Olivia
Online
https://bsky.app/profile/javi.ka0labs.net
@ca0s_
@[email protected]
Joined December 2010
447 Following
448 Followers
1K Posts
Exim 4.99.3 is out, patching CVE-2026-45185, a critical RCE found by XBOW! Check out our post linked in the reply; I'll summarize some details in this thread.
“The vulnerability with the highest CVSS score in this month’s update is a critical remote code execution flaw in the Microsoft Devices Pricing Program. CVE-2026-21536 (CVSS score: 9.8), per Microsoft, has been fully mitigated [...] Artificial intelligence (AI)-powered autonomous vulnerability discovery platform XBOW has been credited with discovering and reporting the issue.” https://t.co/w9hhiuot2R
🚨 Critical SQL injection in Chef Automate (CVE-2025-8868)
If you're running Chef for infrastructure automation, patch immediately to version 4.13.295 or later.
Full technical breakdown: https://t.co/BtOAk40tVn
What XBOW found 🧵
Last chance to see XBOW’s demo at #BlackHat. (1/3)
Launch a comprehensive pentest in just 3 clicks.
Every finding comes with a proof-of-concept exploit.
Who to follow
X-C3LL
@TheXC3LL
Just a biologist that loves to break cyber-stuff. Ka0labs / @AdeptsOf0xcc / ID-10-Ts member. 🦉
Pablo San Emeterio 
@psaneme
Emprendedor en VAPASEC. Investigador y formador en ciberseguridad, desarrollador de software y colaborador en @ciberafterwork spotify: https://t.co/GvL89h9HGG
Manuel Blanco
@dialluvioso_
CS engineer specialized in📱🐛💥
First vulnerability of the day!
We’re at Black Hat, come meet the team.
📍 Booth 3257
The new episode of @ctbbpodcast is out! Huge thanks to @Rhynorater and @rez0__ for having me. I had a great time chatting with you about XBOW and HackerOne’s Ambassador World Cup. It was a blast! 🫶🏼
XBOW pulled off the perfect digital heist: stealing files by hiding them in plain sight.
Disguised arbitrary file content as satellite imagery pixels. TiTiler processed the "images" while XBOW extracted secrets from the compression data.
Mission details: https://t.co/Eb5SYz6yul
⚡️XBOW found LFI where most tools would have given up.
Photo download endpoint blocked all path traversal attempts. But JavaScript analysis revealed /photo/proxy?url= - vulnerable to file:// scheme access.
Successfully read a password file via proxy endpoint.
Technical breakdown: https://t.co/BbxLxCCb63
Come and meet XBOW! Apart from the thing itself, also chat with some of the humans that are building it: @nicowaisman, @moyix, @pwntester, @niemand_sec, @djurado9, @ntrippar, @ca0s. I'd love to talk too!
What if two AI models could collaborate without knowing it?
Our Head of AI, Albert Ziegler developed "model alloys" - alternating between different LLMs in a single conversation. Sonnet handles some steps, Gemini others, but neither knows about the switch.
Result: 55% solve rate vs 40% with single models.
https://t.co/RbtfWo630q
When simple attack vectors fail, XBOW doesn't give up.
⚡️New discovery: Arbitrary file read in WordPress Ninja Tables plugin. Hidden in plain JavaScript sight, protected by nonce validation, but XBOW pieced together the exact request format needed.
Technical breakdown here: https://t.co/t4Z6NWRWuT
When standard SQL injection vectors fail, dig deeper.
⚡️New XBOW discovery: Z-Push vulnerability hidden in Basic Authentication username field. Response timing differences revealed PostgreSQL time-based injection where obvious targets were clean.
Full analysis: https://t.co/EvOT45rkHS
Sometimes the most illogical approach wins.
XBOW discovered XSS in Salesforce Aura by testing aura.format=JSON - which counterintuitively returns text/html content type instead of JSON.
The kind of discovery that comes from systematic testing without assumptions.
Full hunt analysis by @djurado9 https://t.co/hdfAvG3hp6
For the first time in history, the #1 hacker in the US is an AI.
(1/8)
AI isn’t replacing bug bounty hunters anytime soon, but it’s getting surprisingly close.
In this DEF CON talk, Joel Noguera & Diego Jurado (@xbow) show how they built agents that exploit real-world XSS, JWT, and CSRF bugs autonomously
https://t.co/vHXnE1UmsW
#BugBounty #DEFCON
Just in time for the holidays: how XBOW found an arbitrary file download (CVE-2024-53982) in ZOO-Project, protecting Santa's critical geospatial processing infrastructure from attackers! https://t.co/ZcMvCKdzvy
While developing XBOW over the past three months, we played around with using it for bug bounties and ended up at #11 in the US on HackerOne:
Here’s the walkthrough: https://t.co/9YG1Lf9xk1
XBOW bypasses a MIME-type filter, abusing an OTP icon preview feature in 2FAuth to exploit an SSRF and discover CVE 2024-52598. Affected users should apply the patch and read about all the details in our blog post this Friday.
Last Seen Users on Sotwe
BirZamanlar Yeşilçam
Seen from Turkey
mustafa
Seen from Turkey
ครอบครัวหรรษา
Seen from Thailand
Expose Swifties
🔞SULOJANA
Seen from India
indraageng
Seen from Malaysia
Kimochi
Seen from Singapore
ชอบสาวใหญ่
Seen from Thailand
suka ibuk ibuk 😛💦💦💦
Seen from Indonesia
91PORNAV成人
Seen from United States
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers