# Pinaka Security — Full Documentation
# License: RSL 1.0 (https://rslicense.org/)
# Citation: Pinaka Security, https://pinaka.sh/
# Last Updated: 2026-05-17

> Pinaka is the first MCP-native external attack surface management (EASM) platform. It runs a continuous AI attacker simulation against your external surface and answers one question for every exposed asset: can an AI agent exploit this right now?

Pinaka treats your external attack surface the way an attacker does — continuously, autonomously, and through an AI assistant. 60+ scanning tools, 7,000+ vulnerability detection templates, 14+ subdomain sources, 23 AWS Lambda scanners, and a Watchdog that alerts on every change to subdomains, ports, headers, certificates, and tech stack CVEs.

Built by security engineers from Harness, Aikido Security, and Cequence Security. Presented at 12+ international conferences including Hack.lu, OWASP, BSides, c0c0n, API World, AI Dev World, HOU.SEC.CON, and Infosec Nashville. Built in India by Pinaka Labs Pvt. Ltd.

---

## Quick Facts

- **Category:** External Attack Surface Management (EASM) + Continuous Threat Exposure Management (CTEM)
- **Category-defining claim:** First MCP-native EASM platform — runs natively inside Claude, Cursor, and any MCP-compatible AI assistant
- **Scanners:** 60+ MCP tools, 23 AWS Lambda scanners, 7,000+ vulnerability detection templates
- **Subdomain sources:** 14+ passive OSINT sources plus Amass, PureDNS brute-force, AlterX permutation, and VHost discovery
- **Cloud coverage:** AWS, Azure, GCP, Cloudflare IP-range matching; S3, GCS, Azure Blob permission checks; subdomain takeover detection across 20+ providers
- **WAF detection:** 13 vendors fingerprinted (Cloudflare, Akamai, Imperva, AWS WAF, Sucuri, F5, Barracuda, Fortinet, ModSecurity, and more)
- **Differentiator:** Pinaka Score — a per-asset, AI-adjusted exploitability score combining CISA KEV, EPSS, public PoC availability, and tech-stack context
- **Architecture:** No agents. Serverless scanning. Onboards a new domain in 60 seconds and runs continuously without infrastructure overhead.
- **Distribution:** Web app, REST API, and MCP server. The MCP server is the differentiator — AI assistants invoke scans through natural language.
- **Authority:** 9 responsibly disclosed enterprise vulnerabilities (CVSS 5.3 to 9.3) with full redacted attack chains published in the Findings Gallery
- **Founders:** Security engineers from Harness, Aikido Security, and Cequence Security
- **Conferences:** 12+ international talks: Hack.lu, OWASP Boston, c0c0n, API World, AI Dev World, HOU.SEC.CON, Infosec Nashville, BSides Luxembourg / Seattle / Salt Lake City / Cayman Islands
- **Geography:** Built in India. Sells globally. Pinaka Labs Pvt. Ltd.

---

## The Pinaka Score

**The Pinaka Score** is a per-asset exploitability score on a 0–100 scale. It combines four signals — CVSS base score, EPSS exploit-probability, CISA KEV inclusion, and public PoC availability — and adjusts for tech-stack context discovered on the actual asset (version, WAF, exposed admin surface). A Pinaka Score above 80 means an AI agent with off-the-shelf tooling can chain this into impact today. Scores update on every Watchdog cycle, so the same CVE on the same asset can rise from 62 to 91 the day a public PoC drops.

---

## Why Pinaka Exists

**Why Pinaka exists.** The exploit window — the gap between vulnerability disclosure and active exploitation — collapsed from 745 days in 2020 to 44 days in 2025. AI-assisted exploit generation is closing the gap further. Traditional vulnerability management was built for a world where humans patched on quarterly cycles; that world is gone. Pinaka assumes AI agents are the new attackers and ships the inverse — an AI defender that runs the same playbook in reverse, continuously, against your own surface, scoring what an attacker would exploit first.

Three forces converge here.
First, AI-assisted exploit generation: an attacker with a public PoC and a capable AI assistant compresses what used to take a week of vulnerability research into hours. Second, surface explosion: a single mid-market SaaS company now operates 200–500 subdomains across owned domains, marketing campaigns, third-party SaaS, and acquisitions — each one a potential entry point. Third, the agentic shift: AI assistants now read documentation, generate code, and act on systems. The same agents will, in time, read CVE feeds and act on vulnerabilities. Pinaka assumes that future and builds for it now.

---

## What is Pinaka?

Pinaka is a continuous external attack surface management platform you can talk to. It is the first MCP-native EASM tool — every scan, every correlation, and every prioritization is exposed as an MCP tool you can invoke through natural language from Claude Desktop, Claude Code, Cursor, or any MCP-compatible AI assistant.

