Threat Intelligence & Cyber Research.
Detailed security analysis, open-source intelligence (OSINT) studies, threat briefings, and vulnerability reports conducted on enterprise systems and public infrastructure.
Publications & Advisories
HackedAlert: Approximately 2 Million Cybersecurity Breaches in Chile
Mass vulnerability audit of top-level domains, critical subdomains, and IP ranges in Chile. The platform indexed over 1.7 million vulnerabilities, standardized under the MITRE CVE framework, revealing systemic gaps in the application of the national cybersecurity regulatory framework.

Dopamine - Version 2.0 (Pre Keras release) / Remote Code Execution (RCE) via Insecure Deserialization using tf.io.gfile and Gin-Config (RCE in Google Cloud)
Critical Remote Code Execution (RCE) in Dopamine. The reinforcement learning framework processes log metrics and checkpoint files using Python's insecure pickle module over the tf.io.gfile abstraction layer. This allows remote attackers to trigger unauthenticated RCE by passing cloud or UNC paths to model loaders or injecting Gin configuration parameters.

Genesis - Version 0.4.6 / Remote Code Execution (RCE) via Insecure Deserialization based on sink pickle.load and Global Cache Poisoning via Predictable Asset Hashing (SHA256)
Critical Remote Code Execution (RCE) in Genesis. The physics engine trusts cached remeshing files (.rm) matching a deterministic SHA256 hash of loaded assets, allowing unauthenticated execution via cache poisoning or UNC cache redirection.

MuJoCo - Version 3.7.0 / Remote Code Execution (RCE) via Insecure Deserialization based on sink numpy.load and mujoco.sysid.TimeSeries class (RCE via UNC Path Redirection in TimeSeries Loading)
Critical Remote Code Execution (RCE) in MuJoCo. The TimeSeries.load_from_disk utility processes archived signal data using numpy.load with allow_pickle=True. Unsanitized metadata values within the datasets permit arbitrary code execution.

MuJoCo - Version 3.7.0 / Remote Code Execution (RCE) via Insecure Deserialization based on sink numpy.load and path argument (Supply Chain Compromise via SystemTrajectory Datasets)
Critical Remote Code Execution (RCE) in MuJoCo. The SystemTrajectory.load_from_disk utility resolves paths and loads dataset archives using numpy.load with allow_pickle=True. Unsanitized metadata values within the datasets permit arbitrary code execution.

LeRobot - Version 0.5.1 / Remote Code Execution (RCE) via Insecure Deserialization based on sink pickle.loads and request.data point in PolicyServer
Critical unauthenticated Remote Code Execution (RCE) in LeRobot. The vulnerability occurs in the gRPC PolicyServer endpoints (SendPolicyInstructions and SendObservations), where incoming data is deserialized using the insecure pickle.loads function.

LeRobot - Version 0.5.1 / Remote Code Execution (RCE) via Insecure Deserialization based on sink pickle.loads and gRPC SendInteractions stream data in LearnerService
Critical unauthenticated Remote Code Execution (RCE) in LeRobot. The vulnerability occurs in the gRPC SendInteractions endpoint, where stream data is deserialized using the insecure pickle.load function inside LearnerService.

Brax - Version 0.14.2 / Remote Code Execution (RCE) via Insecure Deserialization based on pickle package
Critical Remote Code Execution (RCE) in Brax. The model parameter loading utility load_params uses the insecure pickle.loads sink. Combined with backend-agnostic path resolution via etils.epath, attackers can redirect loading to remote SMB UNC shares or cloud buckets to trigger remote execution.

google-adk - Version 1.30.0 / Remote Code Execution (RCE) via Insecure Deserialization
Critical Remote Code Execution (RCE) in google-adk. The framework's SQLite migration utility and SQLAlchemy shared-state schemas execute automatic pickle.loads operations on database fields, exposing agent hosts to zero-interaction hijacking via remote database sources.

VibeVoice - Version 0.0.1 / Remote Code Execution (RCE) via Insecure Deserialization based on the sinks torch.load and numpy.load
Critical Remote Code Execution (RCE) in VibeVoice. The vulnerability occurs in the audio loading routines, where VibeVoiceTokenizerProcessor uses the insecure torch.load sink on user-provided files without validation, enabling SMB UNC path redirection on Windows.

Django - Version 6.0.4 / Remote Code Execution (RCE) via Insecure Deserialization (Redis, Memcached & SMB/UNC Path Redirection) based on Cache Poisoning
Critical unauthenticated Remote Code Execution (RCE) in Django. The vulnerability lies within multiple cache backends (RedisCache and MemcachedCache) that deserialize stored data using the insecure pickle.loads function, as well as filesystem session backends resolving Windows SMB/UNC network paths.

TensorFlow - Version 2.21.0 / Remote Code Execution (RCE) via Insecure Deserialization based on sink numpy.load and saved_model_cli run --inputs as Entry Point
Remote Code Execution (RCE) vector stemming from the insecure use of numpy.load(..., allow_pickle=True) within TensorFlow's saved_model_cli tool. Exploitation leverages Windows UNC network paths to bypass local bounds.

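The MuJoCo, LeRobot, Brax and TensorFlow entries above describe one sink reached from different entry points: bytes an attacker controls arrive at the pickle machinery, whether through pickle.loads directly, numpy.load(..., allow_pickle=True), torch.load(weights_only=False) or shelve. The following is an added example, not code from any of the listed projects, showing why that is code execution and what a loader can check first. It builds a payload whose load calls platform.python_version (standing in for os.system), runs it through an unrestricted load, lists the imports the stream would perform by disassembling it with pickletools, and refuses it with an Unpickler whose find_class only resolves an allowlist. The allowlist contents and the function names are assumptions for the example.

```python
import io
import pickle
import pickletools
import platform

# Stand-in for the attacker's real target (os.system, subprocess.Popen, ...).
# platform.python_version is harmless but proves the stream ran code on load.
HARMLESS_CALLABLE = platform.python_version


class MaliciousPayload:
    """Object whose pickle stream calls an importable callable when loaded.

    __reduce__ makes pickle serialise the instruction 'import module; call(*args)'
    instead of any object state; the unpickler executes it to rebuild the object.
    """

    def __reduce__(self):
        return (HARMLESS_CALLABLE, ())


def build_payload(protocol: int = pickle.DEFAULT_PROTOCOL) -> bytes:
    # The bytes an attacker drops into a checkpoint, .npz archive or cache file.
    return pickle.dumps(MaliciousPayload(), protocol=protocol)


def load_checkpoint_unsafely(data: bytes):
    # The vulnerable pattern shared by the entries above: bytes from a path the
    # caller controls go straight into pickle (numpy.load(allow_pickle=True),
    # torch.load(weights_only=False) and shelve all end up here).
    return pickle.loads(data)


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """List every (module, name) the stream would import, without running it.

    pickletools.genops only disassembles opcodes. GLOBAL (protocols 0-3) carries
    'module name' as one argument; STACK_GLOBAL (protocol 4+) consumes the two
    most recent string constants, so string pushes are tracked as they appear.
    (A stream that fetches the module name back from the memo with BINGET would
    need memo tracking as well; pickle.dumps does not do that for fresh names.)
    """
    found: set[tuple[str, str]] = set()
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            found.add((strings[-2], strings[-1]))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found


# Globals a loader legitimately needs. Assumed for the example; a real loader
# lists exactly the types its own file format serialises and nothing else.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    Every GLOBAL/STACK_GLOBAL goes through find_class, so this is the one hook
    that can stop 'import os; os.system(...)' before the REDUCE opcode runs it.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    payload = build_payload()
    print("imports in stream:", referenced_globals(payload))
    print("unsafe load returned:", load_checkpoint_unsafely(payload))
    try:
        safe_loads(payload)
    except pickle.UnpicklingError as exc:
        print("restricted loader refused:", exc)
```

The opcode scan is a pre-check, not a sandbox: it tells a loader what the stream will import so that anything outside the allowlist can be refused before load() is ever called. When the file format does not need Python objects at all, the stronger fix is to refuse the pickle stream entirely, which is what numpy.load(allow_pickle=False) and torch.load(weights_only=True) do.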
google-cloud-aiplatform - Version 1.147.0 / Remote Code Execution (RCE) via Insecure Deserialization (Bug Chaining)
Chaining of two vulnerabilities: Insecure Configuration Injection via AIP_STORAGE_URI or staging_bucket, and Insecure Deserialization via pickle/cloudpickle.

LangGraph - Version 1.1.6 / Remote Code Execution (RCE) via Insecure Deserialization (Bypass of CVE-2026-27794)
Critical Remote Code Execution (RCE) vulnerabilities in JsonPlusSerializer within langgraph-checkpoint. The issue exploits a permissive Msgpack extension policy to bypass the pickle remediation applied for CVE-2026-27794.

PyGlove - Version 0.4.5 / Remote Code Execution (RCE) via Insecure Deserialization based on _OpaqueObject JSON data stream (Base64)
Critical Remote Code Execution (RCE) vulnerabilities in PyGlove. Exploiting the automatic pickle deserialization path inside JSON structures (via _OpaqueObject) enables code execution through network URI configuration schemes.

Onyx - Version 3.2.11 / Remote Code Execution (RCE) via Insecure Deserialization based on Absolute Path Injection (UNC) in shelve.open
Critical Remote Code Execution (RCE) in Onyx. Unsafe handling of os.path.join with absolute UNC paths enables remote attackers to poison the cache files retrieved via shelve.open.

huggingface_hub - Version 1.11.0 / Remote Code Execution (RCE) via Insecure Deserialization (Supply Chain RCE via load_torch_model Defaults)
Critical Remote Code Execution (RCE) in huggingface_hub. The PyTorch weight deserializer utility load_torch_model runs with an insecure default configuration of weights_only=False, triggering unrestricted pickle loading. Exploiting Windows UNC path resolution allows unauthenticated attackers to fetch and deserialize payloads from a remote SMB share.

huggingface_hub - Version 1.11.0 / Remote Code Execution (RCE) via Insecure Deserialization (Hub-to-RCE via from_pretrained_fastai)
Critical Remote Code Execution (RCE) in huggingface_hub. The FastAI integration module from_pretrained_fastai downloads remote learners and processes them using FastAI's native load_learner, which relies on the insecure pickle module. Pointing or redirecting this request (e.g. via HF_ENDPOINT) to a malicious server allows remote code execution on weight loading.

learned_optimization - Version 0.0.1 (PiperOrigin-RevId: 888266025) / Remote Code Execution (RCE) via Insecure Deserialization
Critical Remote Code Execution (RCE) in learned_optimization. The JAX-based optimization library processes baseline results and experiment checkpoints using Python's insecure pickle and numpy.load functions under a shared filesystem abstraction. Attackers can trigger unauthenticated remote code execution by providing remote URIs to baseline loaders or injecting configuration parameters.

neuroglancer - Version 2.41.2 / Path Traversal leads to Arbitrary File Read and Exfiltration of Secrets or Sensitive Data
Significant Path Traversal vulnerability in the neuroglancer Python backend. When a custom file-based static content source is configured, directory traversal sequences (../) can bypass the regex validation and allow unauthorized reading of files outside the intended base directory, potentially exposing API keys or configuration files.

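The Onyx entry (an absolute UNC path passed through os.path.join before shelve.open) and the neuroglancer entry (../ sequences past a regex check) rest on the same two standard-library facts, and one fix serves both. The example below is added here and is not code from either project. It reproduces both behaviours with ntpath and posixpath selected by name, so the results are identical on any host, then shows a safe_join that rejects drive/UNC-qualified and absolute components and proves containment with commonpath. The base directories, the permissive regex and the inputs are constructed for the example.

```python
import ntpath
import posixpath
import re

# Path flavours selected by name so the behaviour is reproducible on any host:
# ntpath models Windows (drive letters, \\server\share), posixpath models Linux.
FLAVOURS = {"nt": ntpath, "posix": posixpath}

# A character-class filter of the kind that looks like validation but is not:
# every character of '../../etc/passwd' and of '\\evil\share\x' is permitted.
# Constructed for the example; it is not any project's actual regex.
LOOKS_SAFE = re.compile(r"[A-Za-z0-9_./\\-]+")


def naive_regex_allows(user_path: str) -> bool:
    return LOOKS_SAFE.fullmatch(user_path) is not None


def naive_join(base: str, user_path: str, flavour: str = "nt") -> str:
    """The vulnerable pattern: trust a regex, then os.path.join.

    join() follows the documented rule that an absolute (or drive/UNC-qualified)
    component throws away everything before it, so the attacker's path replaces
    the cache or static directory. normpath is applied only to show the file the
    operating system would actually open after resolving '..'.
    """
    p = FLAVOURS[flavour]
    if not naive_regex_allows(user_path):
        raise ValueError("rejected by regex")
    return p.normpath(p.join(base, user_path))


def safe_join(base: str, user_path: str, flavour: str = "nt") -> str:
    """Join an untrusted component under base, or raise ValueError.

    Two independent checks: refuse anything that can reset the base (absolute
    path, drive letter, UNC server/share prefix, leading separator), then
    normalise and prove the result is still below base with commonpath. A plain
    startswith() test would be wrong here: '/srv/static2/x' starts with
    '/srv/static' but is not inside it.
    """
    p = FLAVOURS[flavour]
    drive, _ = p.splitdrive(user_path)
    if drive or p.isabs(user_path) or user_path.startswith(("\\", "/")):
        raise ValueError(f"absolute or drive/UNC-qualified component: {user_path!r}")
    base_norm = p.normpath(base)
    candidate = p.normpath(p.join(base_norm, user_path))
    try:
        inside = p.commonpath([base_norm, candidate]) == base_norm
    except ValueError:  # commonpath refuses to compare paths on different drives
        inside = False
    if not inside:
        raise ValueError(f"{candidate!r} escapes {base_norm!r}")
    return candidate


if __name__ == "__main__":
    # UNC redirection: the regex passes and join() returns the attacker's share.
    print(naive_join(r"C:\app\cache", r"\\evil\share\cache.db"))
    # Traversal: the regex passes and the OS would open /etc/passwd.
    print(naive_join("/srv/static", "../../etc/passwd", "posix"))
    print(safe_join(r"C:\app\cache", r"models\v1.db"))
    for base, bad, flavour in [
        (r"C:\app\cache", r"\\evil\share\cache.db", "nt"),
        (r"C:\app\cache", r"D:cache.db", "nt"),
        ("/srv/static", "../../etc/passwd", "posix"),
        ("/srv/static", "../static2/x", "posix"),
    ]:
        try:
            safe_join(base, bad, flavour)
        except ValueError as exc:
            print("refused:", exc)
```

The regex in the vulnerable version is representative only; the point is that a character allowlist says nothing about where a path resolves. Containment has to be checked on the normalised result, and with commonpath rather than a string prefix. On a real filesystem, follow with os.path.realpath on the candidate so that symlinks inside the base directory cannot point back out of it.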
Spatial Media - Version 2.1 / Arbitrary File Write chained with Path Traversal leads to Remote Code Execution (RCE)
Critical Remote Code Execution (RCE) vulnerability in Spatial Media. The metadata injection application exposes an Arbitrary File Write combined with Path Traversal, allowing files to be written outside designated directories. When combined with server control structures (such as Gunicorn reload), this facilitates unauthorized execution in the context of the container runtime environment.

Polymer - Version 3.5.2 / Universal DOM-Based XSS via Unsanitized Data Binding
High severity DOM-Based Cross-Site Scripting (XSS) vulnerability in the Polymer library. Flawed property-effects handling allows untrusted input to be bound directly to sensitive DOM properties such as inner-h-t-m-l (Polymer's attribute form of innerHTML) without default sanitization, leading to arbitrary JavaScript execution in the client browser.

libphonenumber - Version 9.0.27 / CSRF leads to Reflected XSS via Lack of Output Encoding in Migrator and Geocoding Prefix Reducer Tools
High severity vulnerability in libphonenumber's geocoding prefix reducer tool. The lack of CSRF protection on the /combine endpoint, combined with missing output encoding in CombineGeoDataServlet.java, allows attackers to execute arbitrary scripts in the victim's session.