WSO2 #3: Server-side request forgery
CVE-2025-5350 and CVE-2025-5605 combined make a pre-auth server-side request forgery (SSRF) vulnerability in WSO2 API Manager, Identity Server, and other WSO2 products.
CVE-2025-9152, CVE-2025-10611, and CVE-2025-9804 are critical authentication bypass and privilege escalation vulnerabilities I discovered in WSO2 API Manager and WSO2 Identity Server.
CVE-2025-2905 is a blind XXE vulnerability in WSO2 API Manager and other WSO2 products dependent on WSO2-Synapse.
How I accidentally breached a nonexistent database and found every private key in the Converso app.
Signal changed the way end-to-end encrypted group conversations work, moving a client-side abstraction to the Signal servers.