Apple patched a 13-year-old bug in WebKit yesterday.
Apex, Cantina's autonomous AppSec agent, found it.
It's one of three Apex findings in the same release. Two are CSP bypasses.
Full writeup: cantina.review/ze5
Join the Lido Community Call next Thursday.
Catch up on what’s next for the Lido staking modules, Lido's recent Web3SOC certification, and guest sessions on client diversity.
Add it to your calendar: luma.com/pmb473ba
We detected that Pathling, an open-source FHIR analytics server from the e-Health Research Centre, has an $import-pnp operation that sends the server's OAuth credentials to any URL the caller specifies.
Any authenticated user can trigger the chain with a single HTTP request,
This is the Fable "vulnerability" the USG claims: ask the model to read a codebase and fix flaws.
Anthropic is right: you can't fix this. Cybersecurity is double-edged: the same part of the model's brain that finds exploits also helps write secure software.
The only fix is to
I’ve had a number of conversations with folks inside and outside government about the current situation with Anthropic, and here is what I believe to be true:
— As we know, Anthropic publicly released its Mythos class models earlier this week under the commercial name Fable.
Cantina threat discovery: Apple's swift-crypto reads memory it shouldn't when a network peer sends a short post-quantum key.
That's what we found in Apple's swift-crypto. The X-Wing HPKE decapsulation runs in Swift and forwards its input to a BoringSSL C function that expects
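The pattern the post describes, a length-unaware C routine fed by a caller that does hold the length, shown as an added example. This is not swift-crypto or BoringSSL code: the decapsulation body is a toy, the sizes are taken from the X-Wing draft (ML-KEM-768 ciphertext 1088 bytes plus a 32-byte X25519 share), and the assumption that the fix is an exact-length check at the Swift-to-C boundary is ours, since the post is cut off before it says what the C function expects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the X-Wing draft (our constants, not swift-crypto's):
 * ciphertext = 1088-byte ML-KEM-768 ciphertext || 32-byte X25519 share. */
#define XWING_CT_LEN 1120u
#define XWING_SS_LEN 32u

/* Stand-in for the fixed-size C consumer. Like a typical C API it receives
 * only a pointer and assumes XWING_CT_LEN readable bytes behind it; hand it a
 * shorter allocation and it reads past the end. The body is a toy XOR fold,
 * not real decapsulation; what matters is that the length is implicit. */
static void decap_raw(const uint8_t *ct, uint8_t out[XWING_SS_LEN]) {
    memset(out, 0, XWING_SS_LEN);
    for (size_t i = 0; i < XWING_CT_LEN; i++)
        out[i % XWING_SS_LEN] ^= ct[i];
}

/* The wrapper is the last place that still knows the length (a Swift caller
 * hands over a pointer/count pair via withUnsafeBytes). The check belongs
 * here, before the pointer crosses into code that no longer has the count.
 * Returns 0 on success, -1 if the input is not exactly XWING_CT_LEN bytes. */
int decap_checked(const uint8_t *ct, size_t ct_len, uint8_t out[XWING_SS_LEN]) {
    if (ct == NULL || ct_len != XWING_CT_LEN)
        return -1;   /* exact match: reject short inputs (over-read) and long ones */
    decap_raw(ct, out);
    return 0;
}

/* Constructed inputs for the demo: a well-formed 1120-byte ciphertext and a
 * 16-byte one standing in for the "short post-quantum key" from a peer. */
int demo_full_length_accepted(void) {
    static uint8_t ct[XWING_CT_LEN];
    uint8_t ss[XWING_SS_LEN];
    memset(ct, 0x5a, sizeof ct);
    return decap_checked(ct, sizeof ct, ss);
}

int demo_short_length_rejected(void) {
    uint8_t ct[16] = {0};
    uint8_t ss[XWING_SS_LEN];
    return decap_checked(ct, sizeof ct, ss);
}

/* With the full buffer filled with 0x5a, each output byte is the XOR of 35
 * copies of 0x5a, i.e. 0x5a, so the toy fold has a checkable result. */
unsigned demo_full_secret_byte(void) {
    static uint8_t ct[XWING_CT_LEN];
    uint8_t ss[XWING_SS_LEN];
    memset(ct, 0x5a, sizeof ct);
    decap_checked(ct, sizeof ct, ss);
    return ss[0];
}

int main(void) {
    printf("full-length input:  %d\n", demo_full_length_accepted());
    printf("short input:        %d\n", demo_short_length_rejected());
    printf("secret byte:        0x%02x\n", demo_full_secret_byte());
    return 0;
}
```

The check compares for equality rather than `>=`: an over-long input is not a memory-safety problem here, but accepting it silently would hide a framing bug elsewhere, and a KEM decapsulation has no legitimate reason to take variable-length ciphertext.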
Two memory-safety bugs in the same Ruby core file, 30 months apart.
We found the second in the pthread DNS resolver that byroot at Shopify hit in 2023 and Ruby committers patched within hours.
If an attacker can delay DNS responses to a Ruby 4.0.x app, they can crash the
In the 2026 Verizon DBIR, a stark data point stands out: healthcare’s incident-to-breach conversion rate is now 96% and only 26% of critical vulnerabilities are fully patched.
We're excited to join the HealthSec panel “Optimizing Cybersecurity Spend in Healthcare: Balancing
$250,000 bug bounty now live: @3f_xyz is opening its leveraged RWA vault contracts on @Morpho for security research on Cantina.
Up for a new challenge? Start the hunt here, researchers: cantina.xyz/bounties/d5586…
The $5,000,000 @Polymarket x Cantina bug bounty program just expanded: 7 newly deployed contracts are now in scope. 🪐
Start the hunt: cantina.xyz/bounties/ff945…
Today, we're launching the @injective bug bounty program on Cantina.
The scope covers the following: injective-core, Peggy bridge, swap, RFQ, and five web surfaces, including Helix, Mito, and Hub.
Which bounty are you going after first? Program details: cantina.xyz/bounties/79042…
You're going to be working late for this one: The @Morpho Midnight competition is live.
Morpho Midnight is a non-custodial protocol for fixed-rate, fixed-term credit markets.
Let's see what you've got, researchers:
cantina.xyz/competitions/4…