💥 Introducing "Januscape" (CVE-2026-53359)
A Guest-to-Host Escape in KVM/x86 exploiting a UAF in the shadow MMU. Triggerable on both Intel and AMD hosts. Threatens x86 public clouds (GCP, AWS) that expose nested virtualization.
"16 years" latent. Successfully used as a 0-day exploit in "Google kvmCTF".
To the best of public knowledge, the first KVM exploit research triggerable on both Intel and AMD.
Details: https://t.co/df5GPpVfeA
Fun story:
a self-hosted #Docker container manager, official image,standard config, docker.sock mounted exactly like every setup guide tells you to.
Preauth. RCE + confirmed container escape to host on default config... and still currently unpatched !
CVE-2026-58455 / CVSS 9.8.
Two bugs chained as "#0day" exploit:
1 - loader.php keeps processing after an auth redirect, no exit()
2 - ajax/compose.php feeds composePath straight into shell_exec()
RCE in the container -> straight out to the host through the socket the app needs to do its job 👌
"Container escapes are usually bad admin config", they say.
W00T ?
Here we have an official image, default docker-compose, zero tuning => Perfect counterexample !
So why this .gif clip ?
👉because this is genuinely that easy to reach+ it illustrates, one more time, why focusing on patch mgmt is a huge mistake in 2026 !
You said "0-day" exploit ?
Yep: No fix merged yet; the researcher's own patch (PR #135) was closed by the maintainer, folded into unrelated upcoming changes, *no ETA given*.
PoC and full chain withheld until an actual fix ships.
Not every exploited bug is patchable on day one.
> Assume breach is the mindset, not the panic button.
No public exploit does not mean not exploitable 🔥
+ Remember:
#Docker != secure, even with a team actively maintaining the product.
Advisory by @VulnCheckAI : https://t.co/OxEl2IEb4g
Credit: rayyb0t (https://t.co/DCTTkHePR5)
Since V8 had heap sandbox, Chrome renderer RCE usually means chaining 2 bugs
Today we bring the Spear of Longinus
1 bug, 100% success, no heap spray, found in 40+ major versions, arbitrary renderer read/write + V8 sandbox escape
Our CVE-2026-6307 writeup https://t.co/zPnCJ4y0R3
Every iPhone with an A12 or A13 chip - XS/XR, 11, 2020 SE - has an unpatchable SecureROM exploit. The root bug is in Synopsys’s USB controller, and is exploitable. Requires physical access. Solution: buy a new iPhone. https://t.co/xF1JIJrEke
Export controls? What's that?
https://t.co/THEgtkr4Ot
"Intended Use DeepSeek-V4-Fable is developed exclusively for defensive security research, authorized penetration testing, and red-team engagements within strictly defined scopes."
#RedTeamGo
Security auditor-enabling code-agent skill. The six-step pipeline—recon, hunting, validation, reporting, structured output, and independent verification—finds exploitable vulnerabilities with real impact using multiple parallel agents. In Build your own vulnerability harness, this skill seeded Cloudflare's vulnerability discovery harness. From this single-repo skill, the harness became fleet-wide and multi-stage
https://t.co/GxV1vwRwSG
The Squidbleed website is now live.
A dedicated hub for CVE-2026-47729, technical breakdowns, vulnerability research, and future updates.
Explore the story behind the 29-year-old bug.
https://t.co/kZBFm4Qzuf
A Calif Research Project. 🦑
UnCanny - Another new coercion primitive with LPE 0day - machine-account NTLM coercion from a non-admin user via Windows Store InstallService plugin resolution experiments https://t.co/9GaM85hcvs
It kind of got lost in the Claud hacking hubbub but we make a simple agent forensics tool that can assist with compromised AI investigations.
You can supertimeline full agent interaction from logs and add notes etc.
https://t.co/eXZr0iLEdp
Releasing leaklens, https://t.co/60v4hV1718 a secret scanner which combines katana from project discovery, titus from praetorian-inc team and js-leaks for automated secret scan on websites.
We sent Claude Mythos Preview spelunking through Squid’s guts, and it surfaced clutching a 29-year-old bug.
Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration.
Full story: https://t.co/xQLKqaSmTn
Here goes nginx-quicburst (CVE-2026-42530), a new RCE in Nginx discovered by our security agent VEGA and demonstrated by Nebula Security.
This is only the third NGINX vulnerability since 2014 to receive NGINX’s “major” severity rating. If you use Nginx 1.31 with QUIC enabled, we recommend upgrading to the latest version.
This bug has been patched in the latest Nginx release. We will publish the technical writeup, including the ASLR bypass, on July 18 together with the previous nginx-poolslip writeup.
BYOVD technique for obtaining Ring 0 privileges on Windows
Security researcher Rossario Matteo Grammatico (zer0matt) presented at Milan0day 2026 a practical use case of the BYOVD (Bring Your Own Vulnerable Driver) technique to invoke arbitrary Windows kernel functions with Ring 0 privileges.
At the core of the technique is the signed driver "ThrottleStop.sys" (CVE-2025-7771 -> (https://t.co/6dLcISH51w)). The driver calls "MmMapIoSpace" without validating the provided addresses, allowing any Ring 3 (user-mode) process to access physical kernel memory.
PT ID: PT-2025-32145
💣 What the PoC does:
🎯 Locates the virtual address of the "NtAddAtom" function in the kernel, which is directly accessible from user mode via "ntdll.dll"
🎯 Translates the virtual address to a physical address
🎯 Use IOCTL "0x8000649C" to overwrite the first instructions of "NtAddAtom" with shellcode
🔗 Article: https://t.co/F5YRzNGwKu
⚙️PoC: https://t.co/RmseVEKI0s
#dbugs_attacks