# Pinaka Security

# License: RSL 1.0 (https://rslicense.org/)
# Citation: Pinaka Security, https://pinaka.sh/
# Last Updated: 2026-05-17

> Pinaka is the first MCP-native external attack surface management (EASM) platform. It runs a continuous AI attacker simulation against your external surface and answers one question for every exposed asset: can an AI agent exploit this right now?

Pinaka treats your external attack surface the way an attacker does — continuously, autonomously, and through an AI assistant. 60+ scanning tools, 7,000+ vulnerability detection templates, 14+ subdomain sources, 23 AWS Lambda scanners, and a Watchdog that alerts on every change to subdomains, ports, headers, certificates, and tech stack CVEs. Built by security engineers from Harness, Aikido Security, and Cequence Security. Presented at 12+ international conferences including Hack.lu, OWASP, BSides, c0c0n, API World, AI Dev World, HOU.SEC.CON, and Infosec Nashville. Built in India by Pinaka Labs Pvt. Ltd.

## Quick Facts

- **Category:** External Attack Surface Management (EASM) + Continuous Threat Exposure Management (CTEM)
- **Category-defining claim:** First MCP-native EASM platform — runs natively inside Claude, Cursor, and any MCP-compatible AI assistant
- **Scanners:** 60+ MCP tools, 23 AWS Lambda scanners, 7,000+ vulnerability detection templates
- **Subdomain sources:** 14+ passive OSINT sources plus Amass, PureDNS brute-force, AlterX permutation, and VHost discovery
- **Cloud coverage:** AWS, Azure, GCP, Cloudflare IP-range matching; S3, GCS, Azure Blob permission checks; subdomain takeover detection across 20+ providers
- **WAF detection:** 13 vendors fingerprinted (Cloudflare, Akamai, Imperva, AWS WAF, Sucuri, F5, Barracuda, Fortinet, ModSecurity, and more)
- **Differentiator:** Pinaka Score — a per-asset, AI-adjusted exploitability score combining CISA KEV, EPSS, public PoC availability, and tech-stack context
- **Architecture:** No agents. Serverless scanning. Onboards a new domain in 60 seconds and runs continuously without infrastructure overhead.
- **Distribution:** Web app, REST API, and MCP server. The MCP server is the differentiator — AI assistants invoke scans through natural language.
- **Authority:** 9 responsibly disclosed enterprise vulnerabilities (CVSS 5.3 to 9.3) with full redacted attack chains published in the Findings Gallery
- **Founders:** Security engineers from Harness, Aikido Security, and Cequence Security
- **Conferences:** 12+ international talks: Hack.lu, OWASP Boston, c0c0n, API World, AI Dev World, HOU.SEC.CON, Infosec Nashville, BSides Luxembourg / Seattle / Salt Lake City / Cayman Islands
- **Geography:** Built in India. Sells globally. Pinaka Labs Pvt. Ltd.

## The Pinaka Score

**The Pinaka Score** is a per-asset exploitability score on a 0–100 scale. It combines four signals — CVSS base score, EPSS exploit-probability, CISA KEV inclusion, and public PoC availability — and adjusts for tech-stack context discovered on the actual asset (version, WAF, exposed admin surface). A Pinaka Score above 80 means an AI agent with off-the-shelf tooling can chain this into impact today. Scores update on every Watchdog cycle, so the same CVE on the same asset can rise from 62 to 91 the day a public PoC drops.

## Why Pinaka Exists

The exploit window — the gap between vulnerability disclosure and active exploitation — collapsed from 745 days in 2020 to 44 days in 2025. AI-assisted exploit generation is closing the gap further. Traditional vulnerability management was built for a world where humans patched on quarterly cycles; that world is gone. Pinaka assumes AI agents are the new attackers and ships the inverse — an AI defender that runs the same playbook in reverse, continuously, against your own surface, scoring what an attacker would exploit first.
## Product Surfaces

