Предраг Цујановић / Predrag Cujanović @cujanovic
Life is like spaghetti. It's hard until you make it. No stresso, no stresso, it's gonna be espresso. github.com/cujanovic http://127.0.0.1 Joined February 2010
14K Tweets 2K Followers 100 Following 10K Likes
Introducing HTTP/2 Bomb: a remote DoS in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single client pins 32GB of server memory in 10s. Found by Codex. Blog post: blog.calif.io/p/codex-discov… PoCs: github.com/califio/public…
It has been straight exploit after exploit. Meta has given AI so much power to take over any account & claim any possible username. We still have not received any public announcement in regards to these exploits and breaches. @instagram @Meta Please stop relying on AI for this
🚨 Possible new Instagram exploit is currently making its rounds, separate from the one yesterday. h/t: TG Feds
Here's the PoC for Nginx CVE-2026-42945 which works against vanilla Ubuntu (and any other distro?) + Nginx with ASLR enabled. I have included all iterations of the PoC the LLM was kicked to improve.
TL;DR: We can use an LFI/file-read primitive to leak enough details from /proc/
Our security research team discovered a pre-authentication arbitrary file read as root in cPanel (CVE-2026-29205) — a path traversal in cpdavd that we made exploitable by abusing Dovecot's + alias handling to create attacker-controlled directory names on disk. We've updated cpanel2shell-scanner to cover both issues. Writeup and tool in replies. 👇
🚨 CVE-2026-44578 — Next.js WebSocket SSRF
Built a scanner + interactive exploit shell. AWS credentials exfiltrated in 3 steps:
[1/3] Cloud auto-detect → AWS confirmed
[2/3] IAM role found: profile
[3/3] 🎯 AccessKeyId + SecretKey + Token
✅ Pipeline ready: subfinder | httpx | nextssrf
✅ Zero dependencies (stdlib only)
✅ Interactive shell with auto IAM chain
Affected: Next.js 13.4.13 → 15.5.15
Fixed: 15.5.16 / 16.2.5 (self-hosted only)
🔗 github.com/ynsmroztas/nex… #BugBounty #infosec #RedTeam #AppSec #BugBountytip #BugBountytips #infosec #recon
cPanel's latest patch (11.134.0.26) for the pre-auth arbitrary file read issue (CVE-2026-29205) is incomplete. We made the call to not publish our research until a working patch is released. We are in touch with WebPro's security team.
NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you may be impacted! Please update your NGINX or change the config to mitigate it. Read more at depthfirst.com/nginx-rift
Reported another cPanel critical pre-authentication vuln. Our research dates back to early April, but this exploit chain does not seem to be exploited in the wild, unlike our collision with a threat actor for the auth bypass. We'll publish details once a patch is avail.
💥 Introducing "Dirty Frag" A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: dirtyfrag.io
Same script. Ubuntu, Amazon Linux, RHEL, SUSE — four root shells, side by side. No per-distro tuning. No race window. No kernel offsets to leak. Most Linux LPEs need at least one of those. This one needs none.
> be two researchers at wiz > download github enterprise server (same code as github but runs locally) > reverse-engineer the binaries with ai > find that git push -o strings go straight into an internal header > type a semicolon > inject a fake git hook > rce as the git service user > find an enterprise-mode flag gating hooks on github. it's also injectable > type another semicolon > rce on github itself > land on a shared node holding millions of private repos > read someone else's repo > get access to millions of private repos belonging to other users and orgs > github patches the same day, en urgence
🚨 According to sample data we received from the Vercel breach, Vercel's CEO Guillermo Rauch was last seen on March 3, 2026. Who is running the company? The threat actor told us Vercel's security was poor, and consistent with Vercel's own disclosure, a senior engineer authenticated with a fake third-party AI tool via its Google Workspace OAuth app. - The breach appears to have started or ended on April 12, 2026 - We were sent records of all employees...
