There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
Timeline
Post
Remote status
Context
3CVE-2026-34486 - Tomcat
- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
@GossiTheDog
>It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it.
You can just scan the whole Internet with this. The attacker doesn't need to know the configuration.
>The PoC they've built specifically disabled ASLR
Doesn't really matter either. Randomization so far always was just another fence to jump over. It makes exploitation harder, not impossible.
>It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it.
You can just scan the whole Internet with this. The attacker doesn't need to know the configuration.
>The PoC they've built specifically disabled ASLR
Doesn't really matter either. Randomization so far always was just another fence to jump over. It makes exploitation harder, not impossible.
Replies
0Fetching replies…