Pinaka automates the entire external reconnaissance, validation, and prioritization workflow with 60+ tools:

1. **MCP-Native Distribution** — First security platform shipped as an MCP server. Every scan, correlation, and prioritization is an MCP tool callable from Claude Desktop, Claude Code, Cursor, or any MCP client.
2. **Autonomous AI Pentest Engine** — AI scanning agent on AWS Fargate that chains primitives into multi-step exploit paths and generates real curl commands against your specific endpoints. Outputs PoC-ready findings and remediation roadmaps, not generic CVE lists.
3. **Pinaka Score** — AI-adjusted exploitability score per asset. Fuses CVSS, EPSS, CISA KEV, public PoC availability, and tech-stack context. Updates on every Watchdog cycle.
4. **Continuous Watchdog** — 24/7 change-driven monitoring of subdomains, ports, headers, certificates, tech stack CVEs, and Shadow IT. Slack and Discord webhook alerts the moment something changes.
5. **Subdomain Discovery** — 14+ passive OSINT sources, Amass, DNS brute-force via PureDNS, subdomain permutation via AlterX, and VHost discovery.
6. **Shadow IT & Shadow AI Discovery** — Surfaces forgotten staging hosts, abandoned subdomains, exposed AI/ML infrastructure, vector databases, Jupyter notebooks, and model serving endpoints.
7. **Subdomain Takeover Detection** — 20+ providers including S3, GitHub Pages, Heroku, Vercel, Netlify, CloudFront, Azure, Shopify, and Tumblr.
8. **Vulnerability Scanning** — 7,000+ detection templates with KEV + EPSS scoring and active exploitation alerts.
9. **Stack CVE Correlation** — Continuous tech fingerprinting against the NVD plus EPSS plus CISA KEV. Detects when a deployed CVE moves into active exploitation.
10. **URL & Endpoint Discovery** — Live crawling via Katana, JavaScript endpoint discovery, and historical mining via GAU and the Wayback Machine.
11. **Secret Scanning** — Pattern matching on discovered JavaScript bundles, Wayback archives, and source maps for exposed API keys, tokens, and credentials — with automatic validation.
12. **XSS Detection** — Automated parameter fuzzing with PoC payload generation via XSStrike and DalFox.
13. **Multi-Source IP & Port Intelligence** — Naabu plus Shodan plus Censys correlation. Per-IP service fingerprinting, product and version detection, org and ASN attribution, automatic risk classification of high-value ports.
14. **Cloud Asset Discovery** — S3, GCS, and Azure Blob permission checks. AWS, Azure, GCP, and Cloudflare IP range matching.
15. **WAF Detection** — 13 vendors fingerprinted: Cloudflare, Akamai, Imperva, AWS WAF, Sucuri, F5, Barracuda, Fortinet, ModSecurity, and more.
16. **Technology Detection** — CMS, frameworks, CDN, analytics, server software. Drives the CVE correlation engine.
17. **No-Agent, Serverless Architecture** — Onboards a new domain in 60 seconds. Scales across hundreds of domains and cloud accounts with zero infrastructure overhead.
### How It Works

Pinaka is an MCP (Model Context Protocol) server. Any AI assistant that supports MCP — Cursor, Claude Desktop, Claude Code, or any other MCP client — can directly invoke Pinaka's scanning and analysis tools through natural language conversation. Describe what you want to find, and Pinaka executes it: subdomain enumeration, port intelligence, CVE correlation, exploit chain generation, secret scanning, cloud asset discovery, WAF fingerprinting, Shadow IT discovery, Shadow AI discovery, subdomain takeover detection — every primitive a security engineer needs, exposed as a tool the AI can call.

---

## How Pinaka Compares

Pinaka is its own category — MCP-native EASM with an autonomous AI attacker simulation. Direct comparison with adjacent tools:

- **vs Shodan** — A search engine for the internet. Indexes services globally but does not monitor your specific surface, does not alert on changes, does not chain exploits, and does not run inside an AI assistant.
- **vs Censys** — Internet-wide scanning database. Strong for research; not built for continuous, change-driven defense of a specific organization's attack surface.
- **vs Detectify** — Web app scanner. Strong on known web vulnerabilities; lacks no-agent architecture, MCP-native distribution, and AI attacker simulation.
- **vs Wiz / Orca** — Cloud-native CNAPPs requiring agent or cloud-account integration. Pinaka complements them with the external view — the surface an attacker sees from the internet without any access to your cloud.
- **vs Snyk / Tenable / Qualys** — Vulnerability management on assets you already know about. Pinaka starts one step earlier — discovering the assets you do not know about, including Shadow IT and Shadow AI infrastructure.
- **vs CloudSEK / ZeroFox** — Brand and dark-web intelligence. Different category. Pinaka focuses on the technical attack surface — subdomains, ports, vulnerable services, exposed secrets, exploitable chains.
---

## Use Cases

### Enterprise Security Teams

Large security organizations need EASM that scales across hundreds of domains, subsidiaries, and cloud accounts without deploying agents. Pinaka's no-agent, serverless scanning architecture lets enterprise teams onboard new assets in minutes and keep continuous vulnerability assessment running without infrastructure overhead. Role-based access, audit trails, SSO/SAML, SLA-backed support, and custom integrations available on Business and Enterprise tiers.

### Mid-Market Companies

Companies that ship fast and often lack dedicated security. Pinaka is turnkey — discovers unknown assets, validates what is exploitable, and produces a prioritized fix list without building tooling from scratch. Engineering leaders get an attack surface grade per domain and a clear remediation roadmap.

### CISOs & Security Managers

Board-level visibility into external exposure with proof that security posture is trending in the right direction. Pinaka aggregates continuous attack surface monitoring into a single risk trendline with change history, CVE correlation, KEV + EPSS scoring, and delta-based evidence of risk reduction. Live dashboards, compliance-friendly audit trails, and exportable reports.