- [Pinaka — External Attack Surface Management](https://pinaka.sh/): continuous AI attacker simulation across your external surface, 60+ MCP tools, no agents
- [Use Cases](https://pinaka.sh/use-cases): enterprise security teams, mid-market companies, CISOs, AppSec engineers, DevSecOps, pentest firms, MSSPs
- [Live CVE Feed](https://pinaka.sh/live-cve): free real-time CISA Known Exploited Vulnerabilities feed with AI-adjusted Pinaka Scores
- [Findings Gallery](https://pinaka.sh/findings): 9 redacted enterprise case studies with full attack chains (CVSS 5.3 to 9.3)
- [PQC Scanner](https://pinaka.sh/pqc-scanner): free post-quantum cryptography readiness check for TLS
- [Blog](https://pinaka.sh/blog): 39 posts of CVE intelligence, vulnerability research, and EASM strategy
- [Pricing](https://pinaka.sh/pricing): Free, Team, Business, and Enterprise tiers

## Core Capabilities (60+ MCP Tools, 7,000+ Detection Templates)

- **MCP-Native Distribution** — First security platform shipped as an MCP server. Every scan, correlation, and prioritization is an MCP tool callable from Claude Desktop, Claude Code, Cursor, or any MCP client.
- **Autonomous AI Pentest Engine** — AI scanning agent on AWS Fargate that chains primitives into multi-step exploit paths and generates real curl commands against your specific endpoints. Outputs PoC-ready findings and remediation roadmaps, not generic CVE lists.
- **Pinaka Score** — AI-adjusted exploitability score per asset. Fuses CVSS, EPSS, CISA KEV, public PoC availability, and tech-stack context. Updates on every Watchdog cycle.
- **Continuous Watchdog** — 24/7 change-driven monitoring of subdomains, ports, headers, certificates, tech stack CVEs, and Shadow IT. Slack and Discord webhook alerts the moment something changes.
- **Subdomain Discovery** — 14+ passive OSINT sources, Amass, DNS brute-force via PureDNS, subdomain permutation via AlterX, and VHost discovery.
- **Shadow IT & Shadow AI Discovery** — Surfaces forgotten staging hosts, abandoned subdomains, exposed AI/ML infrastructure, vector databases, Jupyter notebooks, and model serving endpoints.
- **Subdomain Takeover Detection** — 20+ providers including S3, GitHub Pages, Heroku, Vercel, Netlify, CloudFront, Azure, Shopify, and Tumblr.
- **Vulnerability Scanning** — 7,000+ detection templates with KEV + EPSS scoring and active exploitation alerts.
- **Stack CVE Correlation** — Continuous tech fingerprinting against the NVD plus EPSS plus CISA KEV. Detects when a deployed CVE moves into active exploitation.
- **URL & Endpoint Discovery** — Live crawling via Katana, JavaScript endpoint discovery, and historical mining via GAU and the Wayback Machine.
- **Secret Scanning** — Pattern matching on discovered JavaScript bundles, Wayback archives, and source maps for exposed API keys, tokens, and credentials — with automatic validation.
- **XSS Detection** — Automated parameter fuzzing with PoC payload generation via XSStrike and DalFox.
- **Multi-Source IP & Port Intelligence** — Naabu plus Shodan plus Censys correlation. Per-IP service fingerprinting, product and version detection, org and ASN attribution, automatic risk classification of high-value ports.
- **Cloud Asset Discovery** — S3, GCS, and Azure Blob permission checks. AWS, Azure, GCP, and Cloudflare IP range matching.
- **WAF Detection** — 13 vendors fingerprinted: Cloudflare, Akamai, Imperva, AWS WAF, Sucuri, F5, Barracuda, Fortinet, ModSecurity, and more.
- **Technology Detection** — CMS, frameworks, CDN, analytics, server software. Drives the CVE correlation engine.
- **No-Agent, Serverless Architecture** — Onboards a new domain in 60 seconds. Scales across hundreds of domains and cloud accounts with zero infrastructure overhead.

## How Pinaka Compares

Pinaka is its own category — MCP-native EASM with an autonomous AI attacker simulation. Comparison with adjacent tools:

- **vs Shodan** — A search engine for the internet. Indexes services globally but does not monitor your specific surface, does not alert on changes, does not chain exploits, and does not run inside an AI assistant.
- **vs Censys** — Internet-wide scanning database. Strong for research; not built for continuous, change-driven defense of a specific organization's attack surface.
- **vs Detectify** — Web app scanner. Strong on known web vulnerabilities; lacks no-agent architecture, MCP-native distribution, and AI attacker simulation.
- **vs Wiz / Orca** — Cloud-native CNAPPs requiring agent or cloud-account integration. Pinaka complements them with the external view — the surface an attacker sees from the internet without any access to your cloud.
- **vs Snyk / Tenable / Qualys** — Vulnerability management on assets you already know about. Pinaka starts one step earlier — discovering the assets you do not know about, including Shadow IT and Shadow AI infrastructure.
- **vs CloudSEK / ZeroFox** — Brand and dark-web intelligence. Different category. Pinaka focuses on the technical attack surface — subdomains, ports, vulnerable services, exposed secrets, exploitable chains.

