Behrad's Blog
Posts Tags

rce

2026

February 9, 2026
Building a Headless Browser Exploit with Claude Opus 4.6
How Claude Opus 4.6 discovered and exploited a heap buffer overflow in PhantomJS, from source code analysis to a working proof-of-concept.

February 1, 2026
Hunting for Deserialization Gadgets in the Rails Ecosystem
Walking through the process of finding a new deserialization gadget chain in the Ruby on Rails ecosystem, from trigger to sink.

January 27, 2026
Unsafe Reflection Vulnerabilities
How unsafe reflection turns user input into arbitrary class instantiation, from the mechanics of CWE-470 to exploitation and prevention across Java and Ruby.

2022

February 18, 2022
Java Deserialization Vulnerabilities
Understanding Java deserialization from serialization internals to exploitation, with a walkthrough of using ysoserial gadget chains to achieve RCE on Apache OpenMeetings.

2021

December 2, 2021
SSTI In Python Frameworks
Exploiting Server-Side Template Injection in Jinja2 and Django, from MRO traversal to remote code execution, with detection and prevention strategies.
© Behrad Taher