Forem: zast ai

ZAST.AI Security Advisory: Critical SSRF Resolved in ClawdBot.

zast ai — Tue, 27 Jan 2026 15:17:06 +0000

While the community focused on general configuration risks, ZAST verified the actual code.

Our engine autonomously identified a high-severity SSRF vulnerability exploitable via DNS Rebinding. The flaw was a classic TOCTOU (Time-of-Check to Time-of-Use) gap, allowing attackers to bypass validation and access internal networks.

The Resolution: Our Co-founder Chris Zheng reported this to the maintainer (@steipete), who acknowledged the issue and pushed a fix immediately.

The project has now implemented DNS Pinning to eliminate the vector. We are proud to be credited in the changelog for securing the ecosystem.

View the official fix: https://github.com/clawdbot/clawdbot/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505

A Stored XSS (CVE-2026-0693) in the "Allow HTML in Category Descriptions" @WordPress plugin.

zast ai — Sat, 24 Jan 2026 02:20:17 +0000

We verified a Stored XSS (CVE-2026-0693) in the "HTML in Category Descriptions" @WordPress plugin.

The Flaw: The plugin correctly restricts input but unintentionally removes global output filters (wp_kses_data) for all users. The Impact: Malicious scripts in category descriptions execute for any visitor. The Validation: Confirmed via autonomous PoC.

Security requires validating the full data lifecycle, not just lines of code.

Vulnerability details: https://www.cve.org/CVERecord?id=CVE-2026-0693

2025 Annual Report: 153 Publicly Disclosed Vulnerabilities & 0 False Positives

zast ai — Wed, 14 Jan 2026 14:06:06 +0000

In 2025, ZAST.AI redefined what’s possible in static analysis. It successfully identified and verified critical logic flaws in enterprise infrastructure including Microsoft Azure SDK, Alibaba Nacos, Apache Struts2, Apache Commons, Koa, Langfuse, Node-Formidable, WordPress and more.

🔍 153 Vulnerabilities Publicly Disclosed
🔒 119 CVEs Assigned
🎯 0 False Positives

Every alert backed by an executable PoC. No noise. Just proof.

🔗 https://blog.zast.ai/research/vulnerability%20reports/cybersecurity/The-2025-Bug-Hunter-Report-How-ZAST.AI-Uncovered-115+-Verified-CVE

CRITICAL ALERT: Apache Struts2 XXE Exposed (CVE-2025-68493)

zast ai — Tue, 13 Jan 2026 13:02:51 +0000

ZAST.AI discovered a high severity XXE vulnerability in XWork-Core allows threat actors steal files & trigger SSRF.

The flaw was hidden in DomHelper's unconfigured SAX parser.

⚡ Discovered by ZAST.ai AI Agent — proving once again that AI-driven logic beats pattern matching.

Patch immediately (Struts2 <= 6.0.3)!

🔗 Vulnerability reports: https://cwiki.apache.org/confluence/display/WW/S2-069

ZAST.AI vs. Burp Suite: The Signal vs. Noise Challenge 🥊

zast ai — Tue, 23 Dec 2025 13:40:46 +0000

We pitted our AI engine against the industry standard to find a critical IDOR vulnerability in an open-source Java CMS. Both tools found the bug, but the difference in efficiency was staggering:
⚠️ Burp Suite (Traditional DAST)

90% False Positives: Flagged 30+ endpoints based on simple status codes.
Buried the Signal: The real critical bug was hidden in a sea of false alarms.
Result: Your team wastes hours manually filtering noise to find the truth.
✅ ZAST.AI (AI-Powered Assessment)
Zero False Positives: 100% precision.
Instant Isolation: Autonomously filtered the noise and flagged only the verified exploit.
Result: Immediate remediation, zero wasted time.
It's not just about finding the vulnerability; it's about isolating it from the noise.

See the full technical breakdown: https://tinyurl.com/4kzssvuw

🚨 MAJOR DISCOVERY: 7 WordPress Plugin Vulnerabilities, ZERO False Positives!

zast ai — Tue, 09 Dec 2025 13:33:30 +0000

Our AI security research agent just uncovered 7 verified stored XSS flaws in WordPress plugins — missed by traditional tools!