### AppSec Engineers

Depth, automation, and integration points. 60+ automated scanners — subdomain discovery across 14+ sources, multi-source port intelligence, vulnerability scanning with 7,000+ detection templates, XSS fuzzing, secret detection, historical URL mining, JS endpoint discovery, and subdomain takeover detection — all accessible through an API and an MCP server.

### DevSecOps & Engineering

Detect drift before it ships. Compare post-deploy surface against baseline, spot staging or preview leaks automatically, confirm WAF/CDN posture changes. MCP integration with Claude and Cursor lets DevSecOps engineers run scans inline with their AI assistants.

### Pentest Firms & MSSPs

Compress weeks of scoping into hours. Scope-aware asset inventory with history, high-value endpoints ranked automatically, exportable evidence for client reports, snapshot-based testing without repeated work. Multi-tenant watchlists with alerts for consultants and MSSPs.

---

## About Pinaka Security

Pinaka is built by a team of security engineers focused on the intersection of artificial intelligence and offensive security.

### Team Background

- Security engineering at [Harness](https://www.harness.io/), [Aikido Security](https://www.aikido.dev/), and [Cequence Security](https://www.cequence.ai/)
- Experience across AI security, API security, vulnerability research, and penetration testing
- 9 responsibly disclosed vulnerabilities across enterprise targets (CVSS 5.3–9.3)

### Speaking

11+ conferences across 3 countries:

- **Hack.lu 2025** (Luxembourg) — API Underworld: Red Team Hacking Secrets [Workshop]
- **c0c0n 2025** (Kerala, India) — Red Teaming the LLM Stack [Workshop]
- **HOU.SEC.CON 2025** (Houston, TX) — Red Teaming the LLM Stack [Talk]
- **Infosec Nashville** (Nashville, USA) — API Underworld [Talk]
- **BSides Cayman Islands** (George Town) — API Underworld [Workshop]
- **API World 2025** (Santa Clara, USA) — API Underworld [Talk]
- **BSides Luxembourg** (Belval) — API Underworld [Workshop]
- **BSides Seattle** (Seattle, USA) — API Underworld [Workshop]
- **BSides Salt Lake City** (Salt Lake City, USA) — API Underworld [Workshop]
- **OWASP Boston** (Boston, USA) — API Underworld [Workshop]
- **AI Dev World 2025** (San Jose, USA) — AI Frontiers: Shielding Digital Gateways from Bot Invasions [Talk]

### Contact

- Email: hello@pinaka.sh
- X: https://x.com/pinakahq
- Web: https://pinaka.sh/about

---

## Frequently Asked Questions

### What is Pinaka?

Pinaka is the first MCP-native external attack surface management (EASM) platform.
It continuously discovers every internet-facing asset an organization owns — subdomains, ports, cloud storage, exposed APIs, Shadow IT, and Shadow AI infrastructure — runs an autonomous AI attacker simulation against them, and scores each finding by whether an AI agent can exploit it right now. Pinaka runs as a web app, a REST API, and an MCP server callable from Claude Desktop, Claude Code, Cursor, or any MCP-compatible AI assistant.

### What is the Pinaka Score?

The Pinaka Score is a per-asset, AI-adjusted exploitability score on a 0–100 scale. It combines four signals — CVSS base score, EPSS exploit-probability, CISA KEV inclusion, and public PoC availability — and adjusts for tech-stack context discovered on the actual asset (version, WAF presence, exposed admin surface). A score above 80 means an AI agent with off-the-shelf tooling can chain this into impact today. Scores update on every Watchdog cycle.

### How is Pinaka different from Shodan, Censys, Detectify, Wiz, or Tenable?

Shodan and Censys are internet-wide search engines — they index services globally but do not monitor a specific organization's surface, do not alert on changes, do not chain exploits, and do not run inside an AI assistant. Detectify is a web app scanner without a no-agent architecture or MCP distribution. Wiz and Orca are cloud-native CNAPPs requiring agent or cloud-account integration; Pinaka complements them with the external view — the surface an attacker sees from the internet without any access to your cloud. Snyk, Tenable, and Qualys manage vulnerabilities on assets you already know about; Pinaka starts one step earlier by discovering the assets you do not know about, including Shadow IT and Shadow AI.

### What does MCP-native mean and why does it matter for security teams?

Model Context Protocol (MCP) is the open standard for AI assistants to call external tools. Pinaka ships an MCP server exposing 60+ scanning tools, so any MCP-compatible AI assistant — Claude Desktop, Claude Code, Cursor — can invoke Pinaka scans through natural language. A security engineer can ask "find subdomains on acme-corp.com that were not present yesterday and have an open admin panel" and the AI assistant executes Pinaka's subdomain diff, port scan, and admin-panel fingerprint in sequence, returning structured evidence it can reason over. Pinaka is the first security platform built this way.

### Who is Pinaka built for?

Four buyer personas. Enterprise security teams (SSO, RBAC, audit trails, SLA-backed support, no-agent scanning across hundreds of domains and subsidiaries). Mid-market companies without dedicated security teams (turnkey discovery, prioritized fixes, attack surface grade per domain). CISOs and security managers (board-level visibility, KEV + EPSS scoring, delta-based risk trendlines, exportable reports). AppSec and DevSecOps engineers (60+ scanners, REST API, MCP server, change-driven Watchdog alerts).

