Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
6 posts
A critical missing authorization check in FUXA's Scheduler API allowed any authenticated operator to create or modify scheduled device actions—escalating to full admin control over SCADA operations. Breakdown of the attack, detection, and fix.
CVE-2026-10280 landed with a sparse NVD entry and no technical depth. Here's how to think about it, what mcpilot 0.1.0 users need to do right now, and why MCP tooling demands defense-in-depth.
A critical vulnerability in nebula-mesh exposes freshly minted operator API keys via redirect URL query parameters, leaking them to browser history, Referer headers, and proxy logs. Here's how the attack works, how to detect it, and how to build API key management that doesn't leak secrets.
A comment in nebula-mesh's code confesses the design flaw: "API trusts the bearer token for authorization." Here's why that breaks multi-tenant isolation, how to spot the pattern, and how to fix it before it becomes an incident.
CVE-2025-26319 exposes a critical mass assignment flaw in Flowise's PUT /api/v1/user endpoint, letting any authenticated user overwrite password hashes and escalate privileges without verification.
A default empty API client token in phpMyFAQ lets any unauthenticated user create and modify FAQ entries, categories, and questions via the REST API. Here's what happened, why it matters, and how to fix it.