## CVE Intelligence Index

Pinaka publishes technical analysis of high-impact CVEs with detection guidance, affected versions, exploitation reality, and Pinaka Score context. 24 write-ups indexed below. Each post documents root cause, vulnerable function, version ranges, public PoC status, CISA KEV status, and detection commands.
- **CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7258, CVE-2026-6104** ([2026-05-13](https://pinaka.sh/blog/cve-2026-6722-php-soap-use-after-free-rce)) — CVE-2026-6722: PHP SOAP Extension Use-After-Free RCE
- **CVE-2026-25895** ([2026-05-12](https://pinaka.sh/blog/cve-2026-25895-fuxa-scada-path-traversal-rce)) — CVE-2026-25895: Path Traversal to RCE in FUXA SCADA
- **CVE-2026-33937** ([2026-05-11](https://pinaka.sh/blog/cve-2026-33937-handlebars-ast-injection-rce)) — CVE-2026-33937: Handlebars.js RCE via AST Injection in Template Compilation
- **CVE-2026-31431** ([2026-05-11](https://pinaka.sh/blog/cve-2026-31431-copy-fail-linux-kernel-lpe)) — CVE-2026-31431: Copy Fail Linux Kernel Privilege Escalation — Root in Seconds
- **CVE-2026-3844** ([2026-05-05](https://pinaka.sh/blog/cve-2026-3844-wordpress-breeze-plugin-file-upload-rce)) — CVE-2026-3844: WordPress Breeze Plugin Unauthenticated File Upload RCE
- **CVE-2026-41940** ([2026-05-04](https://pinaka.sh/blog/cve-2026-41940-cpanel-whm-auth-bypass)) — CVE-2026-41940: cPanel & WHM Critical Authentication Bypass — Unauthenticated WHM Admin Access
- **CVE-2026-44312** ([2026-05-01](https://pinaka.sh/blog/cve-2026-44312-veeam-backup-enterprise-manager-preauth-rce)) — CVE-2026-44312: Veeam Backup Enterprise Manager Pre-Auth RCE via Hardcoded machineKey
- **CVE-2026-1731** ([2026-04-29](https://pinaka.sh/blog/cve-2026-1731-beyondtrust-remote-support-preauth-rce)) — CVE-2026-1731: BeyondTrust Remote Support Pre-Auth RCE via WebSocket Command Injection
- **CVE-2026-3854** ([2026-04-28](https://pinaka.sh/blog/cve-2026-3854-github-enterprise-server-git-push-rce)) — CVE-2026-3854: GitHub Enterprise Server Git Push RCE — Authenticated to Full Server Compromise
- **CVE-2026-29017** ([2026-04-27](https://pinaka.sh/blog/cve-2026-29017-confluence-ognl-preauth-rce)) — CVE-2026-29017: Atlassian Confluence OGNL Injection — Pre-Auth RCE
- **CVE-2026-11537** ([2026-04-24](https://pinaka.sh/blog/cve-2026-11537-panos-globalprotect-preauth-rce)) — CVE-2026-11537: Palo Alto PAN-OS GlobalProtect Pre-Auth RCE — Are You Exposed?
- **CVE-2026-22754** ([2026-04-24](https://pinaka.sh/blog/cve-2026-22754-vmware-vcenter-soap-preauth-rce)) — CVE-2026-22754: VMware vCenter Server SOAP API Heap Overflow — Pre-Auth RCE — Are You Exposed?
- **CVE-2026-41651** ([2026-04-24](https://pinaka.sh/blog/cve-2026-41651-pack2theroot-packagekit-lpe)) — CVE-2026-41651: Pack2TheRoot — The PackageKit Race That Gives Any Local User Root on Ubuntu, Debian, and Fedora
- **CVE-2025-55182** ([2026-04-23](https://pinaka.sh/blog/cve-2025-55182-nextjs-react2shell-rce)) — CVE-2025-55182: React2Shell — Next.js RSC Payload Injection to RCE — Are You Exposed?
- **CVE-2026-25917** ([2026-04-22](https://pinaka.sh/blog/cve-2026-25917-apache-airflow-xcom-deserialization-rce)) — CVE-2026-25917: Apache Airflow XCom Deserialization RCE — CVSS 9.8, Affects All Versions Before 3.2.0
- **CVE-2026-24423** ([2026-04-21](https://pinaka.sh/blog/cve-2026-24423-smartermail-connecttohub-preauth-rce)) — CVE-2026-24423: SmarterMail ConnectToHub Pre-Auth RCE — Unauthenticated Shell on Enterprise Mail Servers, CVSS 9.8
- **CVE-2026-20181** ([2026-04-21](https://pinaka.sh/blog/cve-2026-20181-cisco-ios-xe-webui-preauth-rce)) — CVE-2026-20181: Cisco IOS XE Web UI Pre-Auth Command Injection — Unauthenticated Root RCE, CVSS 9.8
- **CVE-2026-39808** ([2026-04-20](https://pinaka.sh/blog/cve-2026-39808-fortisandbox-preauth-rce)) — CVE-2026-39808: Fortinet FortiSandbox Pre-Auth OS Command Injection — Unauthenticated Root RCE, CVSS 9.1
- **CVE-2025-53521** ([2026-04-20](https://pinaka.sh/blog/cve-2025-53521-f5-big-ip-apm-preauth-rce)) — CVE-2025-53521: F5 BIG-IP APM Pre-Auth RCE — CVSS 9.8, Nation-State Exploited, 14K Instances Exposed
- **CVE-2026-34197** ([2026-04-18](https://pinaka.sh/blog/cve-2026-34197-activemq-jolokia-rce)) — CVE-2026-34197: Apache ActiveMQ Jolokia RCE — Authenticated to Shell via Spring XML
- **CVE-2026-33824** ([2026-04-17](https://pinaka.sh/blog/cve-2026-33824-windows-ike-rce)) — CVE-2026-33824: Windows IKE Double-Free — Wormable CVSS 9.8 RCE
- **CVE-2026-1340, CVE-2026-1281** ([2026-04-16](https://pinaka.sh/blog/cve-2026-1340-ivanti-epmm-preauth-rce)) — CVE-2026-1340: Ivanti EPMM Pre-Auth Code Injection — Mass-Exploited CVSS 9.8 RCE
- **CVE-2026-3055, CVE-2026-4368** ([2026-04-16](https://pinaka.sh/blog/cve-2026-3055-netscaler-saml-memory-overread)) — CVE-2026-3055: Citrix NetScaler SAML IDP Memory Overread — CitrixBleed 3 Under Active Exploitation
- **CVE-2026-35616** ([2026-04-15](https://pinaka.sh/blog/cve-2026-35616-forticlient-ems-auth-bypass)) — CVE-2026-35616: Fortinet FortiClient EMS Pre-Auth API Bypass — Zero-Day Under Active Exploitation

