This Dependency Update Looked Exactly Like an Account Takeover
Table of Contents The gap CVE scanners cannot seeMarshalHow the scoring actually worksTry it on your own pom.xmlWhat ships todayWhat is in the pipelineLinksI pointed a scanner I have been building at an old Spring project, and it flagged javax.activation. ...
-
7 New Vulnerabilities in Jackson in One Day: This Is What AI-Assisted Security Research Looks Like
Table of Contents Not a sales pitchWhat Just HappenedHow findings like this are now getting madeThis is mainstreamSeven VulnerabilitiesThe Critical RCEsThe Access Control and Deserialization BypassesThe Validator Is the VulnerabilityThe Creaking Disclosure PipelineWho’s EffectedIf you are on an EOL streamWhat …
-
Quarkus Unpacked: Insights from the Foojay Podcast
Table of Contents What is Quarkus?How does Quarkus compare to Spring, Micronaut, or other frameworks?Is Quarkus more modern because it is newer?Does Quarkus replace the JVM?What is Quarkus live reload?How does build-time optimization work?How does this differ from JIT and …
-
Did AI Just Break Software Security For Ever?
Table of Contents First: The rate of CVE arrivalsSecond: AI detection of vulnerabilities becoming the normThird: The breaking of an old asymmetryFourth: Regulators got impatientThe maths no longer worksThink about Y2KThe response doesn’t wait for the disasterThe asymmetry that should …
-
Spring Boot Migration and the CRA: When Good Enough Isn’t
Table of Contents If You’re Already on 4.0The zombie problem followed youIf You’re Still on 3.5The technical risk is growing. The legal risk is about to change.What “Without Undue Delay” Actually Means NowArticle 14 and the 24-hour clockThe calculation changes …
-
Tiberius: A Security Testing Framework for LLM Applications in Java
Table of Contents 1. The Problem2. What Tiberius Does2.1 Fixture-Based Regression Testing2.2 Guardrail Validation Against Real Attack Data2.3. Probabilistic Security Contracts2.4. Bias Testing2.5. Model Fingerprinting3. Attack Coverage3.1 Buff Mutations4. Integration5. The Case for Shared Attack Datasets6. Security Testing as a …
-
Introducing bx-jwt: Enterprise-Grade JSON Web Tokens for BoxLang
Table of Contents The Fluent Builder — jwtNew()The BIF FunctionsHMAC Sign and VerifyRSA Sign and VerifyJWE Encryptionalg:none RejectionHMAC Minimum Key Lengths (RFC 7518 §3.2)Algorithm AllowlistClock Skew ToleranceAuthentication MiddlewareToken Refresh with Grace PeriodKid-Based Key RotationSigning (JWS)Encryption (JWE) JWT authentication is everywhere. …
-
BoxLang v1.13.0: Compatibility, Concurrency, and Formatter Maturity
Table of Contents New FeaturesCharacter-Aware Trimming — trim(), ltrim(), rtrim()getClassMetadata() by Absolute PathSystemExecute() Environment ControlsThe BoxLang Formatter Goes Production-ReadyAsync & Concurrency HardeningMiniServer: Security & ReliabilityCompatibility WinsChangelog Highlights BoxLang 1.13.0 is a stability-first release with deep compatibility work and runtime hardening. …
-
Don’t Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478)
Table of Contents What the sandbox protects againstAbusing the templating engineHow the tab character breaks the Thymeleaf sandboxWhat you need to doThe CVSS score 9.1 is real, but conditionalThe Thymeleaf vulnerability with a CVSS score of 9.1 grabs your attention, …
-
Foojay Podcast #95: Is Your Java App Actually Secure, Or Does It Just Look That Way?
Table of Contents YouTubePodcast AppsGuestsSteve PooleDavid WelchContentIs your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and David Welch, both from HeroDevs, to dig …