Skip to content
research · 61 pieces

Research.

61 published pieces — original research, CVE technical writeups, and a reference taxonomy of AI security — across adversarial AI, prompt injection, agent security, kernel and container work.

all45ai security research16jailbreaking6prompt injection7infrastructure & appsec6per-cve writeups10

AI Security Research

2026-06-27
Reverse-Engineering Claude’s Memory Architecture From Inside the Sandbox
The binaries, protobuf schemas, TLS interception, encryption model, and a CWE-522 credential extraction chain — extracted live from inside the Claude code sandbox.
agent security
2026-06-15
SKILBin: AI Agent Skills as the New LOLBin
a malicious Claude skill harvests SSH, AWS, and Kubernetes credentials inside an Anthropic-signed process no EDR flags — the LOLBin for the agent era.
agent security
2026-05-18
Semantic-to-Metadata Smuggling in Multi-LoRA Routing Gateways
SHELL.003 — signal suppression at the multi-LoRA routing gateway as an unreviewed trust boundary.
prompt injection
2026-05-18
Indirect Injection Was Never Blind
the wire carries the tool call before the interface hides it — closed-loop indirect injection via the SSE wire.
prompt injection
2026-03-11
Self-Replicating Memory Worm: Persistent Injection with Autonomous Propagation
A single memory edit becomes an autonomous, self-replicating worm with credential harvesting and cross-service pivoting. See how it survives session resets.
8 min
2026-03-10
Adversarial Prompting: The Complete Technical Guide
Every adversarial prompting technique mapped from role hijacking to multi-turn escalation. Learn how attacks work, why defenses fail, and how to test them.
8 min
2026-03-04
Weaponized AI Supply Chain: How Threat Actors Turned LLMs Into Attack Infrastructure
89% increase in AI-enabled attacks. LLM-integrated malware, autonomous cyber espionage, and $1.1B in deepfake fraud. Explore the full offensive AI arsenal.
7 min
2026-03-01
MCP vs A2A Attack Surface: Every Trust Boundary Mapped
MCP has 40+ CVEs and real-world breaches while A2A has zero. Get the complete side-by-side attack surface comparison with defensive guidance for AI agents.
10 min
2026-02-26
The 30% Blind Spot: Why LLM Safety Judges Fail
LLM safety judges miss 63% of unsafe content. Built one, tested six iterations, 680+ responses. See why every major AI provider has this same blind spot.
10 min
2026-02-20
AI Breach Detection Gap: The Logs Are Clean. You're Not.
74% of organizations found AI breaches when they looked. Most are not looking. Discover why LLM attacks evade traditional security detection and what to do.
12 min
2026-02-20
LLM Red Teamer's Playbook: Diagnosing AI Defense Layers
Stop guessing which jailbreak works. A systematic, layered methodology for diagnosing LLM defense layers and selecting the right bypass technique each time.
22 min
2026-02-20
AATMF v3.1 vs MITRE ATLAS: Which AI Security Framework Wins?
MITRE ATLAS covers 66 techniques. AATMF v3.1 maps 240 techniques with 4,980+ prompts and quantitative risk scoring. Compare both frameworks and choose wisely.
7 min
2026-02-17
AI Coding Agent Attack Surface: A Full Taxonomy
AI coding agents trust code comments, README files, and MCP servers like humans trust authority. Explore the full attack surface taxonomy and defenses.
12 min
2026-02-13
Computational Countertransference: LLM Context Inheritance
LLMs adopt adversarial states from pasted transcripts. 13-month study reveals context inheritance as an architectural vulnerability in GPT-4o, Claude, Gemini.
10 min
2026-02-11
AI Gateway Threat Model: 8 Attack Vectors
First generalized AI gateway threat model covering 8 unmapped attack vectors. 91K attack sessions analyzed. Apply these AATMF TC-21 gateway defense tactics.
11 min
2026-02-11
Agentic AI Threat Landscape: Attack Vectors & Defenses
Full agentic AI threat landscape covering prompt injection, MCP tool poisoning, multi-agent infection, and memory poisoning. Learn why no single defense works.
18 min
2025-10-17
RAG, Agentic AI, and the New Attack Surface
RAG pipelines and agentic AI expand the LLM attack surface beyond prompts. How retrieval poisoning and tool autonomy create exploitable vulnerability classes.
9 min
2025-08-09
AI Social Engineering: Deepfake Voice Detection
How AI enables sophisticated social engineering through deepfake voices. Real-world attack cases, detection techniques, and organizational defense strategies.
4 min
2025-01-25
The Structural Vulnerabilities of Large Language Models
Tokenization evasion, parsing limit exploits, and alignment failure modes that break production LLMs. A full pipeline security report for AI deployments.
5 min
2024-06-08
Hidden Risks of AI: An Offensive Security Perspective
Emerging AI threat vectors analyzed from an offensive security lens. Shadow AI, supply chain poisoning, and blind spots that blue teams consistently miss.
4 min