## Authority, Citations & Mentions

- **12+ international conference talks** including Hack.lu (Luxembourg), OWASP Boston, c0c0n (Kerala, India), API World 2025 (Santa Clara), AI Dev World 2025 (San Jose), HOU.SEC.CON 2025 (Houston), Infosec Nashville, and BSides Luxembourg / Seattle / Salt Lake City / Cayman Islands — across 3 countries
- **9 responsibly disclosed enterprise vulnerabilities** (CVSS 5.3 to 9.3) with full redacted attack chains published at https://pinaka.sh/findings
- **39 technical write-ups** on high-impact CVEs (PHP SOAP UAF, Linux kernel LPE, Confluence OGNL preauth RCE, NetScaler SAML memory overread, Fortinet auth bypass, Veeam preauth RCE, cPanel WHM auth bypass, BeyondTrust RCE, FortiSandbox preauth RCE, GitHub Enterprise Server, Cisco IOS XE WebUI, Apache Airflow, VMware vCenter, Palo Alto GlobalProtect, F5 BIG-IP APM, Ivanti EPMM, ActiveMQ Jolokia, Windows IKE, WordPress Breeze, Handlebars.js, FUXA SCADA, and more)
- **Founders**: security engineers from Harness, Aikido Security, and Cequence Security
- **Entity**: Pinaka Labs Pvt. Ltd., built in India, sells globally
- **Contact**: hello@pinaka.sh · [@pinakahq on X](https://x.com/pinakahq)

