Appsec Weekly - Feb 9, 2026
🌶️ 🌶️ This Week in AppSec World 🌶️ 🌶️
This post walks through CVE-2026-25916, where Roundcube’s HTML sanitizer forgot to treat the SVG feImage href as an image URL, so remote image blocking did not apply and attackers could track email opens until 1.5.13 and 1.6.13 fixed the logic.
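The defensive lesson from that bug is that "remote image blocking" is only as complete as the sanitizer's list of attributes that trigger a fetch. The following is an added example, written in TypeScript and not Roundcube's code (Roundcube's sanitizer is PHP): a policy table of image-fetching element/attribute pairs that includes SVG `feImage`, an audit function that lists remote references in a message body, and a rewrite that swaps them for a local placeholder. The tokenizer is a deliberately simple regex over well-formed mail HTML, the placeholder file name `blocked.png` is hypothetical, and the sample message is constructed.

```typescript
// Elements and attributes whose value is fetched as an image. Keys are
// lower-cased element names. Completeness of this table is the whole game:
// the SVG filter primitive <feImage> fetches just like <img src>.
const REMOTE_IMAGE_ATTRS: { [tag: string]: string[] } = {
  img: ['src'],
  input: ['src'],                  // <input type="image">
  video: ['poster'],
  image: ['href', 'xlink:href'],   // SVG <image>
  feimage: ['href', 'xlink:href'], // SVG <feImage>
};

// Only absolute http(s) and protocol-relative URLs hit the network;
// cid: (MIME parts) and data: URLs are local and remain allowed.
function isRemoteUrl(value: string): boolean {
  return /^(https?:)?\/\//i.test(value.trim());
}

// Simple start-tag and attribute tokenizer, sufficient for well-formed mail
// HTML. A production sanitizer should operate on a parsed DOM instead.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

interface RemoteImageRef { tag: string; attr: string; url: string; }

// Audit: every attribute in the policy table that carries a remote URL.
function findRemoteImageRefs(html: string): RemoteImageRef[] {
  const refs: RemoteImageRef[] = [];
  const tagRe = new RegExp(TAG_RE.source, 'g');
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(html)) !== null) {
    const watched = REMOTE_IMAGE_ATTRS[m[1].toLowerCase()];
    if (!watched) continue;
    const attrRe = new RegExp(ATTR_RE.source, 'g');
    let a: RegExpExecArray | null;
    while ((a = attrRe.exec(m[2])) !== null) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || '');
      if (watched.indexOf(a[1].toLowerCase()) !== -1 && isRemoteUrl(value)) {
        refs.push({ tag: m[1], attr: a[1], url: value.trim() });
      }
    }
  }
  return refs;
}

// Hypothetical local "blocked image" resource shipped by the mail client.
const BLOCKED_PLACEHOLDER = 'blocked.png';

// Enforcement: rewrite each remote reference so rendering the message
// causes no network request until the user opts in.
function blockRemoteImages(html: string): string {
  return html.replace(TAG_RE, (whole: string, tagName: string, attrs: string) => {
    const watched = REMOTE_IMAGE_ATTRS[tagName.toLowerCase()];
    if (!watched) return whole;
    const rewritten = attrs.replace(ATTR_RE, (attrWhole: string, name: string, dq?: string, sq?: string, bare?: string) => {
      const value = dq !== undefined ? dq : sq !== undefined ? sq : (bare || '');
      if (watched.indexOf(name.toLowerCase()) === -1 || !isRemoteUrl(value)) return attrWhole;
      return `${name}="${BLOCKED_PLACEHOLDER}"`;
    });
    const head = 1 + tagName.length; // "<" plus the element name
    return whole.slice(0, head) + rewritten + whole.slice(head + attrs.length);
  });
}

// Constructed sample message body (not a real email).
const SAMPLE_MAIL = [
  '<p>Hello,</p>',
  '<img src="cid:logo@example" alt="logo">',                      // MIME part: local
  '<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">',  // inline: local
  '<img src="https://tracker.example/open.gif" width="1" height="1">',
  '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">',
  '  <filter id="f"><feImage xlink:href="https://tracker.example/pixel.png"/></filter>',
  '  <rect width="1" height="1" filter="url(#f)"/>',
  '</svg>',
].join('\n');

console.log(findRemoteImageRefs(SAMPLE_MAIL));
console.log(blockRemoteImages(SAMPLE_MAIL));
```

Removing the `feimage` row from the table reproduces the class of gap the advisory describes: the audit then reports only the `<img>` pixel and the SVG filter fetch passes untouched, which is why a sanitizer's policy table deserves a regression test per element rather than per "images".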
Koi describes how a trojanized postmark-mcp MCP server on npm slipped a one-line BCC backdoor into v1.0.16 to silently exfiltrate every email an AI assistant sent, and argues this is a warning shot about highly privileged, completely ungoverned MCP connectors that sit outside normal appsec, vendor review, and egress controls.
MrBruh reports that AMD's Windows AutoUpdate downloads an executable over plain HTTP and runs it without signature or certificate checks, so a network man-in-the-middle can swap in malware for RCE, and AMD reportedly marked the report out of scope and declined to fix it. The post has since been taken down, though I guess the disclosure may be back up in a few weeks.
Tirith is a Rust shell hook that brings browser-like homograph defenses to the terminal: it scans commands for Unicode lookalike domains plus other terminal tricks like ANSI or invisible characters and risky pipe-to-interpreter patterns, then warns or blocks before anything executes.
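To make the three detection classes concrete, here is an added example in TypeScript that is not Tirith's code: it scans a command line for hidden control or zero-width characters, for output piped straight into an interpreter, and for URL hosts that map to an all-ASCII name once common Cyrillic and Greek lookalikes are folded (a simplified version of the Unicode "skeleton" idea). The confusable table, the interpreter list, the `allow`/`warn`/`block` policy and the sample commands are all assumptions constructed for the example.

```typescript
interface CommandFinding { kind: 'hidden-chars' | 'pipe-to-interpreter' | 'homograph'; detail: string; }

// C0 controls except tab/newline, DEL, and common zero-width or
// bidi-override code points: all can hide or redraw what the user sees.
const HIDDEN_CHAR_RE = /[\u0000-\u0008\u000b-\u001f\u007f\u200b-\u200f\u2028-\u202e\u2060-\u2064\ufeff]/;

// A pipe feeding a shell or scripting interpreter (assumed list).
const INTERPRETER_RE = /\|\s*(?:sudo\s+)?(?:(?:ba|z|da|k)?sh|python3?|perl|ruby|node)\b/;

// Hostname part of any http(s) URL in the command.
const URL_HOST_RE = /https?:\/\/([^\s\/:'"]+)/gi;

// Lookalike letters folded to the ASCII letter they resemble (small
// constructed subset; a real tool would use the full Unicode confusables data).
const CONFUSABLES: { [ch: string]: string } = {
  '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
  '\u0445': 'x', '\u0443': 'y', '\u0456': 'i', '\u0458': 'j', '\u0455': 's',
  '\u04bb': 'h', '\u0501': 'd', '\u03bf': 'o', '\u03b1': 'a',
};

function skeleton(host: string): string {
  let out = '';
  for (let i = 0; i < host.length; i++) {
    const ch = host.charAt(i);
    out += CONFUSABLES[ch] !== undefined ? CONFUSABLES[ch] : ch;
  }
  return out;
}

// Returns the ASCII name a host imitates, or null if it is not a lookalike.
function homographOf(host: string): string | null {
  const lower = host.toLowerCase();
  const sk = skeleton(lower);
  return sk !== lower && /^[\x21-\x7e]+$/.test(sk) ? sk : null;
}

function scanCommand(cmd: string): CommandFinding[] {
  const findings: CommandFinding[] = [];
  if (HIDDEN_CHAR_RE.test(cmd)) {
    findings.push({ kind: 'hidden-chars', detail: 'control or zero-width characters present' });
  }
  if (INTERPRETER_RE.test(cmd)) {
    findings.push({ kind: 'pipe-to-interpreter', detail: 'downloaded bytes are executed without inspection' });
  }
  const hostRe = new RegExp(URL_HOST_RE.source, 'gi');
  let m: RegExpExecArray | null;
  while ((m = hostRe.exec(cmd)) !== null) {
    const looksLike = homographOf(m[1]);
    if (looksLike !== null) findings.push({ kind: 'homograph', detail: `${m[1]} resembles ${looksLike}` });
  }
  return findings;
}

// Policy (assumed): lookalikes and hidden characters are blocked outright,
// pipe-to-interpreter gets a warning, everything else passes.
function decide(findings: CommandFinding[]): 'allow' | 'warn' | 'block' {
  if (findings.some(f => f.kind === 'homograph' || f.kind === 'hidden-chars')) return 'block';
  return findings.length > 0 ? 'warn' : 'allow';
}

// Constructed sample commands; the second uses Cyrillic "о" in the host.
const SAMPLE_COMMANDS = [
  'ls -la',
  'curl https://g\u043e\u043egle.com/update',
  'curl -fsSL https://get.example.com/install.sh | sh',
  'echo ok\u001b[2K',
];

for (const c of SAMPLE_COMMANDS) {
  const f = scanCommand(c);
  console.log(JSON.stringify(c), decide(f), f);
}
```

The hidden-character check runs on the raw command bytes rather than on what the terminal rendered, which is the point: an ANSI cursor-movement sequence pasted from a web page can make a command display as something harmless while the shell receives the full string.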
🤖 This Week in AI Security 🤖
Anthropic’s red team used Claude Opus 4.6 as an autonomous analyst to uncover and help validate hundreds of real 0‑days in heavily fuzzed open source projects, then paired that capability with new activation-level “probe” detectors to curb large-scale offensive misuse.
n8n's CVE-2026-25049 is a nasty RCE that sneaks past a recent patch by feeding the expression evaluator an object instead of a string, dodging TypeScript's compile-time checks since they vanish at runtime.
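The generalizable point is that a parameter typed `string` in TypeScript is a promise to the compiler, not a check on the bytes that arrive in a JSON body. The following is an added example and not n8n's code: a request boundary that validates the shape of an untrusted body at runtime with a type predicate, next to the cast-only version that compiles identically and lets an object reach the evaluator. The `EvalRequest` shape, the stand-in evaluator and the length limit are assumptions; the sample bodies are constructed.

```typescript
interface EvalRequest { expression: string; }

// Type predicate: narrows `unknown` to a primitive string. Objects that
// merely coerce to a string (custom toString, boxed String) are rejected.
function isPlainString(value: unknown): value is string {
  return typeof value === 'string';
}

function describe(value: unknown): string {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Validates an already-parsed JSON body. Returns a typed request or throws.
// Note that `body as EvalRequest` would satisfy the compiler and check nothing.
function parseEvalRequest(body: unknown): EvalRequest {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    throw new TypeError('body must be a JSON object');
  }
  const candidate = (body as { [key: string]: unknown }).expression;
  if (!isPlainString(candidate)) {
    throw new TypeError(`expression must be a string, got ${describe(candidate)}`);
  }
  if (candidate.length > 4096) throw new RangeError('expression too long'); // assumed limit
  return { expression: candidate };
}

// Stand-in for a real expression engine; its only relevant property is the
// contract "takes a string". A real engine would parse and evaluate here.
function evaluateExpression(req: EvalRequest): string {
  return req.expression.trim();
}

// Checked boundary: returns 'ok:<result>' or 'rejected:<reason>' for a raw
// JSON body, so the behaviour is testable without an HTTP server.
function handleRawBody(rawJson: string): string {
  let body: unknown;
  try { body = JSON.parse(rawJson); } catch { return 'rejected:invalid json'; }
  try {
    return 'ok:' + evaluateExpression(parseEvalRequest(body));
  } catch (err) {
    return 'rejected:' + (err instanceof Error ? err.message : String(err));
  }
}

// Unchecked boundary for contrast: the cast has no runtime effect, so the
// engine receives whatever JSON carried. Returns the runtime type it saw.
function handleRawBodyUnchecked(rawJson: string): string {
  const body = JSON.parse(rawJson) as EvalRequest;
  return typeof body.expression; // 'object' for {"expression":{}} despite the type
}

// Constructed sample bodies.
for (const raw of [
  '{"expression":" 1 + 1 "}',
  '{"expression":{"toString":"x"}}',
  '{"expression":["1"]}',
  '["expression"]',
  'not json',
]) {
  console.log(raw, '=>', handleRawBody(raw), '| unchecked sees:', (() => { try { return handleRawBodyUnchecked(raw); } catch { return 'throws'; } })());
}
```

The same discipline applies to every field that later feeds a parser or interpreter: validate the runtime shape once at the edge, return a typed value from that validator, and never let `as` be the only thing standing between `JSON.parse` and the evaluator.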
Hacktron shows how a malicious site can abuse Antigravity’s browser extension to hit its SaveScreenRecording endpoint and write arbitrary files via path traversal (e.g., into Startup) on a user’s machine, turning a screen-recording feature into an RCE primitive.
Slack’s security team built a multi-agent investigation system (Director, Expert, and Critic agents orchestrated via structured outputs and a “knowledge pyramid”) to automate much of alert triage, surface higher-quality findings (including unexpected issues like credential exposure), and let humans focus on supervising investigations instead of grinding through raw logs.
Praetorian’s Augustus is a Go-based, open-source LLM vulnerability scanner that hits models with 210+ prompt-injection, jailbreak, encoding, data-leak, and agent-attack probes across 28 providers, then reports where safety guardrails actually fail.
Spaceraccoon builds an LLM-powered GitHub Action that watches commits and PRs for real, exploitable vuln patches, sometimes even before CVEs exist, surfacing “negative-day” and “never-day” issues like a canary-stage command injection in Next.js codemods.
🏆 AppSec Tools of The Week 🏆
To counter Deno’s sandbox, Cloudflare has come up with Sandbox, a Workers-integrated SDK that spins up isolated Linux containers so you can safely run untrusted code, manage files and processes, expose preview URLs, and power AI agents, cloud IDEs, data analysis, and CI workloads at the edge with a simple TypeScript API and no infra to babysit.
CyberStrikeAI is an AI-native security testing platform written in Go that wires 100+ traditional security tools into an MCP-based agent engine with roles, skills, attack-chain graphs, vuln and task management, and a web UI so you can drive full pentests from natural language.
Shannon is an autonomous AI pentester that white-box analyzes your web app’s code, drives a multi‑phase, Claude‑powered exploit workflow via Docker, and spits out proof‑by‑exploitation reports with copy‑paste PoCs for real vulns like auth bypass, injection, XSS, and SSRF.
VulnLLM‑R‑7B is a Qwen2.5‑based, 7B‑parameter reasoning model fine-tuned for software vulnerability detection that does step‑by‑step code analysis, beats tools like CodeQL and AFL plus general LLMs on benchmarks, and supports multi-language (C, C++, Python, Java) security auditing with chain-of-thought-style explanations.
And that’s a wrap for this week! If you enjoy this curated issue, feel free to forward or share it with your appsec folks, team, or hacker club. For feedback, hugs, bugs or chats, drop an email to [email protected]