Blog

Research articles and blog posts from SecDim

10/06/2026

Why you should not use JavaScript sandbox

The maintainers of vm2 have been honest about the limitations of vm2. They have been explicit that new bypasses are...

19/05/2026

React2Shell (CVE-2025-55182): Exploitation Flow and Secure Coding Lessons

We already discussed the impact of React2Shell in our previous blog post and also created an Incident Response challenge that...

01/04/2026

Two Incomplete Fixes for a Path Traversal Vulnerability in ONNX (CVE-2026-27489)

Some vulnerabilities are patched once and forgotten. Others keep coming back because each fix only addresses the symptom rather than...

24/03/2026

Dangerous by Default: What OpenClaw CVE Record Tells Us About Agentic AI

Your AI assistant just received a WhatsApp message. It ran a shell command. Then it wrote new code and executed...

17/02/2026

LangChain load() is basically eval()

The patch for LangChain vulnerability CVE-2025-68665 disables loading secrets from environment variables by default, and introduces an escape wrapper to...

15/01/2026

Three Secure Coding Lessons from A Log Injection Bug in Django

In June 2025, a vulnerability (CVE-2025-48432) was discovered in Django that allowed remote adversaries to tamper with log output by...

24/10/2025

CVE-2025-46417: Bypassing AI Model Scanners and Exfiltrate Sensitive Data

In April 2025, we disclosed a high risk vulnerability in picklescan. The vulnerability, tracked as CVE-2025-46417. It allows attackers to...

04/09/2025

AI and Secure Code Learning: An Empirical Analysis of 420 AI-Generated Security Fixes

A research study comparing click-on (instant lookup) vs key-in (manual typing) digital dictionaries found that easier look up methods reduced...

23/07/2025

CVE-2025-29927 - Next.js Vulnerability

Overview In March 2025, security researchers Rachid Allam and Yasser Allam publicly disclosed a critical vulnerability identified as CVE-2025-29927, affecting...