An anonymous researcher known as "bikini" published a repository named "exploitarium" containing zero-day exploit write-ups ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ 

TLDR

TLDR Information Security 2026-07-01

🔓

Attacks & Vulnerabilities

Anonymous Researcher Drops 0-day 'Exploitarium' Repo (6 minute read)

An anonymous researcher known as "bikini" published a repository named "exploitarium" containing zero-day exploit write-ups for multiple software products, including active exploitation of CVE-2026-55200 in libssh2 and CVE-2026-20896 in Gitea Docker deployments, without prior vendor notification. The vulnerabilities detailed are a pre-auth heap corruption remote code execution flaw in libssh2 and an authentication bypass in Gitea, both of which are currently unpatched. Defenders should monitor SSH and Git service logs for anomalous activity and block exploitation attempts targeting libssh2 and Gitea until official patches are released.
Longinus: 2 Boundaries in One Bug, Piercing Chrome's Renderer and V8 Sandbox with a Single Vulnerability, CVE-2026-6307 (25 minute read)

CVE-2026-6307, known as Longinus, is a critical V8 JIT compiler vulnerability in Chrome 106 that enables attackers to bypass the renderer sandbox and V8 heap isolation through a single flaw in TurboFan/Turboshaft inlining, JS-to-Wasm call wrapper canonicalization, and deoptimization FrameState handling. The vulnerability provides arbitrary read/write primitives within the sandboxed heap and allows full remote code execution without memory spraying or chained exploits. Defenders should apply Chrome updates to version 106.0.5249.119 or later and monitor for exploitation attempts targeting V8 JIT components, particularly in rendering contexts.
Vulnerabilities Expose Private Data in Indian Government Systems (2 minute read)

An independent researcher reported 14 security flaws across Indian government education, scholarship, and civil service portals, exposing student records and thousands of full bank account numbers through open directories and weak access controls. The Union Public Service Commission portal had an exposed admin interface, missing security headers, and issues that enabled automated credential attacks, creating straightforward paths to full system takeover and large‑scale data theft.
🧠

Strategies & Tactics

Mapping out your unknown: A threat hunter's guide to Salesforce (10 minute read)

Datadog's Julie Agnes Sparks analyzes the first part of the MITRE ATT&CK chain against Salesforce in the GRUB1/UNC6395 Salesloft campaign. Attackers gain initial access via OAuth phishing, compromised third-party tokens, or stolen SSO/MFA factors, then attempt brute-force retries and weak-factor swaps, locking out owners. They reuse OAuth tokens and perform discovery, hitting API limits, listing objects, and querying data to size exfiltration. Defenders should monitor Event Log Files and Real-Time Monitoring for AuraRequest calls, LoginEvent records with rare values, privileged account activities, and large queries, and correlate them by IPs, off-hours, and user agents. Queries use Datadog syntax, and the post promotes Datadog's Salesforce integration and SIEM detection rules. Other shops will need to adapt field names, and steps covered include recon through discovery, leaving collection, exfiltration, and ransom for later.
Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037) (12 minute read)

CVE-2026-8037 is a pre-authentication remote code execution vulnerability in Progress Kemp LoadMaster, exploitable via the LoadMaster API when enabled due to an uninitialized heap condition. The vulnerability allows unauthenticated attackers to execute code by exploiting improper memory initialization during API request processing. Defenders should patch to LoadMaster version 7.2.63.2, which addresses the flaw by modifying the escape_quotes() routine, and monitor API access logs for unauthorized activity.
Securing AI agents: When AI tools move from reading to acting (6 minute read)

Enterprise AI agents are starting to run tasks across business systems via MCP-connected tools, which opens the door to data theft when tool metadata is poisoned. A finance-focused Copilot Studio agent example shows how hidden instructions in an enrichment server's description quietly pull unpaid invoice data and send it to an attacker-controlled endpoint, all while remaining within normal permissions and workflows. Microsoft recommends treating MCP servers and descriptions as part of the supply chain, inspecting metadata, restricting tool access, and using DLP, Sentinel, and Guardrails to monitor and block risky actions.
🧑‍💻

Launches & Tools

Semgrep: GLM 5.2 Beats Claude in Cybersecurity Coding Benchmarks (12 minute read)