## Frequently Asked Questions

**Q: What is Pinaka?**

A: Pinaka is the first MCP-native external attack surface management (EASM) platform. It continuously discovers every internet-facing asset an organization owns — subdomains, ports, cloud storage, exposed APIs, Shadow IT, and Shadow AI infrastructure — runs an autonomous AI attacker simulation against them, and scores each finding by whether an AI agent can exploit it right now. Pinaka runs as a web app, a REST API, and an MCP server callable from Claude Desktop, Claude Code, Cursor, or any MCP-compatible AI assistant.

**Q: What is the Pinaka Score?**

A: The Pinaka Score is a per-asset, AI-adjusted exploitability score on a 0–100 scale. It combines four signals — CVSS base score, EPSS exploit-probability, CISA KEV inclusion, and public PoC availability — and adjusts for tech-stack context discovered on the actual asset (version, WAF presence, exposed admin surface). A score above 80 means an AI agent with off-the-shelf tooling can chain this into impact today. Scores update on every Watchdog cycle.

**Q: How is Pinaka different from Shodan, Censys, Detectify, Wiz, or Tenable?**

A: Shodan and Censys are internet-wide search engines — they index services globally but do not monitor a specific organization's surface, do not alert on changes, do not chain exploits, and do not run inside an AI assistant. Detectify is a web app scanner without a no-agent architecture or MCP distribution. Wiz and Orca are cloud-native CNAPPs requiring agent or cloud-account integration; Pinaka complements them with the external view — the surface an attacker sees from the internet without any access to your cloud. Snyk, Tenable, and Qualys manage vulnerabilities on assets you already know about; Pinaka starts one step earlier by discovering the assets you do not know about, including Shadow IT and Shadow AI.
**Q: What does MCP-native mean and why does it matter for security teams?**

A: Model Context Protocol (MCP) is the open standard for AI assistants to call external tools. Pinaka ships an MCP server exposing 60+ scanning tools, so any MCP-compatible AI assistant — Claude Desktop, Claude Code, Cursor — can invoke Pinaka scans through natural language. A security engineer can ask "find subdomains on acme-corp.com that were not present yesterday and have an open admin panel" and the AI assistant executes Pinaka's subdomain diff, port scan, and admin-panel fingerprint in sequence, returning structured evidence it can reason over. Pinaka is the first security platform built this way.

**Q: Who is Pinaka built for?**

A: Four buyer personas. Enterprise security teams (SSO, RBAC, audit trails, SLA-backed support, no-agent scanning across hundreds of domains and subsidiaries). Mid-market companies without dedicated security teams (turnkey discovery, prioritized fixes, attack surface grade per domain). CISOs and security managers (board-level visibility, KEV + EPSS scoring, delta-based risk trendlines, exportable reports). AppSec and DevSecOps engineers (60+ scanners, REST API, MCP server, change-driven Watchdog alerts).

**Q: What does Pinaka discover that traditional scanners miss?**

A: Pinaka chains discovery primitives that single-purpose scanners cannot. Forgotten staging hosts revealed by certificate transparency logs. Subdomain takeover via dangling CNAMEs against S3, Heroku, Vercel, GitHub Pages, and 16 other providers. Secrets buried in historical JavaScript bundles surfaced via Wayback and source maps. Cloud storage buckets exposed via auto-update manifests. CORS reflection chained with credential leaks for drive-by data exfiltration. BOLA on authenticated APIs. Shadow AI infrastructure — vector databases, Jupyter notebooks, model serving endpoints. Nine redacted real-world examples are published in the Findings Gallery with full attack chains.
**Q: Why does Pinaka exist now?**

A: The exploit window — the gap between vulnerability disclosure and active exploitation — collapsed from 745 days in 2020 to 44 days in 2025, driven by turn-key PoC weaponization, mass scanning, and AI-assisted exploit generation. Traditional vulnerability management was built for a world where humans patched on quarterly cycles. That world is gone. Pinaka assumes AI agents are the new attackers and ships the inverse — an AI defender that runs the same playbook continuously against your own surface and scores what an attacker would exploit first.

