Research
Fail Open, Game Over: Turning a One-Line Tomcat Fix into Unauthenticated RCE
Striga uncovered a fail-open regression in Apache Tomcat's cluster encryption that turns a one-line code change into unauthenticated Remote Code Execution.
Bartłomiej Dmitruk

The Help Button That Steals Your NTLM Hash
A Striga scan of Mattermost Desktop revealed that server-controlled URLs bypass Electron's protocol validation entirely, enabling silent NTLM credential theft on Windows.
Bartłomiej Dmitruk

1994 Called. It Wants Its Shell Back
Striga reproduced and weaponized a 32-year-old telnet buffer overflow.
gyaraDOS

Taking Down the Internet's Most Popular HTTP Client with a Single JSON Key
A Striga scan of axios revealed a prototype chain lookup that crashes any Node.js service forwarding user-controlled JSON through the world's most popular HTTP client.
Bartłomiej Dmitruk