVE-2026-46519, CVSS 8.8 🧵
Francisco Rosales (@0xmagic0) of @Manifold_ai_sec found and reported the vulnerability.
Fixed in v3.6.0.
The filtering logic already existed. It just wasn't being called in both places. Update now.
This was an unauthenticated BAC vulnerability exposing, among many things, internal data. It was rated 9+ CVSS.
Sometimes the most impactful findings aren't the flashiest, just knowing where to look and what to test for.
#bugbounty #cybersecurity
This was a massive PII disclosure vulnerability. Records dating years back. A missing access control check sitting in front of the PII of every single customer on the site. This was a huge enterprise.
#bugbounty #cybersecurity #appsec #infosec
Another platform, another critical.
A while ago I did the Android security course by @hextreeio. Great course. I picked a program with a mobile app and started digging.
After some testing, I found a Critical vulnerability.
#bugbounty #cybersecurity #mobilesecurity
Today I'm open-sourcing agent2shell, a single Go binary that bridges reverse shells and AI agents. It catches reverse shells over TCP and exposes them as structured APIs via Unix sockets. Your AI agent just runs CLI commands:
▸ agent2shell run whoami
https://t.co/RyypQE6p8O
This was a couple of months back. I wanted to test a target running an AI system and find a vulnerability in it.
This was a data exfiltration (PII) leveraging prompt injection.
#bugbounty
@ctbbpodcast I built a tool for this. Instead of tmux send-keys + capture-pane, the AI agent runs agent2shell run "command" and gets the output back https://t.co/RyypQE6p8O