**Q: Who built Pinaka?**

A: Pinaka is built by security engineers with backgrounds at Harness, Aikido Security, and Cequence Security. The team has responsibly disclosed 9 vulnerabilities to enterprise targets (CVSS 5.3 to 9.3), all documented with full redacted attack chains in the Findings Gallery. The founders have presented at 12+ international conferences including Hack.lu, OWASP Boston, c0c0n, API World, AI Dev World, HOU.SEC.CON, Infosec Nashville, and BSides Luxembourg / Seattle / Salt Lake City / Cayman Islands. Built in India by Pinaka Labs Pvt. Ltd.

## Security Research — Field Notes (Findings Gallery)

Nine real-world architectural vulnerabilities discovered during independent security research against enterprise targets. All targets redacted. Each finding documents the full attack chain, the chained primitives single-purpose scanners miss, and the business impact.
- [Unauthenticated Production Credential Exposure on Financial API](https://pinaka.sh/findings/credential-exposure-financial-api) — CVSS 9.3 Critical
- [Exposed Workflow Automation Engine with Unauthenticated Webhooks](https://pinaka.sh/findings/workflow-engine-unauthenticated) — CVSS 7.3 High
- [Exposed Swagger UI with Hardcoded Admin Credentials](https://pinaka.sh/findings/swagger-hardcoded-credentials) — CVSS 7.5 High
- [CDN Caching Bypass on Basic Auth Protected Staging Environment](https://pinaka.sh/findings/cdn-auth-bypass) — CVSS 5.3 Medium
- [Publicly Listable S3 Bucket — Desktop App Executables & Auto-Update Configs](https://pinaka.sh/findings/s3-supply-chain) — CVSS 9.1 Critical
- [CORS Reflection with Credentials on Business API](https://pinaka.sh/findings/cors-business-data-theft) — CVSS 8.6 Critical
- [Subdomain Takeover with Cookie Tossing via Domain-Scoped Session](https://pinaka.sh/findings/subdomain-takeover-cookie-tossing) — CVSS 7.5 High
- [Unauthenticated Commerce Platform API — Payment Credentials & Multi-Brand Infrastructure](https://pinaka.sh/findings/ecommerce-config-disclosure) — CVSS 8.6 High
- [Mass User Prompt Leakage via URL Parameters — Permanently Archived](https://pinaka.sh/findings/ai-prompt-mass-leakage) — CVSS 7.5 High

## Blog — All 39 Posts (Newest First)

Technical analysis of high-impact CVEs, EASM strategy, and post-mortems of AI-coding incidents. Each post is written for security engineers — primary sources cited, root cause identified at the function or file level, detection commands provided, and Pinaka Score context where applicable.