To check if your Google Workspace has been compromised by the same tool that compromised Vercel:
1. Go to admin.google.com/ac/owl/list?ta… - This is Google Admin Console > Security > Access and Data Control > API Controls > Manage app access > Accessed Apps
2. Filter by ID = …v79i7bbvqj.apps.googleusercontent.com - This is the ID of the compromised OAuth app
If you see an app after filtering, you have potentially been compromised
There is now a write-up on infostealers.com, apparently based on Hudson Rock data, that adds more detail to the #Vercel breach Many will focus on the Lumma stealer infection and the Roblox download. Okay. That matters too. But for me, the bigger failure came after that … Infections happen - always. The real question is what one infected machine can reach afterwards. If one compromised path was enough to expose access to Google Workspace, Supabase, Datadog, Authkit and Vercel-related admin resources, then the problem was not just the infostealer. The problem was too much access, weak separation, missing limits and security monitoring that failed to highlight highly suspicious activity on that account The mantra should be: “assume compromise” infostealers.com/article/breaki…
Technical report released: The AI-Assisted Breach of Mexico’s Government Infrastructure gambit.security/blog-post/a-si…
Everyone is looking for XSS in PDF generators and SSR bots, but they are missing the actual architectural nightmare: Headless Context Bleed (HCB). Opening a new "incognito" tab in Puppeteer doesn't isolate everything. A thread on how shared state in backend browsers is the next massive attack surface. 🧵👇
This week in security:
- LiteLLM, backdoored release exfiltrating secrets
- Axios, supply chain malware via dependency
- Railway, CDN caching leaked user data
- OpenAI Codex, command injection via GitHub branch names
- Mercor 1TB data leak
- Delve, data leak + compliance risk
infra is the attack surface now
Filip Dragovic @filip_dragovic
7K Followers 1K Following My research unless stated otherwise. My opinions are my own and do not represent the views of my employer. Red Team @MDSecLabs
Ivan Marković 🌎 ... @ivanmarkovicsec
3K Followers 2K Following Never apologize for being correct, or for being ahead of time. If you’re right, speak your mind. Even if you're a minority of one, the truth is still the truth.
Nikola Jovanović @PeckoPivo
20K Followers 4K Following HR Consulting & Research, Digital Learning, Social Entrepreneurship | Informer, conspirator, shameful hyena, vagabond, hates and isn't much of a man, latent Chetnik
Ivanhoe @ivanhoe011
2K Followers 1K Following web dev at day, jack(ass) of all trades the rest of the time - hammering on the ones and zeros back since Netscape was still a thing... @[email protected]
overused @bashgrylls
828 Followers 1K Following Security guy with SysAdmin & DevOps background; MTB enthusiast @Ciklogen; Activist @cryptopartyrs, @hklbgd, @LiBRE_magazin, https://t.co/BChyfjy6qQ, https://t.co/lTIsiRXNZf
Blokader iz Srema @pera_vampir
101K Followers 2K Following I'm here just for fun; do not take this profile seriously under any circumstances. (!) A media outlet that cooperates with whoever pays more. PR of Brigadier General Mojte Gadjoa
Miloš @milos_rs_
2K Followers 283 Following Information security, privacy and related topics from the world of information technology, with a focus on the Ex-YU region // Ex-YU infosec topics, mostly in Serbian
Pethuraj M @Pethuraj
5K Followers 208 Following Cyber Security Specialist | eWPTXv2 | Security Researcher 👁️⃤ 👨🏻💻 Connect with me on LinkedIn: https://t.co/vnFipcURMo
AgapeDork @agapedork
34 Followers 295 Following Christian. Security Researcher trying to perform novel research. My other computer is your computer
casandra wolldab @wolldab32279
0 Followers 1 Following
Ismail Arabi @IsmailArabi18
73 Followers 2K Following
Froehverl @froehverl
3 Followers 249 Following
Jelena Babic @JelenaBabi93851
895 Followers 2K Following
Bozidar @BozidarCojbasic
0 Followers 71 Following
Raj @rajmridha72
