winfunc https://winfunc.com AI-native security engineering platform. Find, triage, and patch security vulnerabilities in hours. en-us Sat, 18 Apr 2026 10:39:53 GMT https://winfunc.com/icon.png winfunc https://winfunc.com <![CDATA[Hacking the old HackerNews codebase]]> https://winfunc.com/research/hacking-the-old-hackernews-codebase https://winfunc.com/research/hacking-the-old-hackernews-codebase Sat, 18 Apr 2026 00:00:00 GMT Mufeed VH Research research fun <![CDATA[What an automated vulnerability research system actually found]]> https://winfunc.com/research/what-an-automated-vulnerability-research-system-actually-found https://winfunc.com/research/what-an-automated-vulnerability-research-system-actually-found Thu, 26 Mar 2026 00:00:00 GMT Mufeed VH Research research hacktivity security <![CDATA[How Asterisk Works]]> https://winfunc.com/research/how-winfunc-works https://winfunc.com/research/how-winfunc-works Fri, 30 Aug 2024 00:00:00 GMT Mufeed VH Research engineering repost deprecated <![CDATA[stream accepts revoked client certificates despite ssl_ocsp on (CVE-2026-28755)]]> https://winfunc.com/hacktivity/CVE-2026-28755 https://winfunc.com/hacktivity/CVE-2026-28755 Thu, 01 Jan 2026 00:00:00 GMT Winfunc Research Security Research NGINX Medium CVE-2026-28755 <![CDATA[SCGI unbuffered mode sent truncated CONTENT_LENGTH causing backend desync]]> https://winfunc.com/hacktivity/nginx-scgi-content-length-unbuffered https://winfunc.com/hacktivity/nginx-scgi-content-length-unbuffered Thu, 01 Jan 2026 00:00:00 GMT Winfunc Research Security Research NGINX Medium <![CDATA[RSC reply decoder DoS via $K FormData amplification (CVE-2026-23864)]]> https://winfunc.com/hacktivity/CVE-2026-23864 https://winfunc.com/hacktivity/CVE-2026-23864 Thu, 01 Jan 2026 00:00:00 GMT Winfunc Research Security Research React High CVE-2026-23864 <![CDATA[Permission model bypass via unchecked Unix Domain Socket connections (CVE-2026-21636)]]> https://winfunc.com/hacktivity/CVE-2026-21636 https://winfunc.com/hacktivity/CVE-2026-21636 Wed, 01 Jan 2025 00:00:00 GMT Winfunc Research Security Research Node.js Medium CVE-2026-21636 <![CDATA[Authentication bypass on FastMCP custom routes]]> https://winfunc.com/hacktivity/anthropic-fastmcp-auth-bypass https://winfunc.com/hacktivity/anthropic-fastmcp-auth-bypass Wed, 01 Jan 2025 00:00:00 GMT Winfunc Research Security Research Anthropic Critical <![CDATA[SQL Injection via queueName in getDatabaseQueuesMetrics]]> https://winfunc.com/hacktivity/supabase-sql-injection-via-queue-names https://winfunc.com/hacktivity/supabase-sql-injection-via-queue-names Wed, 01 Jan 2025 00:00:00 GMT Winfunc Research Security Research Supabase Critical <![CDATA[Exponential merge keys in Bun's YAML implementation leads to DoS]]> https://winfunc.com/hacktivity/bun-yaml-dos https://winfunc.com/hacktivity/bun-yaml-dos Wed, 01 Jan 2025 00:00:00 GMT Winfunc Research Security Research Bun High <![CDATA[0-click Account Takeover and Admin Operations via helper endpoint authorization bypass ]]> https://winfunc.com/hacktivity/gumroad-helper-auth-bypass-ato https://winfunc.com/hacktivity/gumroad-helper-auth-bypass-ato Wed, 01 Jan 2025 00:00:00 GMT Winfunc Research Security Research Gumroad Critical <![CDATA[SSRF bypass via IPv4-mapped IPv6 literals in IsReservedIP (CVE-2026-2455)]]> https://winfunc.com/hacktivity/CVE-2026-2455 https://winfunc.com/hacktivity/CVE-2026-2455 Thu, 01 Jan 2026 00:00:00 GMT Winfunc Research Security Research Mattermost Medium CVE-2026-2455 <![CDATA[DoS via unchecked User-Agent token in getBrowserVersion (CVE-2026-25783)]]> https://winfunc.com/hacktivity/CVE-2026-25783 https://winfunc.com/hacktivity/CVE-2026-25783 Thu, 01 Jan 2026 00:00:00 GMT Winfunc Research Security Research Mattermost Medium CVE-2026-25783 <![CDATA[Unbounded PBKDF2 hashing allows remote login DoS via oversized passwords (CVE-2026-24458)]]> https://winfunc.com/hacktivity/CVE-2026-24458 https://winfunc.com/hacktivity/CVE-2026-24458 Thu, 01 Jan 2026 00:00:00 GMT Winfunc Research Security Research Mattermost High CVE-2026-24458 <![CDATA[Private Channel Enumeration via /mute Slash Command (CVE-2026-21386)]]> https://winfunc.com/hacktivity/CVE-2026-21386 https://winfunc.com/hacktivity/CVE-2026-21386 Thu, 01 Jan 2026 00:00:00 GMT Winfunc Research Security Research Mattermost Low CVE-2026-21386 <![CDATA[Multi-session sign-out hook allows forged cookies to revoke arbitrary sessions]]> https://winfunc.com/hacktivity/better-auth-multi-session-signout-ato https://winfunc.com/hacktivity/better-auth-multi-session-signout-ato Wed, 01 Jan 2025 00:00:00 GMT Winfunc Research Security Research Better-Auth Medium