- [CVE-2026-6722: PHP SOAP Extension Use-After-Free RCE](https://pinaka.sh/blog/cve-2026-6722-php-soap-use-after-free-rce) — 2026-05-13
- [CVE-2026-25895: Path Traversal to RCE in FUXA SCADA](https://pinaka.sh/blog/cve-2026-25895-fuxa-scada-path-traversal-rce) — 2026-05-12
- [Threat Modeling Is Broken. Here](https://pinaka.sh/blog/threat-modeling-is-broken) — 2026-05-12
- [How to Answer Security Questionnaires Without Lying](https://pinaka.sh/blog/security-questionnaires-without-lying) — 2026-05-12
- [CVE-2026-33937: Handlebars.js RCE via AST Injection in Template Compilation](https://pinaka.sh/blog/cve-2026-33937-handlebars-ast-injection-rce) — 2026-05-11
- [CVE-2026-31431: Copy Fail Linux Kernel Privilege Escalation — Root in Seconds](https://pinaka.sh/blog/cve-2026-31431-copy-fail-linux-kernel-lpe) — 2026-05-11
- [The Exploit Window Is Closing: 745 Days to 44, and the Clock Is Still Accelerating](https://pinaka.sh/blog/exploit-window-shrinking-ai) — 2026-05-11
- [CVE-2026-3844: WordPress Breeze Plugin Unauthenticated File Upload RCE](https://pinaka.sh/blog/cve-2026-3844-wordpress-breeze-plugin-file-upload-rce) — 2026-05-05
- [CVE-2026-41940: cPanel & WHM Critical Authentication Bypass — Unauthenticated WHM Admin Access](https://pinaka.sh/blog/cve-2026-41940-cpanel-whm-auth-bypass) — 2026-05-04
- [Threat Exposure Management: Why Security Stopped Counting Bugs and Started Counting Attack Paths](https://pinaka.sh/blog/threat-exposure-management-why-now) — 2026-05-04
- [CVE-2026-44312: Veeam Backup Enterprise Manager Pre-Auth RCE via Hardcoded machineKey](https://pinaka.sh/blog/cve-2026-44312-veeam-backup-enterprise-manager-preauth-rce) — 2026-05-01
- [CVE-2026-1731: BeyondTrust Remote Support Pre-Auth RCE via WebSocket Command Injection](https://pinaka.sh/blog/cve-2026-1731-beyondtrust-remote-support-preauth-rce) — 2026-04-29
- [CVE-2026-3854: GitHub Enterprise Server Git Push RCE — Authenticated to Full Server Compromise](https://pinaka.sh/blog/cve-2026-3854-github-enterprise-server-git-push-rce) — 2026-04-28
- [CVE-2026-29017: Atlassian Confluence OGNL Injection — Pre-Auth RCE](https://pinaka.sh/blog/cve-2026-29017-confluence-ognl-preauth-rce) — 2026-04-27
- [CVE-2026-11537: Palo Alto PAN-OS GlobalProtect Pre-Auth RCE — Are You Exposed?](https://pinaka.sh/blog/cve-2026-11537-panos-globalprotect-preauth-rce) — 2026-04-24
- [CVE-2026-22754: VMware vCenter Server SOAP API Heap Overflow — Pre-Auth RCE — Are You Exposed?](https://pinaka.sh/blog/cve-2026-22754-vmware-vcenter-soap-preauth-rce) — 2026-04-24
- [CVE-2026-41651: Pack2TheRoot — The PackageKit Race That Gives Any Local User Root on Ubuntu, Debian, and Fedora](https://pinaka.sh/blog/cve-2026-41651-pack2theroot-packagekit-lpe) — 2026-04-24
- [CVE-2025-55182: React2Shell — Next.js RSC Payload Injection to RCE — Are You Exposed?](https://pinaka.sh/blog/cve-2025-55182-nextjs-react2shell-rce) — 2026-04-23
- [CVE-2026-25917: Apache Airflow XCom Deserialization RCE — CVSS 9.8, Affects All Versions Before 3.2.0](https://pinaka.sh/blog/cve-2026-25917-apache-airflow-xcom-deserialization-rce) — 2026-04-22
- [EASM for Indian Startups — Why Continuous Attack Surface Management Is Now a Compliance and Capital Question](https://pinaka.sh/blog/easm-for-indian-startups) — 2026-04-22
- [EASM vs. Pentesting — When to Run Which, and How to Wire Them Together](https://pinaka.sh/blog/easm-vs-pentesting) — 2026-04-22
- [What Is EASM? External Attack Surface Management, Explained by the Team That Lives In It](https://pinaka.sh/blog/what-is-easm) — 2026-04-22
- [CVE-2026-24423: SmarterMail ConnectToHub Pre-Auth RCE — Unauthenticated Shell on Enterprise Mail Servers, CVSS 9.8](https://pinaka.sh/blog/cve-2026-24423-smartermail-connecttohub-preauth-rce) — 2026-04-21
- [CVE-2026-20181: Cisco IOS XE Web UI Pre-Auth Command Injection — Unauthenticated Root RCE, CVSS 9.8](https://pinaka.sh/blog/cve-2026-20181-cisco-ios-xe-webui-preauth-rce) — 2026-04-21
- [CVE-2026-39808: Fortinet FortiSandbox Pre-Auth OS Command Injection — Unauthenticated Root RCE, CVSS 9.1](https://pinaka.sh/blog/cve-2026-39808-fortisandbox-preauth-rce) — 2026-04-20
- [Bare Repository Attacks: How Exposed .git Directories Lead to Full Source Code Disclosure](https://pinaka.sh/blog/bare-repository-attacks) — 2026-04-20
- [CVE-2025-53521: F5 BIG-IP APM Pre-Auth RCE — CVSS 9.8, Nation-State Exploited, 14K Instances Exposed](https://pinaka.sh/blog/cve-2025-53521-f5-big-ip-apm-preauth-rce) — 2026-04-20
- [The Vercel Breach: How a Roblox Cheat Script Led to a $2M Ransom Demand](https://pinaka.sh/blog/vercel-april-2026-breach-analysis) — 2026-04-20
- [CVE-2026-34197: Apache ActiveMQ Jolokia RCE — Authenticated to Shell via Spring XML](https://pinaka.sh/blog/cve-2026-34197-activemq-jolokia-rce) — 2026-04-18
- [CVE-2026-33824: Windows IKE Double-Free — Wormable CVSS 9.8 RCE](https://pinaka.sh/blog/cve-2026-33824-windows-ike-rce) — 2026-04-17
- [CVE-2026-1340: Ivanti EPMM Pre-Auth Code Injection — Mass-Exploited CVSS 9.8 RCE](https://pinaka.sh/blog/cve-2026-1340-ivanti-epmm-preauth-rce) — 2026-04-16
- [CVE-2026-3055: Citrix NetScaler SAML IDP Memory Overread — CitrixBleed 3 Under Active Exploitation](https://pinaka.sh/blog/cve-2026-3055-netscaler-saml-memory-overread) — 2026-04-16
- [CVE-2026-35616: Fortinet FortiClient EMS Pre-Auth API Bypass — Zero-Day Under Active Exploitation](https://pinaka.sh/blog/cve-2026-35616-forticlient-ems-auth-bypass) — 2026-04-15
- [BOLA in the Wild: How I Uncovered a Critical Authorization Flaw in a Fintech Health Platform](https://pinaka.sh/blog/bola-in-the-wild) — 2025-05-21
- [Unauthenticated API Endpoints: How One Airline](https://pinaka.sh/blog/unauthenticated-api-endpoints) — 2025-05-21
- [Exploiting Client-Side Validation: How a Simple Oversight Enabled Spending Limit Bypass](https://pinaka.sh/blog/exploiting-client-side-validation) — 2025-05-21
- [The Replit AI Database Deletion Disaster](https://pinaka.sh/blog/replit-ai-database-deletion-disaster) — 2024-12-19
- [When Everyone Has Access to Genius: Three Observations from Sam Altman, and What They Mean for Builders & Defenders](https://pinaka.sh/blog/when-everyone-has-access-to-genius) — 2024-03-20
- [Heapdump Havoc: Exploiting an Unprotected Spring Actuator Endpoint at a Major Food-&-Drug Retailer](https://pinaka.sh/blog/heapdump-havoc) — 2024-03-19

