A security engagement revealed an HTML to PDF converter API that allowed for local file access and remote code execution due to vulnerabilities in a .NET renderer using an outdated Chromium version. The authors successfully exploited a known vulnerability in Chromium 62, demonstrating the importance of manual penetration testing in uncovering overlooked security issues.

Researchers exploited a vulnerability in CodeRabbit, an AI code review tool, allowing them to achieve remote code execution (RCE) and gain read/write access to 1 million repositories. The exploitation involved creating a malicious pull request that leveraged a flaw in the integration of external static analysis tools, leading to the leakage of sensitive API tokens and secrets. CodeRabbit quickly remediated the vulnerabilities after disclosure, enhancing their security measures in response.

A vulnerability on the American Archive of Public Broadcasting's website allowed unauthorized access to protected media for years before being patched this month. The flaw, which had been exploited since at least 2021, involved a simple script that bypassed access controls, leading to concerns about the sharing of private content within data hoarding communities on Discord. AAPB has since confirmed the fix and reinforced its commitment to protecting archival materials.

A critical vulnerability in the Windows NTFS file system, identified as CVE-2025-49689, allows for exploitation through specially crafted virtual disks (VHD). This vulnerability leads to multiple memory corruptions due to insufficient checks on integer overflow, facilitating potential escalation of privileges for attackers using malicious virtual disks in phishing attempts.