◆ Featured
01 Security
Apache HTTP/2's double-free
CVE-2026-23918 — a HEADERS-then-RST_STREAM dance triggers a double-free in mod_http2. DoS today, potentially RCE.
1 min read
Simplicity over complexity, quantity over quality.
Security Engineer · Notes from building at speed
Currently — 13 essays shipped
Notes from a security engineer building at speed — on shipping, design, and the systems that hold the web together.
A CVSS 10.0 is rare. An exploited-in-the-wild CVSS 10.0 with admin impact, on a controller that sits between branches and the corporate WAN, is rarer.
One threat actor, multiple Fortune 500s, in two weeks. The unifying pattern is depressingly familiar — identity-provider compromise leading to SaaS data theft. No zero-day required.