GLM 5.2, an open-weight model from Zhipu AI, achieved a 39% F1 score in Semgrep's IDOR detection benchmark, outperforming Claude Code's 32% at a cost of $0.17 per true finding, though Semgrep's own multimodal pipeline with endpoint scaffolding reached 53% to 61%, underscoring that harness design significantly influences real-world effectiveness beyond raw model capability. The results highlight GLM 5.2 as a cost-efficient, competitive option for security-focused code analysis, particularly when deployed within optimized evaluation frameworks.
NetExec (GitHub Repo)

NetExec is a network service exploitation tool that helps automate the assessment of the security of large networks.
Ponytail (GitHub Repo)

A coding agent/plugin that makes your AI agent “think like the laziest senior dev in the room.” The goal of the plugin is to reduce the amount of code generated to the absolute minimum.
🎁

Miscellaneous

TLDR is hiring a curator for TLDR Infosec! (TLDR Curator, ~5 hrs/week)

Over 400,000 subscribers read TLDR Infosec to stay on top of the latest in cybersecurity, vulnerabilities, breaches, threat research, and security tools. If you work in security and want to help curate it, send your LinkedIn or resume to infosec@tldr.tech!
Top 1 Million Analysis – June 2026: Ten Years of Web Security (15 minute read)

Scott Helme's decade retrospective on the Tranco Top 1 Million (819,002 responding sites) shows the foundational web-security primitives now firmly entrenched: HTTPS redirects have climbed roughly 960% since 2015 to 658,038 sites, CSP has grown 125x to 170,057, and HSTS sits at 252,846, yet the headline story is that presence has decoupled from quality, with 46.8% of CSPs still carrying unsafe-inline, only 21% of HSTS deployments preload-eligible, and DMARC stuck at p=none on 51.4% of publishing domains. The structural takeaway is concentration risk: Cloudflare now fronts over a third of responding sites and single-handedly drives aggregate movement in NEL, HTTP/3, and the cross-origin isolation family whenever it flips a default, meaning much of the web's measured "progress" reflects one provider's configuration rather than independent operator decisions. Helme runs sponsor Report URI and folds in course and product mentions, so read the optimistic framing accordingly, but the core signal stands: with over half the population still scoring an F on basic headers, the next decade's lever is correct configuration and better platform defaults, not further raw adoption.
Security and Misuse Concerns Surround 100,000+ AI-Powered License Plate Readers (4 minute read)

Over 100,000 AI-enabled automated license plate readers, primarily deployed by Flock, have been installed across the United States, enabling persistent location tracking and raising alarms about unchecked surveillance and potential police misuse. Security flaws and weak data safeguards in these systems risk unauthorized access, mission creep, and harmful exploitation of collected data by law enforcement or malicious actors. Defenders and policymakers should audit ALPR data retention policies, monitor access logs for anomalous queries, and enforce strict compliance with civil liberties standards to mitigate abuse.
New attack provides one more reason why AI browsers are a bad idea (7 minute read)

Researchers show how a booby-trapped game on a website can push AI-powered browsers into a fantasy context where wrong answers, such as 2 + 2 = 5, become “correct” and safety rules stop applying. Once the agent accepts that false logic, the site can prompt it to pull code or credentials from local resources, turning merged browsing and automation features into a high‑risk path for data theft on user machines.

Quick Links

Aflac Japan Data Breach Impacts 4.38 Million (2 minute read)

Hackers repeatedly accessed Aflac Japan's systems between June 15 and June 25, stealing personal data tied to its policyholder portal for about 4.38 million customers and agents, including contact, identity, and insurance details, as well as bank transfer information for roughly 230,000 people, but no card data.
Anthropic to restore Claude Fable access on Wednesday (1 minute read)

Anthropic says the Department of Commerce lifted export controls on its top models, starting access to Fable 5 on Wednesday, while Mythos 5 remains limited to select companies.
Scammers race to cash in on Venezuelan earthquake disaster (2 minute read)

WhoisXML API researchers found 212 domains referencing the recent Venezuela earthquake within five days, including 105 on June 25 and none in the previous three days.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here, create your own role or send a friend's resume to jobs@tldr.tech and get $1k if we hire them! TLDR is one of Inc.'s Best Bootstrapped businesses of 2025.

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.