0 Followers 39 Following Security researcher | Bug Bounty hunter Hacker in ❤️, Admin of Indian Black-hat hacker at ... @Hacker0x01 @intigriti @bugcrowd
Милош Довед... @dovedan94
0 Followers 333 Following
@404TamimNotFound @mansuri_tamim
13 Followers 330 Following 👾 Bug Bounty | Cybersecurity | Web App Exploiter ❄️ Also known as 0xFrostSyn
A Link between Nets @linkbetweennets
28 Followers 1K Following Student of the dark arts, mapping malware's malicious magic, connecting to your subnet and interested in all things Cyber
Agent @Agen7t
39 Followers 1K Following
Nemanja @nemanjan00
1K Followers 986 Following YT7OP - Electronics,RF and drones enthusiast Software development, DevOps and Security professional
Haany @haanynooh
9 Followers 767 Following
Ahmed Zerroud @AhmedZerroud
7 Followers 498 Following
Nikdonttweet @nikdonttweet
6 Followers 397 Following
rainy @rainy9784
3 Followers 148 Following
mango 🥭 @Jaljeera_Paani
12 Followers 271 Following
0xPalik @0xPalik
7 Followers 184 Following
M.Farhan Awan @mrfarhanawan
75 Followers 774 Following
youssef @genieyou
595 Followers 1K Following all i know is i don't know anything | can do ping command ;)
Zan Nitx @Thet808181
18 Followers 1K Following
Spare Khatu @accou49431
11 Followers 265 Following Coding aficionado and tech enthusiast. Passionate about creating software solutions that drive innovation. Let’s dive into the world of coding and explore
Samuel dun @Dunkk007
4 Followers 152 Following
John Doe @DoeJohndoe99991
0 Followers 149 Following
beekeeper @milos_beekeeper
2 Followers 21 Following
Sadik Mahmud @sadik0x01
59 Followers 2K Following Kill me or love me it's your choice but I'll shine again
SanDra @sandraket23231
46 Followers 2K Following
v1nd1c7 @v1nd1c7
81 Followers 541 Following Red Team | Security Researcher | Bug Bounty Hunter | Captain @ layer9 ctf team
travica.curvy.name @lazartravica
921 Followers 1K Following The only thing I love more than privacy and protocols are privacy protocols. Technical co-founder @0xcurvy
doxx @cikadoxon
1 Followers 53 Following
James krauss @jimmy77alexis
0 Followers 15 Following
BugzBunny666 @BugzBunny_666
0 Followers 105 Following
vx-underground @vxunderground
439K Followers 361 Following The largest collection of malware source code, samples, and papers on the internet. Password: infected
chompie @chompie1337
89K Followers 1K Following hacker, exploit developer/weird machine mechanic head of X-Force Offensive Research (XOR) @IBM
Leandro Barragan @lean0x2f
3K Followers 393 Following Offensive Security Researcher @XBOW | A.K.A. none_of_the_above | https://t.co/zhzGBvicK7 | https://t.co/XyZBK7PHlW
XBOW @Xbow
12K Followers 13 Following Bringing AI to offensive security by autonomously finding and exploiting web vulnerabilities. https://t.co/D5Mco1tAKe
Hisxo @adrien_jeanneau
9K Followers 1K Following 📍 @yeswehack (aka Hisxo) - I love to break things (and I'm paid for that) - Bug Hunter 🔗 Check my Github repository https://t.co/Sj3prhiZyu #BugBounty
Ivan Bjelajac 🔭 @instantfinality
7K Followers 2K Following CEO @buildonparasol | working on extending @Solana and ICM | ex @TenderlyApp, @0xPolygon Edge and @GoDaddy/@ManageWP.
Kévin GERVOT (Mizu) @kevin_mizu
7K Followers 783 Following Vulnerabilty researcher at @assetnote 🐛 | DOMLogger++ developer 👨🏻💻 | CTF with @FlatNetworkOrg, @rhackgondins 🦦 | @ECSC_TeamFrance 2023 🇫🇷
publiclyDisclosed @disclosedh1
68K Followers 2 Following This is an unofficial HackerOne public disclosure watcher who keeps you up to date about the recently disclosed bugs. By @NOBBD
Rahul Maini @iamnoooob
15K Followers 2K Following Research at @httpvoid0x2f @HacktronAI, before @pdiscoveryio
Pentester Land @PentesterLand
32K Followers 822 Following
Гето са мал... @javnirizik
3K Followers 3K Following I don't have a particularly high opinion of humanity, but one monster will not be its judge. Гандор
BleepingComputer @BleepinComputer
254K Followers 206 Following Breaking cybersecurity and technology news, guides, and tutorials that help you get the most from your computer. DMs are open, so send us those tips!