### What does Pinaka discover that traditional scanners miss?

Pinaka chains discovery primitives that single-purpose scanners cannot. Forgotten staging hosts revealed by certificate transparency logs. Subdomain takeover via dangling CNAMEs against S3, Heroku, Vercel, GitHub Pages, and 16 other providers. Secrets buried in historical JavaScript bundles surfaced via Wayback and source maps. Cloud storage buckets exposed via auto-update manifests. CORS reflection chained with credential leaks for drive-by data exfiltration. BOLA on authenticated APIs. Shadow AI infrastructure — vector databases, Jupyter notebooks, model serving endpoints. Nine redacted real-world examples are published in the Findings Gallery with full attack chains.

### Why does Pinaka exist now?
The exploit window — the gap between vulnerability disclosure and active exploitation — collapsed from 745 days in 2020 to 44 days in 2025, driven by turn-key PoC weaponization, mass scanning, and AI-assisted exploit generation. Traditional vulnerability management was built for a world where humans patched on quarterly cycles. That world is gone. Pinaka assumes AI agents are the new attackers and ships the inverse — an AI defender that runs the same playbook continuously against your own surface and scores what an attacker would exploit first.

### Who built Pinaka?

Pinaka is built by security engineers with backgrounds at Harness, Aikido Security, and Cequence Security. The team has responsibly disclosed 9 vulnerabilities to enterprise targets (CVSS 5.3 to 9.3), all documented with full redacted attack chains in the Findings Gallery. The founders have presented at 12+ international conferences including Hack.lu, OWASP Boston, c0c0n, API World, AI Dev World, HOU.SEC.CON, Infosec Nashville, and BSides Luxembourg / Seattle / Salt Lake City / Cayman Islands. Built in India by Pinaka Labs Pvt. Ltd.

---

## Security Research — Field Notes

Real-world architectural vulnerabilities discovered during independent security research. All targets redacted. Each finding documents the full attack chain, the chained primitives that single-purpose scanners miss, and the business impact.

### Unauthenticated Production Credential Exposure on Financial API (CVSS 9.3 Critical)

A publicly exposed endpoint returned production credentials without any authentication. These credentials granted full access to a financial API handling credit applications with sensitive PII including financial identifiers, corporate addresses, and personal contact details.

Read: https://pinaka.sh/findings/credential-exposure-financial-api

### Exposed Workflow Automation Engine with Unauthenticated Webhooks (CVSS 7.3 High)

A development instance of a workflow automation platform — capable of executing shell commands, connecting to databases, and calling APIs with stored credentials — was exposed on the public internet. The settings and webhook engine were fully unauthenticated.

Read: https://pinaka.sh/findings/workflow-engine-unauthenticated

### Exposed Swagger UI with Hardcoded Admin Credentials (CVSS 7.5 High)

An internal integration API exposed fully functional API documentation covering 16 microservice APIs across supply chain operations. The authentication specification contained hardcoded admin credentials including username, password (following a predictable year-based pattern), and internal identifiers.

Read: https://pinaka.sh/findings/swagger-hardcoded-credentials

### CDN Caching Bypass on Basic Auth Protected Staging Environment (CVSS 5.3 Medium)

A staging environment was protected by HTTP Basic Authentication at the origin. However, the CDN layer served cached prerendered pages without enforcing auth, allowing full unauthenticated access to over 1 MB of staging content, application bundles, and potentially unreleased features.

Read: https://pinaka.sh/findings/cdn-auth-bypass

### Publicly Listable S3 Bucket — Desktop App Executables & Auto-Update Configs (CVSS 9.1 Critical)

The cloud storage bucket hosting the company'

Read: https://pinaka.sh/findings/s3-supply-chain

### CORS Reflection with Credentials on Business API (CVSS 8.6 Critical)

The primary business API reflected any requesting origin with credentials enabled. Combined with a publicly accessible API specification documenting 100+ endpoints, any malicious website could silently read authenticated users'

Read: https://pinaka.sh/findings/cors-business-data-theft

### Subdomain Takeover with Cookie Tossing via Domain-Scoped Session (CVSS 7.5 High)

A subdomain had a dangling DNS record pointing to a deprovisioned third-party hosting service. An attacker could claim the namespace and gain full control of the subdomain. The impact was amplified because a sibling subdomain set session cookies scoped to the parent domain — enabling cookie tossing and session fixation from the taken-over origin.

Read: https://pinaka.sh/findings/subdomain-takeover-cookie-tossing

### Unauthenticated Commerce Platform API — Payment Credentials & Multi-Brand Infrastructure (CVSS 8.6 High)

A commerce platform API exposed sensitive configuration data without authentication. A single unauthenticated request returned 400+ configuration keys including payment processor credentials for multiple providers, internal hostnames for 15+ subsidiary brands across multiple countries, and a development environment config bleeding into production.

Read: https://pinaka.sh/findings/ecommerce-config-disclosure

### Mass User Prompt Leakage via URL Parameters — Permanently Archived (CVSS 7.5 High)

The AI platform accepted user prompts via URL query parameters, which were reflected in the page HTML. These prompt-carrying URLs were actively crawled and permanently archived by major web archival services. Over 1,300 URLs containing 1,100+ unique user prompts were publicly searchable, and the leak was accelerating.

Read: https://pinaka.sh/findings/ai-prompt-mass-leakage

---

## CVE Intelligence Index (24 write-ups)

Every CVE write-up Pinaka has published. Each post documents root cause at the function or file level, affected versions, public PoC status, CISA KEV status, EPSS context, detection commands, and Pinaka Score guidance.
Indexed by CVE ID for direct citation.