Per-CVE Writeups

2026-01-01
CVE-2026-48782: pydantic-ai SSRF Blocklist Bypass
CVE-2026-48782 — pydantic-ai SSRF (incomplete fix): with force_download=allow-local on untrusted URL
cve
2026-01-01
CVE-2026-31899 — CairoSVG
CVE-2026-31899: Exponential DoS via recursive amplification in CairoSVG. CVSS 7.5 · High severity. D
cve
2026-01-01
CVE-2026-2717 — HTTP Headers
CVE-2026-2717: CRLF injection in HTTP Headers. CVSS 5.5 · Medium severity. Disclosure writeup, refer
cve
2026-01-01
CVE-2026-55528: PraisonAI AgentServer Missing Auth
CVE-2026-55528 — PraisonAI's AgentServer declares an auth_token but never enforces it, leaving every
cve
2026-01-01
CVE-2026-1314 — 3D FlipBook
CVE-2026-1314: Missing authentication in 3D FlipBook. CVSS 5.3 · Medium severity. Disclosure writeup
cve
2026-01-01
CVE-2026-55530: PraisonAI Arbitrary File Write
CVE-2026-55530 — PraisonAI's ast_grep_rewrite lacks the @require_approval gate, letting an agent ove
cve
2026-01-01
CVE-2026-0811 — Advanced CF7 DB
CVE-2026-0811: CSRF in Advanced CF7 DB. CVSS 5.4 · Medium severity. Disclosure writeup, references,
cve
2026-01-01
CVE-2026-3599 — Riaxe Product Customizer
CVE-2026-3599: SQL injection in Riaxe Product Customizer. CVSS 7.5 · High severity. Disclosure write
cve
2026-01-01
CVE-2026-3594 — Riaxe Product Customizer
CVE-2026-3594: Information disclosure in Riaxe Product Customizer. CVSS 5.3 · Medium severity. Discl
cve
2026-01-01
CVE-2026-45620 — WWBN/AVideo
CVE-2026-45620: Incomplete fix for CVE-2026-43881. CVSS —, Medium. Coordinated disclosure by Kai Aiz
cve
2026-01-01
CVE-2026-8368
CVE-2026-8368: Zero header strip on cross-host redirect. CVSS —, Medium. Coordinated disclosure by K
cve
2026-01-01
CVE-2026-46132: Linux Kernel net/rtnetlink
CVE-2026-46132 — uninitialized memory infoleak in the Linux kernel net/rtnetlink subsystem.
cve
2026-01-01
CVE-2026-45363 — jwt/ruby-jwt
CVE-2026-45363: Empty-key HMAC bypass. CVSS 7.4, High. Coordinated disclosure by Kai Aizen.
cve
2026-01-01
CVE-2026-47398: PraisonAI Code Injection via Unguarded
CVE-2026-47398 — PraisonAI: two unguarded spec.loader.exec_module call sites in agents_generator.
cve
2026-01-01
CVE-2026-46627: Twig Sandbox Resource Exhaustion
CVE-2026-46627 — the Twig sandbox restricts code and data access but not resource consumption. Untru
cve
2026-01-01
CVE-2026-3595 — Riaxe Product Customizer
CVE-2026-3595: Unauthenticated user deletion in Riaxe Product Customizer. CVSS 5.3 · Medium severity
cve
2026-01-01
CVE-2026-44217 — sse-channel (npm)
CVE-2026-44217: SSE injection — unsanitized fields. CVSS —, Medium. Coordinated disclosure by Kai Ai
cve
2026-01-01
CVE-2026-48022: @hapi/wreck Redirect Credential Leak
CVE-2026-48022 — @hapi/wreck strips credential headers on redirect but checks only the hostname, ign
cve
2026-01-01
CVE-2026-45619 — WWBN/AVideo
CVE-2026-45619: Incomplete fix for CVE-2026-43884 in WWBN/AVideo — isSSRFSafeURL() discards $resolve
cve
2026-01-01
CVE-2026-1313 — MimeTypes Link Icons
CVE-2026-1313: SSRF in MimeTypes Link Icons. CVSS 8.3 · High severity. Disclosure writeup, reference
cve
2026-01-01
CVE-2026-49853: Tornado Cross-Origin Auth Header Leak
CVE-2026-49853 — Tornado's SimpleAsyncHTTPClient leaked Authorization/Cookie headers across cross-or
cve
2026-01-01
CVE-2026-47393: PraisonAI API Server Auth Disabled by
CVE-2026-47393 — PraisonAI's API code generator creates Flask servers with authentication disabled b
cve
2026-01-01
CVE-2026-49353: 9router Local-Only Access Gate Bypass via
CVE-2026-49353 — 9router's local-only access gate can be bypassed by spoofing the Host header, expos
cve
2026-01-01