Key Vulnerabilities Found:
✅ Double the Donation plugin (CVE-2025-12020) - CVSS 4.9
✅ YouTube Subscribe plugin (CVE-2025-12025) - CVSS 4.4
✅ Featured Image plugin (CVE-2025-12019) - CVSS 4.4
✅ 4 more similar vulnerabilities in other plugins

Automated PoC verification = 100% actionable results for security teams 🛡️
🔗 Full technical report: https://tinyurl.com/ms8678jc

🔥 1-Month DEV CHALLENGE: Test ZAST Express (IDE Extension) in 3 Min, Win $100 & Credits!

zast ai — Mon, 01 Dec 2025 13:44:38 +0000

Tired of switching between your IDE and security dashboards? Dealing with false alerts and slow scans?
ZAST Express brings instant, reliable code security assessment with PoC directly to your IDE.
In return for your valuable firsthand feedback, we've prepared Amazon Gift Cards and tons of ZAST Credits as a thank you.

🎯 How to Participate (It's Easy & Fast):

Install the “ZAST Express” extension from VS Code/Cursor Marketplace (takes ~1 min).
Run an assessment on your own project using the extension (est. 2 mins). Share your feedback by commenting on our official GitHub Issue: https://tinyurl.com/my5zj4tu

Tag devs who need faster security checks! 🛡️

🎊 [New Feature] ZAST EXPRESS - Official Release

zast ai — Mon, 24 Nov 2025 14:28:06 +0000

Our IDE extension is now officially available:
✨ Zero-false-positive AI engine integrated into your IDE
⚡ Instant security feedback without leaving your coding environment
🔒 Local processing ensures maximum privacy
🎯 Supports VS Code and Cursor with more platforms coming soon

Learn more about your security copilot in IDE: https://tinyurl.com/3ykth59d

🚀 GitHub Codespaces + ZAST.AI: Assess Apps in Minutes!

zast ai — Tue, 18 Nov 2025 13:35:00 +0000

No local setup—build, package, and secure your projects in the cloud ⚡
• Zero-false-positive assessments for JS/TS, Java & Python (beta) 🛡️
• Seamless DevSecOps workflows for multiple tech stacks 🔄
• Free 120 GitHub Codespaces hours/month 🆓

Read the step-by-step guide: https://tinyurl.com/yfehvmck

ZAST.AI identified 6+ vulnerabilities in JeeSite

zast ai — Tue, 11 Nov 2025 14:50:46 +0000

🔍ZAST.AI identified 6+ vulnerabilities in JeeSite <=5.12.0 b522b3f:
• SSRF (CVE-2025-7759)
• Multiple Open Redirection flaws (CVE-2025-7763, CVE-2025-7785, CVE-2025-7863)
• Insecure File Upload (CVE-2025-7864)
• XSS filter bypass (CVE-2025-7865, CVE-2025-9796)

👩‍💻Complete analysis: https://tinyurl.com/4tryaec2

The Same Feature That Makes a Component Powerful Can Also Make It Dangerous.

zast ai — Tue, 04 Nov 2025 15:14:23 +0000

A documented feature became a weapon with #Log4Shell. The blurry line between function and flaw is the new AppSec frontline.🚧

Our latest post assesses critical cases like Spring4Shell and Apache Struts to answer:
• Who is responsible when a feature is exploited? ⁉️
• Is "secure-by-default" a myth? 🔮
• How can we better define and manage these risks? 🧐

Learn the 3 key lessons for a more secure future: https://tinyurl.com/4wwmytj4

ZAST.AI found Insecure File Upload & CSP bypass issues in CodiMD

zast ai — Tue, 28 Oct 2025 15:30:04 +0000

• Low version (CVE-2025-46654)
• High version (CVE-2025-46655)
These vulnerabilities could allow attackers to upload malicious files.
🔗 Vulnerability details: https://tinyurl.com/378h3xb7