Web-Security on HackingPassion.com : root@HackingPassion.com-[~]

HTTP/2 Bomb Takes Down nginx Apache IIS Envoy and Cloudflare

Wed, 03 Jun 2026 13:38:05 +0200

A new exploit called HTTP/2 Bomb lets one ordinary home computer take down nginx, Apache, Microsoft IIS, Envoy and Cloudflare Pingora, the web servers behind a huge share of the internet, in a matter of seconds.

It forces those servers to tie up tens of gigabytes of memory until they stop responding, it abuses the configuration they ship with by default, and when the research went public three of the five still had no patch.

Ghost CMS SQL Injection Stole Admin Keys From 700 Websites With One Request

Tue, 26 May 2026 12:51:20 +0200

A SQL injection vulnerability in Ghost CMS has turned Harvard University, Oxford University, and DuckDuckGo into malware distribution platforms. Visitors arrive at a page they trust completely, a fake Cloudflare verification prompt appears, and their machine gets infected if they follow the instructions. More than 700 sites. Software that had never had an unauthenticated critical vulnerability in its entire history.

Ghost CMS is publishing software built on Node.js, used for newsletters, membership sites, and independent blogs. It is open source and free to self-host, with a paid hosted version called Ghost Pro. More than 100,000 active installations and more than 50,000 GitHub stars.

Nginx-UI MCPwn (CVE-2026-33032): Full Server Takeover With One Unauthenticated Request

Thu, 16 Apr 2026 11:11:43 +0200

A critical vulnerability in nginx-ui has been actively exploited since March 2026, and it gives any attacker on the network full control over the nginx server behind it without a single credential. CVE-2026-33032 scores 9.8 on the CVSS scale, sits inside an AI integration that was added to the tool in late 2025, and the entire root cause turned out to be 27 characters of missing code. Recorded Future assigned it a risk score of 94 out of 100. The researchers who found it named it MCPwn. 😏

Hackers Are Hijacking NGINX Servers Without Installing Malware

Thu, 05 Feb 2026 13:58:06 +0100

Hackers are hijacking NGINX web servers and rerouting live traffic through their own infrastructure. No malware installed, no vulnerability exploited. Just a few lines changed in a configuration file, and every visitor’s data flows through attacker-controlled servers without anyone noticing. 🧐

NGINX is the most popular web server on the planet. It powers over 5 million websites and handles roughly one in three web connections worldwide. Banks, governments, and universities all depend on it. And right now, a campaign is silently turning these servers into traffic relays.

Ni8mare: n8n Vulnerability Gives Full Admin Access with One HTTP Header Change

Sat, 10 Jan 2026 15:50:00 +0100

100,000 servers. One HTTP header change. Full admin access. No password required. They call it “Ni8mare.” CVSS 10.0. The patch existed for 7 weeks. The release notes mentioned nothing. 😏

CVE-2026-21858. “Ni8mare” The name says it all.

n8n is a workflow automation platform. Think Zapier, but open source and self-hosted. Over 100 million Docker pulls. Used by Vodafone, Delivery Hero, StepStone. Thousands of enterprises run their entire automation infrastructure on it, with 400+ integrations connecting everything in one central hub.

WIRED Magazine Hacked: 2.3 Million Records Leaked via Basic IDOR Vulnerability

Tue, 30 Dec 2025 12:39:00 +0100

WIRED magazine got hacked. 2.3 million subscriber records leaked. And this is just the beginning. 😏 A hacker called “Lovely” dumped the database on Christmas Day. Called it a “Christmas Lump of Coal.”

The vulnerability? IDOR. Insecure Direct Object Reference. That’s OWASP Top 10. Basic web security. A flaw that’s been documented since 2007. Companies still get it wrong.

IDOR happens when a website uses a number to identify your data, but doesn’t check if you’re actually allowed to see it. Your profile lives at /api/user/12345. Change that to /api/user/12346? You see someone else’s profile. No password needed. The server just hands it over.