CVE-2026-0814 — Advanced CF7 DB
CVE-2026-0814: Missing authentication in Advanced CF7 DB. CVSS 4.3 · Medium severity. Disclosure wri
cve
2026-01-01
CVE-2026-48814: Network AI Empty Default Secret Authorizes
CVE-2026-48814 — Network AI ships with an empty default secret, and the authorization check treats t
cve
2026-01-01
CVE-2026-3596 — Riaxe Product Customizer
CVE-2026-3596: Privilege escalation in Riaxe Product Customizer. CVSS 9.8 · Critical severity. Discl
cve
2026-01-01
CVE-2026-43884 — WWBN/AVideo
CVE-2026-43884: SSRF — HTTP redirect & DNS rebinding bypass in WWBN/AVideo. CVSS 7.7 · High severity
cve
2026-01-01
CVE-2025-12030 | IDOR in ACF to REST API Plugin
CVE-2025-12030: Insecure Direct Object Reference in ACF to REST API WordPress plugin. Unauthorized data access via API manipulation. CVSS 4.3 Medium.
2 min
2026-01-01
CVE-2026-32809 | Symlink Resolution Bypass in ouch
CVE-2026-32809: Unvalidated symlink targets in ouch tar extraction enable arbitrary file read via crafted archives. Affects all tar formats. CVSS 7.4.
2 min
2026-01-01
CVE-2025-9776 | SQL Injection in CatFolders Plugin
CVE-2025-9776: Authenticated SQL Injection via CSV Import in CatFolders WordPress plugin. CVSS 6.5. Full technical analysis and remediation by Kai Aizen.
1 min
2026-01-01
CVE-2026-3288 | Config Injection in ingress-nginx rewrite-target
CVE-2026-3288: Configuration injection in ingress-nginx via rewrite-target annotation enables RCE and cluster-wide Secret disclosure. CVSS 8.8 High severity.
3 min
2026-01-01
CVE-2025-12163 | Stored XSS in OmniPress Plugin
CVE-2025-12163: Stored XSS in OmniPress WordPress plugin via author-level access. CVSS 6.4. Full technical analysis, PoC, and remediation by Kai Aizen.
1 min
2026-01-01
CVE-2025-11174 | Missing Auth in Document Library Lite
CVE-2025-11174: Missing authorization in Document Library Lite exposes sensitive data. CVSS 5.3. Full vulnerability analysis and remediation by Kai Aizen.
1 min
2026-01-01
CVE-2026-33693 | SSRF via Incomplete IP Validation in activitypub-federation-rust
CVE-2026-33693: SSRF bypass in activitypub-federation-rust via 0.0.0.0. Missing is_unspecified() check affects Lemmy and 6+ Fediverse projects. CVSS 6.5.
2 min
2026-01-01
CVE-2026-32885 | Path Traversal (ZipSlip) in ddev
CVE-2026-32885: ZipSlip path traversal in ddev local development tool. Malicious archives escape extraction directory via Untar/Unzip. CVSS 6.5 Medium.
2 min
2026-01-01
CVE-2025-11171 | Missing Auth in Chartify Plugin
CVE-2025-11171: Missing authentication for admin functions in Chartify WordPress plugin. CVSS 5.3. Full technical analysis and remediation by Kai Aizen.
1 min
2026-01-01
CVE-2026-1208 | CSRF to Settings Update in Friendly Functions for Welcart
CVE-2026-1208: CSRF in Friendly Functions for Welcart WordPress plugin enables unauthorized settings manipulation. CVSS 4.3. Full analysis by Kai Aizen.
2 min
featured
When the research listed below intersects with real vendor stacks, these are the CVEs that ship.

Flagship Disclosures.

Six writeups with dedicated quick-facts, FAQ, and references — for engineers landing here from a search for the CVE itself.

CVE-2026-3288
Kubernetes ingress-nginx — Config Injection via rewrite-target
8.8 · high
CVE-2026-30911
Apache Airflow Core — Missing Authorization on HITL endpoints
8.1 · high
CVE-2026-44840
Dgraph — Pre-auth DQL Injection
9.1 · crit
CVE-2026-43121
Linux kernel · io_uring/zcrx — Race → Double-free → OOB Write
4.7 · med
GHSA-j425-whc4-4jgc
OpenClaw — system.run env-override RCE
6.3 · med
CVE-2026-32794
Apache Airflow · Databricks — TLS Verification Bypass
— · pen