ph0r3nsic 🕷️ @ph0r3nsic
476 Followers 677 Following Founder @DeepLookLabs | OSWE | Offensive Security Bug Hunter 🎯 · HackerOne · Intigriti · Bugcrowd
Georgije Vukov @vuk0v
167 Followers 3K Following
Tuta @TutaPrivacy
120K Followers 26K Following Tuta is secure email, calendar & drive service with quantum-safe encryption. Open-source & forever free. Visit us 👉 https://t.co/KgiAsFMp6x Need help? @TutaSupport
SOS Intelligence @SOSIntel
20K Followers 2K Following Dark Web Intelligence. We find what's been stolen before it's weaponised. https://t.co/aQgEdlJVPl
Nev @NevenaSofranic
1K Followers 1K Following 2x Founder | Growing your tech teams since 2015 @omnesgroup |
SeeBeen 🦔 @TheSeeBeen
1K Followers 372 Following God of WP (retired). Plasterer, painter, construction worker in general. I fuck good because I can't afford therapy.
Emil Lerner @emil_lerner
3K Followers 390 Following Independent security researcher. CTO & co-founder of https://t.co/F296lUgKA8. Bushwhackers CTF team.
Mohammed Diaa @mhmdiaa
1K Followers 963 Following Build things, break things, build things that break things
Branko Djurkovic @plagosus
10K Followers 3K Following A Serb in Berlin... Software Engineer, blogger, videographer, racecar driver... #pumpaj
Igor Gašparević @Gasparevic
2K Followers 2K Following Enthusiast who love all things that go fast and smell of hot oil.
Random Robbie @Random_Robbie
16K Followers 6K Following Hunting vulns. Exploits are real. Opinions are yours. Blame yourself, not me. Anything posted here is on you not me. #LFC
Catalin Cimpanu @campuscodi
106K Followers 2K Following Cybersecurity reporter. I'm mostly active on BlueSky and Mastodon.
Michele Romano @Mik317_
4K Followers 2K Following "The walls of Sparta are the chests of its warriors" - Agesilao
streaak @streaak
7K Followers 782 Following BBAC kidnapped me | I hack things, play video games and occasionally take photographs
nilØx42 🚫 @nil0x42
3K Followers 613 Following Security researcher for 15+ years. Author of PhpSploit, Duplicut, GHRecon, DNSanity & BEURK RootKit. pŏl′ē-glŏt′ #pentest #OSINT.
✨_geeknik_//✨ @geeknik
20K Followers 7K Following Human Co-Founder & CTO⇢https://t.co/JDh2Hm96vA A mad scientist with a penchant for chaos. Fuzzing from kernelspace➠uncanny valley. Latest: CVE-2026-27477
jovic... @jovica
3K Followers 3K Following The world's #1 CISO who can install Gentoo and exit Vim in the same day! :: author, entrepreneur :: https://t.co/a7etvNYYvL
Tanya Janca | Shehack... @shehackspurple
50K Followers 2K Following Secure Coding Trainer, Best-selling author of Alice and Bob Learn Secure Coding & Alice and Bob Learn Application Security. #AppSec she/her 🌻
Nenad Jovanovic @shone_bate
2K Followers 246 Following How hard my life is, a short circuit every day ... electrician, lineman! PhD in Sustainable Energy Technologies and Strategies
wtm @wtm_offensi
3K Followers 976 Following Security researcher, bug bounty hunter, owner at Offensi. My opinions are those of my employer.
Sam Stepanyan @securestep9
7K Followers 4K Following @OWASPLondon Chapter Leader (#OWASP #OWASPLondon). OWASP Board Member. Application Security (#AppSec) Consultant. OWASP #Nettacker Project leader. #CISSP
Eusebiu Blindu @testalways
11K Followers 10K Following General stuff, tech, security, travel. testing. Movie extra in Borat, Bloodrayne. Puzzles, comments, opinions