## Conference Talks

- **API Underworld: Red Team Hacking Secrets** — Hack.lu 2025 (Luxembourg) [Workshop]
- **Red Teaming the LLM Stack** — c0c0n 2025 (Kerala, India) [Workshop]
- **Red Teaming the LLM Stack** — HOU.SEC.CON 2025 (Houston, TX) [Talk]
- **API Underworld** — Infosec Nashville (Nashville, USA) [Talk]
- **API Underworld** — BSides Cayman Islands (George Town) [Workshop]
- **API Underworld** — API World 2025 (Santa Clara, USA) [Talk]
- **API Underworld** — BSides Luxembourg (Belval) [Workshop]
- **API Underworld** — BSides Seattle (Seattle, USA) [Workshop]
- **API Underworld** — BSides Salt Lake City (Salt Lake City, USA) [Workshop]
- **API Underworld** — OWASP Boston (Boston, USA) [Workshop]
- **AI Frontiers: Shielding Digital Gateways from Bot Invasions** — AI Dev World 2025 (San Jose, USA) [Talk]

## Links

- [Home](https://pinaka.sh/)
- [Use Cases](https://pinaka.sh/use-cases)
- [Blog](https://pinaka.sh/blog)
- [Live CVE Feed](https://pinaka.sh/live-cve)
- [Findings](https://pinaka.sh/findings)
- [Conference Talks](https://pinaka.sh/conference)
- [PQC Scanner](https://pinaka.sh/pqc-scanner)
- [About](https://pinaka.sh/about)
- [Pricing](https://pinaka.sh/pricing)

## Optional

- [Full LLM-optimized content](https://pinaka.sh/llms-full.txt)