- **CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7258, CVE-2026-6104** (2026-05-13) — CVE-2026-6722: PHP SOAP Extension Use-After-Free RCE
  Read: https://pinaka.sh/blog/cve-2026-6722-php-soap-use-after-free-rce
- **CVE-2026-25895** (2026-05-12) — CVE-2026-25895: Path Traversal to RCE in FUXA SCADA
  Read: https://pinaka.sh/blog/cve-2026-25895-fuxa-scada-path-traversal-rce
- **CVE-2026-33937** (2026-05-11) — CVE-2026-33937: Handlebars.js RCE via AST Injection in Template Compilation
  Read: https://pinaka.sh/blog/cve-2026-33937-handlebars-ast-injection-rce
- **CVE-2026-31431** (2026-05-11) — CVE-2026-31431: Copy Fail Linux Kernel Privilege Escalation — Root in Seconds
  Read: https://pinaka.sh/blog/cve-2026-31431-copy-fail-linux-kernel-lpe
- **CVE-2026-3844** (2026-05-05) — CVE-2026-3844: WordPress Breeze Plugin Unauthenticated File Upload RCE
  Read: https://pinaka.sh/blog/cve-2026-3844-wordpress-breeze-plugin-file-upload-rce
- **CVE-2026-41940** (2026-05-04) — CVE-2026-41940: cPanel & WHM Critical Authentication Bypass — Unauthenticated WHM Admin Access
  Read: https://pinaka.sh/blog/cve-2026-41940-cpanel-whm-auth-bypass
- **CVE-2026-44312** (2026-05-01) — CVE-2026-44312: Veeam Backup Enterprise Manager Pre-Auth RCE via Hardcoded machineKey
  Read: https://pinaka.sh/blog/cve-2026-44312-veeam-backup-enterprise-manager-preauth-rce
- **CVE-2026-1731** (2026-04-29) — CVE-2026-1731: BeyondTrust Remote Support Pre-Auth RCE via WebSocket Command Injection
  Read: https://pinaka.sh/blog/cve-2026-1731-beyondtrust-remote-support-preauth-rce
- **CVE-2026-3854** (2026-04-28) — CVE-2026-3854: GitHub Enterprise Server Git Push RCE — Authenticated to Full Server Compromise
  Read: https://pinaka.sh/blog/cve-2026-3854-github-enterprise-server-git-push-rce
- **CVE-2026-29017** (2026-04-27) — CVE-2026-29017: Atlassian Confluence OGNL Injection — Pre-Auth RCE
  Read: https://pinaka.sh/blog/cve-2026-29017-confluence-ognl-preauth-rce
- **CVE-2026-11537** (2026-04-24) — CVE-2026-11537: Palo Alto PAN-OS GlobalProtect Pre-Auth RCE — Are You Exposed?
  Read: https://pinaka.sh/blog/cve-2026-11537-panos-globalprotect-preauth-rce
- **CVE-2026-22754** (2026-04-24) — CVE-2026-22754: VMware vCenter Server SOAP API Heap Overflow — Pre-Auth RCE — Are You Exposed?
  Read: https://pinaka.sh/blog/cve-2026-22754-vmware-vcenter-soap-preauth-rce
- **CVE-2026-41651** (2026-04-24) — CVE-2026-41651: Pack2TheRoot — The PackageKit Race That Gives Any Local User Root on Ubuntu, Debian, and Fedora
  Read: https://pinaka.sh/blog/cve-2026-41651-pack2theroot-packagekit-lpe
- **CVE-2025-55182** (2026-04-23) — CVE-2025-55182: React2Shell — Next.js RSC Payload Injection to RCE — Are You Exposed?
  Read: https://pinaka.sh/blog/cve-2025-55182-nextjs-react2shell-rce
- **CVE-2026-25917** (2026-04-22) — CVE-2026-25917: Apache Airflow XCom Deserialization RCE — CVSS 9.8, Affects All Versions Before 3.2.0
  Read: https://pinaka.sh/blog/cve-2026-25917-apache-airflow-xcom-deserialization-rce
- **CVE-2026-24423** (2026-04-21) — CVE-2026-24423: SmarterMail ConnectToHub Pre-Auth RCE — Unauthenticated Shell on Enterprise Mail Servers, CVSS 9.8
  Read: https://pinaka.sh/blog/cve-2026-24423-smartermail-connecttohub-preauth-rce
- **CVE-2026-20181** (2026-04-21) — CVE-2026-20181: Cisco IOS XE Web UI Pre-Auth Command Injection — Unauthenticated Root RCE, CVSS 9.8
  Read: https://pinaka.sh/blog/cve-2026-20181-cisco-ios-xe-webui-preauth-rce
- **CVE-2026-39808** (2026-04-20) — CVE-2026-39808: Fortinet FortiSandbox Pre-Auth OS Command Injection — Unauthenticated Root RCE, CVSS 9.1
  Read: https://pinaka.sh/blog/cve-2026-39808-fortisandbox-preauth-rce
- **CVE-2025-53521** (2026-04-20) — CVE-2025-53521: F5 BIG-IP APM Pre-Auth RCE — CVSS 9.8, Nation-State Exploited, 14K Instances Exposed
  Read: https://pinaka.sh/blog/cve-2025-53521-f5-big-ip-apm-preauth-rce
- **CVE-2026-34197** (2026-04-18) — CVE-2026-34197: Apache ActiveMQ Jolokia RCE — Authenticated to Shell via Spring XML
  Read: https://pinaka.sh/blog/cve-2026-34197-activemq-jolokia-rce
- **CVE-2026-33824** (2026-04-17) — CVE-2026-33824: Windows IKE Double-Free — Wormable CVSS 9.8 RCE
  Read: https://pinaka.sh/blog/cve-2026-33824-windows-ike-rce
- **CVE-2026-1340, CVE-2026-1281** (2026-04-16) — CVE-2026-1340: Ivanti EPMM Pre-Auth Code Injection — Mass-Exploited CVSS 9.8 RCE
  Read: https://pinaka.sh/blog/cve-2026-1340-ivanti-epmm-preauth-rce
- **CVE-2026-3055, CVE-2026-4368** (2026-04-16) — CVE-2026-3055: Citrix NetScaler SAML IDP Memory Overread — CitrixBleed 3 Under Active Exploitation
  Read: https://pinaka.sh/blog/cve-2026-3055-netscaler-saml-memory-overread
- **CVE-2026-35616** (2026-04-15) — CVE-2026-35616: Fortinet FortiClient EMS Pre-Auth API Bypass — Zero-Day Under Active Exploitation
  Read: https://pinaka.sh/blog/cve-2026-35616-forticlient-ems-auth-bypass

