Voila- the results of OSTIF's security audit of Paramiko! Thanks to the contributions of Quarkslab and Alpha-Omega, this project received custom security work reviewing Paramiko’s testing, building and CI systems, and cryptography. Read about our work on the Python implementation of the SSHv2 protocol at our blog: https://lnkd.in/d5Jmejkw #OSTIF #quarkslab #OpenSSF #paramiko #opensource
Paramiko Security Audit Results by OSTIF
More Relevant Posts
-
Paramiko is a pure-Python implementation of SSHv2 and one of the most popular SSH solutions in the Python ecosystem. On behalf of the Open Source Technology Improvement Fund, Inc (OSTIF), we had the opportunity to conduct the first public security audit of Paramiko performed by an audit firm. Here's a summary of our findings and the full report 👉 https://lnkd.in/e2Qf49yk
-
🚨 High Risk Alert! CVE-2026-39987 is a critical pre-authentication remote code execution vulnerability in Marimo, a reactive Python notebook framework. An unauthenticated attacker can execute commands with the privileges of the Marimo process. This highlights the importance of API security and proper authentication mechanisms. Stay safe! #Marimo #APIsecurity #OWASP #CVE202639987 #authenticationfailure 🚨 https://lnkd.in/eNeGTTAB
-
🚨 High Risk Alert! 🚨 CVE-2026-39987 is a critical pre-authentication remote code execution vulnerability in Marimo, a reactive Python notebook framework. An unauthenticated attacker can execute commands with the privileges of the Marimo process. This highlights the importance of API security and proper authentication mechanisms. Stay safe! #Marimo #APIsecurity #OWASP #CVE202639987 #authenticationfailures https://lnkd.in/ejcwidVf
-
During a security audit of vLLM managed by Open Source Technology Improvement Fund, Inc (OSTIF), a bug was discovered through manual analysis by a senior security expert at X41 D-Sec GmbH. A lack of input sanitization on host header paths in Starlette leads to bypassing auth with a single character across a huge swath of Python LLM infrastructure. Update to Starlette 1.0.1 as soon as possible and read more about this vulnerability on https://badhost.org #OSTIF #BadHost #vLLM #X41DSec
-
It's good to see the one and only John Vandenberg back to hacking py2many after a break. Expect many good things to happen to the repo. If you've been watching this space, I've been making a number of arguments about why transpilers are even more relevant in the age of Agents. * Diffusion model of programming (Google with my name) * Verifiable code (Work done with python DBC + SMT2) * A new parser for Python (99.99% compatible, the other 0.01% makes it more compatible with Rust, Zig, vlang) There are probably more reasons. But most importantly, don't burn your tokens doing it the wrong way. Give your agent the right tool!
-
I’ve been diving deep into web application security and automated testing. To better understand how vulnerabilities are found and exploited, I built a lightweight Reflected XSS & Input-Sanitization Scanner using Python. I tested the scanner in a local safe-lab environment using XAMPP and DVWA (Damn Vulnerable Web Application). Key Features of the Tool: 🔍 Crawling: Dynamically parses pages using BeautifulSoup to map out forms, URL query strings, and input fields. 💉 Payload Injection: Automatically tests targeted inputs against common XSS and bypass vectors. 📊 Analysis & Reporting: Monitors HTTP responses to detect raw reflections and outputs vulnerable endpoints directly to a structured .txt report. Key Takeaways: Testing this across different security tiers showed me exactly why simple input "blacklisting" fails, and why robust, context-aware output encoding is essential for defense. Check out the code repository on my GitHub here: https://lnkd.in/dhbKke2u Disclaimer: This tool was built purely for educational purposes and was only executed against permitted local environments. #Cybersecurity #Python #ApplicationSecurity #AppSec #PenetrationTesting #GitHub #Coding #XSS Syntecxhub
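The "raw reflection" check and the blacklist-versus-encoding takeaway from the post above, as an added example that is not the poster's scanner. Instead of crawling DVWA it feeds tokenised probes through three constructed request handlers that stand in for the security tiers (no filtering, a literal-tag blacklist, HTML-escaping on output); the handler names, page template and payload list are all assumptions made for the illustration.

```python
"""Reflection classifier for a reflected-XSS scanner (added example, not the
original tool). The three handlers below are constructed stand-ins for a
target page; nothing here talks to a network."""
import html
import secrets

def make_probe(payload_template: str) -> tuple:
    """Embed a random token in the payload so that a hit cannot be a coincidence
    (static strings like <script>alert(1)</script> may already be on the page).
    Returns (token, payload)."""
    token = secrets.token_hex(4)
    return token, payload_template.format(token=token)

def classify_reflection(body: str, token: str, payload: str) -> str:
    """'raw'      : payload came back byte-for-byte -> exploitable
       'encoded'  : payload came back HTML-escaped -> safe in HTML body context
       'filtered' : token survived but the payload did not -> blacklist in play
       'absent'   : the input is not reflected at all"""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    if token in body:
        return "filtered"
    return "absent"

# --- constructed handlers standing in for the three security tiers ----------
PAGE = "<html><body><p>Hello {name}</p></body></html>"

def handler_none(name: str) -> str:
    """Tier 0: user input dropped straight into the HTML body."""
    return PAGE.format(name=name)

def handler_blacklist(name: str) -> str:
    """Tier 1: strips one literal tag; case variants and other tags get through."""
    cleaned = name.replace("<script>", "").replace("</script>", "")
    return PAGE.format(name=cleaned)

def handler_encode(name: str) -> str:
    """Tier 2: context-aware output encoding for an HTML text node."""
    return PAGE.format(name=html.escape(name, quote=True))

# Constructed payload templates; {token} is filled in by make_probe().
PAYLOADS = [
    "<script>alert('{token}')</script>",
    "<ScRiPt>alert('{token}')</ScRiPt>",
    "<img src=x onerror=alert('{token}')>",
]

def scan(handler) -> dict:
    """Run every payload through one handler; map template -> verdict."""
    results = {}
    for template in PAYLOADS:
        token, payload = make_probe(template)
        results[template] = classify_reflection(handler(payload), token, payload)
    return results

if __name__ == "__main__":
    for h in (handler_none, handler_blacklist, handler_encode):
        print(h.__name__, scan(h))
```

Against the blacklist handler the lowercase `<script>` probe is reported as `filtered`, while the mixed-case and `<img onerror>` probes are `raw`: the verdicts make the "blacklisting fails" point from the post directly visible. Only the encoding handler returns `encoded` for every probe.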
-
I recently started diving into GraphQL architecture and identified a common pitfall: how easily endpoints can be exploited via array-based resource exhaustion if they lack strict input validation. To better understand and test for this, I built a universal Python-based tester that measures response time degradation. I’ve added this to my new GitHub repository, alongside other PoCs for SQLi and CSRF that I've been working on. Check out the repo here: https://lnkd.in/gCqHT9_E #CyberSecurity #WebSecurity #Python #Engineering
-
Excited to announce the release of my research project: D-DES (Dynamic Data Encryption Standard) - Now live on PyPI! For the past few months, I have been deeply immersed in an independent research project that merges my passion for cybersecurity with software engineering. Today, I am thrilled to finally share my custom cryptographic library, ddes-dua-crypto, with the global developer community! D-DES is a modernized implementation of the classic Data Encryption Standard (DES). My research focused on addressing the vulnerabilities of static substitution by introducing: Dynamic S-Box: Replaced traditional static tables with a single, key-seeded dynamic 6x4 S-Box generation logic. CBC Mode and PKCS#7 Padding: Implemented industrial-grade data diffusion and robust handling for files of any arbitrary size. CLI and API Support: Engineered as both a standalone Command Line Interface tool and a versatile Python library for seamless integration. This journey taught me everything from bit-level permutations to the complexities of open-source distribution. It is a significant milestone in my path as a Cybersecurity researcher. You can install it now via pip: pip install ddes-dua-crypto Explore the source code and documentation on GitHub: https://lnkd.in/e8H2pAVQ I would love to hear your thoughts and feedback! #Cybersecurity #Cryptography #Python #OpenSource #ComputerScience #Research #WomenInTech #SoftwareEngineering #InfoSec
-
I set up a PreToolUse hook in Claude Code to block certain dangerous commands. It caught real stuff. Claude trying to cat my SSH keys, trying to dump env vars with API keys, trying to read its own credential store. But the hook catches patterns, not intent. Block rm -rf and Claude may respect your denial or it might try to evade. My hook blocked the rm -rf it was trying to execute, but when that didn't work, Claude wrote a Python script that called os.remove() instead. The hook never saw it. It worked. Speed bump, not a wall. Worth setting up and also worth knowing the limits. #agenticdevelopment #security #rbac
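A pattern-based PreToolUse guard of the kind described above, as an added example and not the poster's hook. It assumes the Claude Code hook contract (a JSON object on stdin carrying `tool_name` and `tool_input`, with `tool_input["command"]` for Bash, and exit status 2 to block the call with stderr shown to the model); the rule list and the `os.remove()` probe are constructed to show both the catch and the gap the post describes.

```python
"""PreToolUse guard that matches command text against deny patterns (added
example, not the original hook). Assumption: Claude Code sends the tool call as
JSON on stdin and treats exit status 2 as a block."""
import json
import re
import sys
from typing import Optional

# Deny rules: (name, compiled regex). Each one matches text, not intent.
DENY_RULES = [
    ("recursive-delete", re.compile(r"\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)\b")),
    ("ssh-key-read", re.compile(r"~?/?\.ssh/(id_[a-z0-9]+|authorized_keys|config)")),
    ("env-dump", re.compile(r"(^|[;&|]\s*)(env|printenv|export\s+-p)\s*($|[;&|>])")),
    ("dotenv-read", re.compile(r"\bcat\s+[^;&|]*\.env\b")),
]

# One class of evasion the bare rules miss: an interpreter one-liner carrying
# the same destructive call. Adding it is still pattern matching, so a script
# written to disk and then executed is not caught by this either.
EVASION_RULES = [
    ("python-inline-remove",
     re.compile(r"\bpython3?\s+-c\s+.*\bos\.(remove|unlink|rmdir)\b|\bshutil\.rmtree\b")),
]

def evaluate(command: str, extended: bool = False) -> Optional[str]:
    """Return the name of the first matching deny rule, or None if allowed."""
    rules = DENY_RULES + (EVASION_RULES if extended else [])
    for name, pattern in rules:
        if pattern.search(command):
            return name
    return None

def main() -> int:
    payload = json.load(sys.stdin)
    if payload.get("tool_name") != "Bash":
        return 0
    command = payload.get("tool_input", {}).get("command", "")
    hit = evaluate(command, extended=True)
    if hit:
        print(f"blocked by PreToolUse hook: rule '{hit}'", file=sys.stderr)
        return 2  # assumed contract: 2 = block, stderr is fed back to the model
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

The constructed probe `python3 -c "import os; os.remove('/tmp/x')"` passes the base rules and is only caught once the evasion rule is enabled, which is exactly the speed-bump behaviour the post reports: every added rule closes one phrasing, and the next phrasing is a file write plus `python3 script.py`.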
-
Finally got around to automating my Buffer Overflow workflow! While working on some binary exploitation labs, I realized I was spending too much time manually formatting payloads and switching between tools. So, I built a Python-based wrapper to streamline the entire process - STACKSMASH. The script now handles: ✅ Cyclic pattern generation & offset discovery (via Metasploit integration). ✅ Dynamic shellcode generation with msfvenom (including bad char filtering). ✅ Automatic Little Endian conversion (no more manual byte flipping!). ✅ A "dummy" mode to verify and align EIP control before committing to the full exploit. ✅ Version compatibility between different Python versions. ✅ Modern shell security bypass. There’s something incredibly satisfying about turning a multi-step manual process into a clean, automated CLI tool. It’s not just about speed; it’s about reducing human error when you’re deep in the debugger. Check out the code here: https://lnkd.in/gVjmTT8N If you are into CTFs or binary research, please consider sharing my work! #CyberSecurity #EthicalHacking #Python #BinaryExploitation #Infosec #Automation #Linux
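The manual steps the post says it automates, as an added example that is not STACKSMASH's code: cyclic pattern generation in the Metasploit `pattern_create` scheme (upper, lower, digit triples), offset recovery from the value a debugger shows in EIP, little-endian packing of a return address, bad-character checking of a shellcode blob, and assembly of the payload. All addresses, shellcode bytes and lengths below are constructed; the `\x00\x0a\x0d` default bad-character set is an assumption.

```python
"""Buffer-overflow payload helpers (added example; not the original tool).
Pattern layout follows Metasploit's pattern_create: Aa0Aa1...Aa9Ab0..."""
import itertools
import struct
from typing import Iterable, List, Optional, Tuple

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGIT) * 3  # 20280 bytes

def pattern_create(length: int) -> bytes:
    """Cyclic pattern of `length` bytes in the upper/lower/digit triple scheme."""
    out = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGIT):
        out.append(u + l + d)
        if len(out) * 3 >= length:
            break
    return "".join(out).encode()[:length]

def pattern_offset(value, length: int = MAX_PATTERN) -> Optional[int]:
    """Offset of `value` inside the pattern. Accepts the raw 4 bytes, or the
    integer the debugger shows in EIP (little-endian on x86, so 0x41336141
    means the bytes 'Aa3A' landed in EIP)."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    pos = pattern_create(length).find(needle)
    return pos if pos >= 0 else None

def p32(addr: int) -> bytes:
    """Little-endian 32-bit packing: 0x625011af -> b'\\xaf\\x11\\x50\\x62'."""
    return struct.pack("<I", addr)

def bad_chars(blob: bytes, banned: Iterable[int] = (0x00, 0x0A, 0x0D)) -> List[Tuple[int, int]]:
    """(index, byte) pairs in `blob` that collide with the banned set; an
    empty list means the shellcode is clean for this target."""
    banned = set(banned)
    return [(i, b) for i, b in enumerate(blob) if b in banned]

def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  total: int, nop_sled: int = 16) -> bytes:
    """Junk up to EIP, packed return address, NOP sled, shellcode, padding.
    Refuses shellcode that contains a banned byte or that overruns `total`."""
    hits = bad_chars(shellcode)
    if hits:
        raise ValueError(f"shellcode contains bad chars at {hits}")
    body = b"A" * offset + p32(ret_addr) + b"\x90" * nop_sled + shellcode
    if len(body) > total:
        raise ValueError("payload exceeds buffer")
    return body + b"C" * (total - len(body))

if __name__ == "__main__":
    # Constructed walk-through: crash shows EIP = 0x41336141 -> offset 9.
    eip = 0x41336141
    off = pattern_offset(eip)
    print("offset:", off)
    print(build_payload(off, 0x625011AF, b"\xcc", total=40))
```

The "dummy" mode the post mentions corresponds to calling `build_payload` with a recognisable address such as `0x42424242` in place of the real return address and confirming in the debugger that EIP reads `BBBB` before substituting the gadget address.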
-
Interesting Paramiko audit by Quarkslab for OSTIF. Coupling the audit of the main library with its critical dependencies (pyca/cryptography + rust-openssl bindings) is good practice, especially on the entropy, constant-time and kex algorithm aspects. OSTIF has done an excellent job of prioritising the foundational building blocks of the ecosystem (networking, crypto, parsing, supply chain). The "threat model + manual review + improved testing/CI" model is particularly effective. I would like to hear your view on this, but I think we could make continuous fuzzing (oss-fuzz) and property-based testing on parsers and cryptographic formats more systematic, on top of static reviews? That would catch regressions on legacy algos earlier.