At Pwn2Own Berlin 2026, researchers demonstrated a working VM escape in VMware ESXi. No CVE. No patch. The disclosure clock has started.
On July 16, Joseph Combs of @vali_cyber breaks down what happened, what it means for VMware environments, and the practical steps teams can take while the disclosure process continues.
Register here: https://t.co/3dSssrZizF
Today we're launching https://t.co/7C21vf5hmL
It gives any AI agent ready-to-use security context for thousands of open source projects, built from each project's commit history of security fixes and its disclosed CVEs.
Useful whether your agent is writing code or reviewing it for bugs. Free, no auth, over MCP and API.
Everyone said this was impossible.
ClickHouse is a massive multi-threaded engine. Porting it to WebAssembly — a single-threaded runtime — was supposed to be a non-starter. Every AI we asked told us the same thing: can't be done.
But years of working on this engine gave me a different intuition. From first principles, there was no fundamental barrier. Just a hard problem that everyone had assumed away.
So we pointed AI at it — refactor, regress, repeat — instead of taking "impossible" for an answer.
The result: https://t.co/OgmJ09qJpC
A full ClickHouse OLAP engine, running entirely in your browser tab. No server. Query local files and S3 Parquet in-process.
Huge thanks to @wudidapaopao for the relentless work that made it real.
AI attackers have terrible OPSEC.
Use it against them.
Hallucinate exposed services. Waste their tokens. Seed prompt-injection traps, canaries, and honeytokens where attacker LLM will read them.
Have fun.
.@obsdmd asked us to audit their Sync protocol. Our engineers delivered eleven findings.
Five went above and beyond the original scope and found system-level issues that weren't specific to Sync itself.
We see this pattern often with our clients. We respect scope as a delivery contract, but we have a professional obligation to surface what our engineers see.
Anything they catch is flagged, and the client decides what to do. When a finding warrants it, the report includes an Exploit Scenario, the path from observation to working exploit. We take an attacker's mindset, and exploit scenarios show our clients what a bug costs them.
With security-first teams like Obsidian, that meant five system-level findings that were either patched or explicitly acknowledged:
1. Math.random used for password and salt generation (High severity, medium difficulty)
2. Variable-time comparison of password-reset tokens and MFA recovery codes (High severity, high difficulty)
3. TOTP codes replayable within the validity window (High severity, high difficulty)
4. Plaintext storage of MFA secrets and recovery codes (High severity, medium difficulty)
5. Password reset without MFA (Medium severity, medium difficulty)
Wild to see every VC funded and publicly traded tech company rebrand to being an AI company
Paging company —> the platform for AI-first operations
CDN —> AI Cloud
Helpdesk software —> AI-powered helpdesk platform
o11y —> AI-powered intelligent o11y
Everywhere…
To exploit this to RCE you need:
1. ASLR disabled (or some way to leak info)
2. The nginx server configuration to have a "set" + "rewrite" directives. The rewrite has to have '?' in its replacement rule (second arg)
So the attack surface is probably much less than what it seems.
Nice finding and the part about the exploitation is also great, I recommend reading the blog.
NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you maybe impacted! Please update your NGINX or change the config to mitigate it. Read more at https://t.co/KeoblrGL24
Tomorrow, we’re releasing the full technical walkthrough for CVE-2026-5865, a chrome v8 0-day found by our AI security agent "Vega".
More Linux kernel and Chrome 0-day writeups are coming later this month. Stay tuned, and follow our bug list for updates: https://t.co/LwY1bd6T6P
This is my first Linux kernel exploit for Google kCTF, and the patch commit is now public: https://t.co/PAtEnUXjpF
Actually, this bug was found by AI while analyzing 1-day variants, I'd like to share my approach for these AI things to find bug, and exploitation write-up later.
LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy.
So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it?
We benchmarked Claude Opus 4.6 against the Tigress obfuscator across 20 targets first, to map its strengths and failure modes. 40% solve rate. Phase 3 multi-layer combos hit 0%, with cost explosions that killed the runs.
Then we ran a dev/test/refine loop to build 3 purpose-built obfuscation variants targeting the same crackme, iterating directly against the model's known weaknesses.
The finding: LLM-targeted obfuscation is fast and cheap to develop. Context windows, budget caps, and shortcut biases are all exploitable attack surfaces.
The arms race just shifted.
Chinese LLMs can hack better than state-sponsored hackers with properly evolved harness -
Kimi K2.5 managed to find and exploit 6 vulnerabilities in browsers: a single page view or an extension install by victims equal full system hijack.
Check https://t.co/d0SZSf1KqF
Cool exploit with @_0x999:
He found that \x7F breaks Chrome's "Copy as cURL (cmd)" command parsing in Windows Console Host. In combination with a ", it allowed you to add any arguments to curl.
With -o writing files is easy, but we need the username for the startup path... (1/2)
Mozilla says Mythos helped identify 271 vulnerabilities in Firefox 150.
I went through the commits, CVEs, and bug links to see what that number really means.
My takeaway: relax folks.
https://t.co/9LEqL7sXX6
The RCE I've found in LiteLLM (https://t.co/4HusyqaW4E) is a nice example of how AI agents can speed up security research. The issue was found during a project with high time constraints by me manually. So I had a Nemesis (@Persistent_Psi) backed AI agent do auto-triage and find a sandbox escape fully automated. After 20 minutes the job was done including a fully working exploit.
This highlights again that the time to exploit and exploit creation and generation is decreasing dramatically. On the upside, this means that hiding details on advisories or sneakily releasing silent patches for security issues became less effective!