---

## All Blog Posts (39, newest first)

Technical analysis of high-impact CVEs, EASM strategy, and post-mortems of AI-coding incidents. Each post is written for security engineers — primary sources cited, root cause identified at the function or file level, detection commands provided, and Pinaka Score context where applicable.

### CVE-2026-6722: PHP SOAP Extension Use-After-Free RCE (2026-05-13)

Technical analysis of CVE-2026-6722 in PHP'

Read: https://pinaka.sh/blog/cve-2026-6722-php-soap-use-after-free-rce

### CVE-2026-25895: Path Traversal to RCE in FUXA SCADA (2026-05-12)

Technical analysis of CVE-2026-25895 in FUXA SCADA. CVSS 9.8, public PoC. Unauthenticated path traversal enabling arbitrary file write and remote code execution against industrial control systems — how to detect exposure and how Pinaka catches it.

Read: https://pinaka.sh/blog/cve-2026-25895-fuxa-scada-path-traversal-rce

### Threat Modeling Is Broken. Here' (2026-05-12)

Traditional threat models are fiction built from outdated architecture diagrams.
Learn how to build threat models from real reconnaissance data — grounded in STRIDE, cited by evidence, mapped to NIST/CIS.

Read: https://pinaka.sh/blog/threat-modeling-is-broken

### How to Answer Security Questionnaires Without Lying (2026-05-12)

Most companies answer security questionnaires aspirationally. Here'

Read: https://pinaka.sh/blog/security-questionnaires-without-lying

### CVE-2026-33937: Handlebars.js RCE via AST Injection in Template Compilation (2026-05-11)

Technical analysis of CVE-2026-33937 in Handlebars.js (Node.js). CVSS 9.8, public PoC. AST injection during template compilation enables remote code execution in Node.js applications — how to detect exposure and how Pinaka catches it.

Read: https://pinaka.sh/blog/cve-2026-33937-handlebars-ast-injection-rce

### CVE-2026-31431: Copy Fail Linux Kernel Privilege Escalation — Root in Seconds (2026-05-11)

Technical analysis of CVE-2026-31431, the Copy Fail Linux kernel local privilege escalation. CVSS 7.8, CISA KEV. How page cache corruption turns local access into root, affected kernels, patch guidance, detection, and attack surface impact.

Read: https://pinaka.sh/blog/cve-2026-31431-copy-fail-linux-kernel-lpe

### The Exploit Window Is Closing: 745 Days to 44, and the Clock Is Still Accelerating (2026-05-11)

Time from vulnerability disclosure to active exploitation collapsed from 745 days in 2020 to 44 days in 2025 — a 94% drop driven by turn-key PoC weaponization and mass scanning. Why your patch SLA hasn'

Read: https://pinaka.sh/blog/exploit-window-shrinking-ai

### CVE-2026-3844: WordPress Breeze Plugin Unauthenticated File Upload RCE (2026-05-05)

Technical analysis of CVE-2026-3844 in WordPress Breeze plugin by Cloudways. CVSS 9.8, public PoC. Unauthenticated arbitrary file upload leading to remote code execution — how to detect exposure and how Pinaka catches it.

Read: https://pinaka.sh/blog/cve-2026-3844-wordpress-breeze-plugin-file-upload-rce

### CVE-2026-41940: cPanel & WHM Critical Authentication Bypass — Unauthenticated WHM Admin Access (2026-05-04)

Technical analysis of CVE-2026-41940 in cPanel & WHM. CVSS 9.8, public PoC. Unauthenticated bypass to full WHM administrative access — how to detect exposure and how Pinaka catches it.

Read: https://pinaka.sh/blog/cve-2026-41940-cpanel-whm-auth-bypass

### Threat Exposure Management: Why Security Stopped Counting Bugs and Started Counting Attack Paths (2026-05-04)

What threat exposure management is, why it replaced vulnerability scanning as the security category that matters in 2026, and how continuous attack surface monitoring with threat validation closes the gap that breached every recent headline.

