Sun, 24 May 2026 - infosec
Did you also notice a repeating pattern with AI security reports lately? The attack chain just assumes a
pre-existing breach, then continues to frame normal and expected behavior as a security issue.
Some examples that were actually reported to me in the past:
- A web application serves static files from …
Sat, 14 Mar 2026 - Python, infosec, CVE
The 'multipart' Python library got an independent security audit, and I only know about that because they
found something -> CVE-2026-28356
This is great, actually! Someone looked into it so thoroughly that they found an obscure single-character
issue in a regular expression ... and didn't find anything else! Which means I can …
Sun, 17 Nov 2024 - Python, infosec, CVE
A while ago I found CVE-2024-47874 in starlette (and FastAPI). The same issue is also present in litestar
and I reported that as CVE-2024-52581 (CVSSv4 8.7). The reaction time from the team was very quick this
time and a fix was published in less than a week. A new …
Fri, 25 Oct 2024 - Python, infosec, CVE
Werkzeug is a Web Server Gateway Interface (WSGI) library used to develop Python web applications or
frameworks. Applications using werkzeug.formparser.MultiPartParser to parse multipart/form-data requests
(e.g. all Flask and Quart applications) were vulnerable to resource exhaustion (denial of service)
attacks. A specifically crafted form submission request could …
Tue, 15 Oct 2024 - Python, infosec, CVE
I'm finally allowed to speak about this nice little DoS vulnerability I found in starlette (and FastAPI).
The FastAPI devs published an update 3 days
before the security release of Starlette that widened …
Sat, 03 Feb 2024 - infosec
Digging through the most popular password 'leak' compilations for a side project and it's >90% fake.
Only a tiny fraction of those passwords may have been used by a human at some point, the rest is
computer-generated junk. Even the real passwords are probably stolen from other leaks.
The reason …