# You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701) If you squint and look at the CISA KEV list, you might think it’s made up exclusively of vulnerabilities in file transfer solutions. While this would be wrong (and you shouldn’t squint, it’s bad […]

# BitLocker’s Little Secrets: The Undocumented FVE API The purpose of the BitLocker check I implemented in PrivescCheck is to determine whether the system drive is protected, and if so, whether two-factor authentication is configured (typically TPM+PIN). You’d think that it’s a simple thing to do, but it is not, […]

Recent attacks on open source focus on exfiltrating secrets; here are the prevention steps you can take today, plus a look at the security capabilities GitHub is working on. Over the past year, a new pattern has emerged in attacks on the open source supply chain. Attackers are focusing on […]

## TL;DR In January 2026, the Chrome Releases blog announced several security fixes across different Chrome components. One entry caught our attention: **CVE-2026-0899**, an Out-of-Bounds memory access in V8 discovered by @p1nky4745. Vulnerabilities in V8, especially OOB and Type Confusions are always interesting from a security research perspective. We decided […]

At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as **CVE-2026-3502** with a **CVSS score […]

# InfinitySix Stale TWAP Price Exploitation (BSC) Two compounding flaws in InfinitySix’s ( `$i6`) BSC staking contract were chained to extract **273,802 USDT** in block 89,703,286. The contract credits referral bonuses to a sponsor’s withdrawable balance immediately upon the referral’s `invest()` call; separately, its TWAP oracle enforces a 1-minute hard […]

# LML / APower Reward-Claim Price Manipulation On March 31, 2026 at 20:39:02 UTC, the attacker used flash-loaned capital on BNB Chain to manipulate the LML/USDT market, then batch-triggered reward claims for pre-seeded accounts through APower and immediately sold the resulting LML back into the distorted pool. The primary issue […]

# WhaleBit CES / IGT Staking Spot-Oracle Manipulation On March 31, 2026 at 22:56:21 UTC (Polygon block `84938872`), an attacker exploited WhaleBit’s unverified staking system through a **same-transaction spot-oracle manipulation** funded by a flash loan. The attacker EOA `0xe66b37de57b65691b9f4ac48de2c2b7be53c5c6f` used helper contract `0xb5a8d7a37d60aa662f4dc9b3ef4c32a3fe21fadf` to borrow `51,024.905390945780848543 CES`, run three batches […]

CVE-2026-3779 A use-after-free vulnerability exists in the way Foxit Reader handles an Array object. A specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the […]

AI assistants now handle some of the most sensitive data people own. Users discuss symptoms and medical history. They ask questions about taxes, debts, and personal finances, upload PDFs, contracts, lab results, and identity-rich documents that contain names, addresses, account details, and private records. That trust depends on a simple […]