Read: https://pinaka.sh/blog/threat-exposure-management-why-now

### CVE-2026-44312: Veeam Backup Enterprise Manager Pre-Auth RCE via Hardcoded machineKey (2026-05-01)

Technical analysis of CVE-2026-44312 in Veeam Backup & Replication Enterprise Manager. CVSS 9.8, EPSS 14.2%, CISA KEV. Hardcoded ASP.NET machineKey enables pre-auth deserialization RCE — how to detect exposure and how Pinaka catches it.

Read: https://pinaka.sh/blog/cve-2026-44312-veeam-backup-enterprise-manager-preauth-rce

### CVE-2026-1731: BeyondTrust Remote Support Pre-Auth RCE via WebSocket Command Injection (2026-04-29)

Technical analysis of CVE-2026-1731 in BeyondTrust Remote Support and PRA. CVSS 9.9, EPSS 49.7%, CISA KEV. Pre-auth WebSocket command injection — how to detect exposure and how Pinaka catches it.

Read: https://pinaka.sh/blog/cve-2026-1731-beyondtrust-remote-support-preauth-rce

### CVE-2026-3854: GitHub Enterprise Server Git Push RCE — Authenticated to Full Server Compromise (2026-04-28)

CVE-2026-3854 in GitHub Enterprise Server: git push option injection enables RCE. High severity, 88% of instances unpatched. Affects GHES <= 3.19.1. Upgrade to 3.19.3 immediately.

Read: https://pinaka.sh/blog/cve-2026-3854-github-enterprise-server-git-push-rce

### CVE-2026-29017: Atlassian Confluence OGNL Injection — Pre-Auth RCE (2026-04-27)

CVE-2026-29017 in Atlassian Confluence Data Center: pre-auth OGNL injection RCE, CVSS 9.8, EPSS 9.4%, CISA KEV. Affects all versions 8.0.0–9.3.0. Detect and patch now.

Read: https://pinaka.sh/blog/cve-2026-29017-confluence-ognl-preauth-rce

### CVE-2026-11537: Palo Alto PAN-OS GlobalProtect Pre-Auth RCE — Are You Exposed? (2026-04-24)

CVE-2026-11537 in Palo Alto PAN-OS GlobalProtect: pre-auth stack overflow, CVSS 9.8, EPSS 7.8%, KEV-listed. Patch immediately.

Read: https://pinaka.sh/blog/cve-2026-11537-panos-globalprotect-preauth-rce

### CVE-2026-22754: VMware vCenter Server SOAP API Heap Overflow — Pre-Auth RCE — Are You Exposed? (2026-04-24)

CVE-2026-22754 in VMware vCenter Server: pre-auth heap overflow, CVSS 9.8, KEV-listed, public PoC. Detect exposure and patch to vCenter 7.0 U3t or 8.0 U3b.

Read: https://pinaka.sh/blog/cve-2026-22754-vmware-vcenter-soap-preauth-rce

### CVE-2026-41651: Pack2TheRoot — The PackageKit Race That Gives Any Local User Root on Ubuntu, Debian, and Fedora (2026-04-24)

CVE-2026-41651 (Pack2TheRoot): PackageKit TOCTOU race grants root to any local user. CVSS 8.8, Ubuntu/Debian/Fedora affected. Patch to 1.3.5 immediately.

Read: https://pinaka.sh/blog/cve-2026-41651-pack2theroot-packagekit-lpe

### CVE-2025-55182: React2Shell — Next.js RSC Payload Injection to RCE — Are You Exposed? (2026-04-23)

CVE-2025-55182 (React2Shell): Next.js RSC payload injection to RCE, KEV-listed. Detect and patch your Next.js deployments now.

Read: https://pinaka.sh/blog/cve-2025-55182-nextjs-react2shell-rce

### CVE-2026-25917: Apache Airflow XCom Deserialization RCE — CVSS 9.8, Affects All Versions Before 3.2.0 (2026-04-22)

CVE-2026-25917 in Apache Airflow: XCom deserialization RCE, CVSS 9.8, KEV-listed. Affects all versions before 3.2.0. Patch now.

Read: https://pinaka.sh/blog/cve-2026-25917-apache-airflow-xcom-deserialization-rce

### EASM for Indian Startups — Why Continuous Attack Surface Management Is Now a Compliance and Capital Question (2026-04-22)

Why Indian startups need continuous attack surface monitoring now — DPDP compliance, CERT-In mandates, and what investors are asking about security.

Read: https://pinaka.sh/blog/easm-for-indian-startups

### EASM vs. Pentesting — When to Run Which, and How to Wire Them Together (2026-04-22)

EASM vs. penetration testing: what each finds, when to run each, and how to wire them together for complete external attack surface coverage.

Read: https://pinaka.sh/blog/easm-vs-pentesting

### What Is EASM? External Attack Surface Management, Explained by the Team That Lives In It (2026-04-22)

What is EASM? External attack surface management explained — how it works, what it finds, and why security teams are adopting continuous ASM.

Read: https://pinaka.sh/blog/what-is-easm

### CVE-2026-24423: SmarterMail ConnectToHub Pre-Auth RCE — Unauthenticated Shell on Enterprise Mail Servers, CVSS 9.8 (2026-04-21)

CVE-2026-24423 in SmarterMail: unauthenticated RCE via ConnectToHub, CVSS 9.8, KEV-listed. Detect and patch exposed enterprise mail servers.

