Gobuster Go Directory Brute-Forcer Cheat Sheet
📂 The Fast Directory Brute-Forcer Written in Go. Gobuster is a blazing-fast tool, written in Go for maximum performance, for directory/file enumeration, DNS subdomain discovery, and vhost brute-forcing. This cheat sheet covers every mode and option for uncovering hidden content on your targets. 🚀
More Relevant Posts
Anthropic's Git MCP server, which connects AI tools to Git repositories, had significant vulnerabilities that enabled remote code execution and file tampering through prompt injection. Discovered by Cyata, the flaws included path validation bypass
Our research team just published findings in Dark Reading on a class of vulnerabilities affecting MCP servers: unbounded URI calls that can expose internal resources. In-depth research conducted by David O. For anyone building agentic workflows: MCP is becoming the standard for how agents connect to tools. That's powerful, and it means we need to understand what we're connecting to. Every MCP server you add gives your agent access to something. A file system. A database. An API. The question isn't just "does this tool work?" It's "what can this tool reach?" Check your MCP servers before you connect. Understand what the associated tools allow access to. We built MCP Trust Registry for exactly this: https://lnkd.in/gdsDWVTG
Research I was part of at Cyata just dropped. We found 3 vulnerabilities in Anthropic's official Git MCP server. When combined with the Filesystem MCP server → code execution. To make it work, we used a niche Git feature called clean/smudge filters. CVE-2025-68143 | CVE-2025-68144 | CVE-2025-68145 Read more here: https://lnkd.in/dfhkr_qt
🚨 Researchers detect active exploitation of a critical React Native CLI flaw. CVE-2025-11953 allows unauthenticated OS command execution on exposed Metro dev servers, with attacks deploying PowerShell and a Rust payload. 🔗 Read → https://lnkd.in/g6Fp57-S
The Ticking Time Bomb in Your Server: How “Adjusting Thresholds” Instead of Fixing Code Leads to Catastrophic Breaches + Video Introduction: In a candid LinkedIn post, industry expert Pierre Dewez highlighted a critical yet often overlooked failure in IT management: when system architecture fails under load, teams frequently "adjust the acceptance threshold" rather than correct the root cause. This practice, sarcastically tagged as PutInProduction (whatever), transforms a performance issue into a significant security vulnerability. Unaddressed capacity flaws can lead to system crashes during peak traffic—a prime scenario for Denial-of-Service (DoS) conditions, data corruption, and opportunistic threat actor infiltration during downtime....
Something that surprised me: giving an LLM more tools can make it worse at using them. Research shows tool selection degrades beyond 30-50 tools. And those tool definitions aren't free—I've seen them consume up to 30% of the context window before the agent does anything useful. This matters for MCP. Connect an agent to a few MCP servers and you're easily looking at 100+ tools loaded into context. Plus the security issue of agents having capabilities they shouldn't. Wrote about solving both problems at the gateway layer—filter tools based on who's asking, default deny. https://lnkd.in/eBAb79W9 #Kong #MCP #AIAgents #LLM
🚀 New Medium Walkthrough Published – Hack The Box “Previous” 🚀 I’ve just published a step-by-step walkthrough of the Hack The Box – Previous machine on Medium. This medium-difficulty Linux box offers a great blend of modern web exploitation and privilege escalation techniques.
🔍 What this machine covers (highlights):
Exploiting CVE-2025-29927 (Next.js authentication middleware authorization bypass)
Abusing Local File Inclusion (LFI) to extract compiled Next.js server files
Credential discovery and SSH access as a standard user
Privilege escalation via Terraform, leveraging root-level apply permissions
This box is an excellent learning resource for understanding real-world web vulnerabilities, post-exploitation enumeration, and misconfigured DevOps tooling. 📖 Read the full walkthrough on Medium: [https://lnkd.in/gbuU7yKg] Happy hacking and continuous learning! 🔐🔥 #HackTheBox #MediumWriteup #WebSecurity #NextJS #CVE202529927 #LFI #LinuxPrivilegeEscalation #Terraform #EthicalHacking #CyberSecurity
The API Hunter’s Blueprint: How to Weaponize JSON Responses and Uncover Hidden Endpoints for Maximum Bug Bounty Payouts + Video Introduction: In the opaque world of modern SaaS and microservices, APIs are the hidden arteries carrying critical data. Traditional security testing often fails because testers see only what's documented, missing the shadow infrastructure inferred from API responses themselves. This article deconstructs a revolutionary mindset for offensive security: reading JSON not as data, but as a map to undiscovered—and often unprotected—endpoints ripe for exploitation....
On this day in 1982, the first PC virus was written. Today's news from Kube Today:
• Ingress NGINX is being retired (March 2026). No more security patches or CVE fixes — migration time.
• k8sgpt — Kubernetes analyzer that diagnoses cluster issues in plain English.
• Local DNS Server for Demos — dnsmasq + Docker setup for demo environments.
• Crust-Gather — a kubectl plugin for collecting Kubernetes cluster state and exposing it through an API server.
Links in the comments. Daily Kubernetes news at Kube.Today. Enjoy your weekend!
Supply chain threats in the era of GenAI: skills are the new dependencies. Claudehub is a new dependency/package registry. Same methodology, same risk, same impact. Nice article explaining the risk/impact via a POC on skills: https://lnkd.in/eVeKDT9R Open-source skills scanner from Cisco: https://lnkd.in/ewjSfcnS P.S.: The scanner didn't find all the vulnerabilities from the POC skill above, perhaps an issue on my end...