Read: https://pinaka.sh/blog/cve-2026-24423-smartermail-connecttohub-preauth-rce

### CVE-2026-20181: Cisco IOS XE Web UI Pre-Auth Command Injection — Unauthenticated Root RCE, CVSS 9.8 (2026-04-21)

CVE-2026-20181 in Cisco IOS XE: unauthenticated command injection in Web UI, CVSS 9.8, KEV-listed. Detect exposure and disable the http server.

Read: https://pinaka.sh/blog/cve-2026-20181-cisco-ios-xe-webui-preauth-rce

### CVE-2026-39808: Fortinet FortiSandbox Pre-Auth OS Command Injection — Unauthenticated Root RCE, CVSS 9.1 (2026-04-20)

CVE-2026-39808 in Fortinet FortiSandbox: pre-auth OS command injection, CVSS 9.1. Unauthenticated root RCE — detect and patch now.
Read: https://pinaka.sh/blog/cve-2026-39808-fortisandbox-preauth-rce ### Bare Repository Attacks: How Exposed .git Directories Lead to Full Source Code Disclosure (2026-04-20) How exposed .git directories lead to full source code disclosure. Tools, techniques, detection methods, and remediation for bare repo attacks. Read: https://pinaka.sh/blog/bare-repository-attacks ### CVE-2025-53521: F5 BIG-IP APM Pre-Auth RCE — CVSS 9.8, Nation-State Exploited, 14K Instances Exposed (2026-04-20) CVE-2025-53521 in F5 BIG-IP APM: pre-auth RCE, CVSS 9.8, nation-state exploited. 14K instances exposed. Detect and patch now. Read: https://pinaka.sh/blog/cve-2025-53521-f5-big-ip-apm-preauth-rce ### The Vercel Breach: How a Roblox Cheat Script Led to a $2M Ransom Demand (2026-04-20) How a Roblox cheat script led to infostealer compromise, secret exfiltration, and a $2M ransom demand at Vercel — a supply chain breach analysis. Read: https://pinaka.sh/blog/vercel-april-2026-breach-analysis ### CVE-2026-34197: Apache ActiveMQ Jolokia RCE — Authenticated to Shell via Spring XML (2026-04-18) CVE-2026-34197 in Apache ActiveMQ: RCE via Jolokia and Spring XML, KEV-listed. Detect exposed Jolokia endpoints and patch. Read: https://pinaka.sh/blog/cve-2026-34197-activemq-jolokia-rce ### CVE-2026-33824: Windows IKE Double-Free — Wormable CVSS 9.8 RCE (2026-04-17) CVE-2026-33824: Windows IKE double-free enabling wormable CVSS 9.8 RCE. No auth required. Detect exposure and apply Microsoft patches. Read: https://pinaka.sh/blog/cve-2026-33824-windows-ike-rce ### CVE-2026-1340: Ivanti EPMM Pre-Auth Code Injection — Mass-Exploited CVSS 9.8 RCE (2026-04-16) CVE-2026-1340 in Ivanti EPMM: pre-auth code injection, CVSS 9.8, mass-exploited KEV entry. Detect mobile device management exposure and patch. 
Read: https://pinaka.sh/blog/cve-2026-1340-ivanti-epmm-preauth-rce ### CVE-2026-3055: Citrix NetScaler SAML IDP Memory Overread — CitrixBleed 3 Under Active Exploitation (2026-04-16) CVE-2026-3055 in Citrix NetScaler: SAML IDP memory overread (CitrixBleed 3), KEV-listed and actively exploited. Detect and patch now. Read: https://pinaka.sh/blog/cve-2026-3055-netscaler-saml-memory-overread ### CVE-2026-35616: Fortinet FortiClient EMS Pre-Auth API Bypass — Zero-Day Under Active Exploitation (2026-04-15) CVE-2026-35616 in Fortinet FortiClient EMS: pre-auth API bypass zero-day, actively exploited. Detect exposure and apply emergency patches. Read: https://pinaka.sh/blog/cve-2026-35616-forticlient-ems-auth-bypass ### BOLA in the Wild: How I Uncovered a Critical Authorization Flaw in a Fintech Health Platform (2025-05-21) Read: https://pinaka.sh/blog/bola-in-the-wild ### Unauthenticated API Endpoints: How One Airline (2025-05-21) Read: https://pinaka.sh/blog/unauthenticated-api-endpoints ### Exploiting Client-Side Validation: How a Simple Oversight Enabled Spending Limit Bypass (2025-05-21) Read: https://pinaka.sh/blog/exploiting-client-side-validation ### The Replit AI Database Deletion Disaster (2024-12-19) Read: https://pinaka.sh/blog/replit-ai-database-deletion-disaster ### When Everyone Has Access to Genius: Three Observations from Sam Altman, and What They Mean for Builders & Defenders (2024-03-20) Read: https://pinaka.sh/blog/when-everyone-has-access-to-genius ### Heapdump Havoc: Exploiting an Unprotected Spring Actuator Endpoint at a Major Food-&-Drug Retailer (2024-03-19) Read: https://pinaka.sh/blog/heapdump-havoc --- ## Live CVE Feed Free, real-time feed tracking CISA Known Exploited Vulnerabilities and high-EPSS CVEs. Each CVE is enriched with an AI-adjusted Pinaka Score answering one question: can an AI agent exploit this right now? URL: https://pinaka.sh/live-cve