This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: Updates cloud-iam-deep, hunt-api-misconfig, and hunt-cloud-misconfig across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Low | Added coverage for five previously missing 2024-2026 attack surfaces. | — |
| Feature | Low | Backfilled zero-report skills with new reports (cloud-iam-deep, okta-attack, vmware-vcenter-attack, supply-chain-attack-recon). | — |
| Feature | Low | Added 29 fully-developed chain examples for high-volume skills. | — |
| Feature | Low | Introduced ENGAGEMENTS.md documenting two authorized engagements. | — |
| Feature | Low | Eliminated all skills with zero reports (from 4 to 0). | — |
| Feature | Low | Resolved all named missing 2024-26 surfaces (5/5 → 0/5). | — |
| Performance | Medium | Increased report count from 574 to 681 (+107 reports). | — |
| Performance | Medium | Reduced top-3 dominance from 81.2% to 68.4% (-13 percentage points). | — |

Source (all rows): llm_adapter@2026-05-28. Confidence: high.

Full changelog
Workstream A — Report-curation backfill across 11 hunt-* skills.
hunt-graphql 3 -> 12 | hunt-race-condition 3 -> 12 | hunt-xxe 4 -> 10
hunt-cache-poison 4 -> 10 | hunt-auth-bypass 4 -> 12 | hunt-business-logic 7 -> 12
hunt-sqli 8 -> 12 | hunt-ssrf 9 -> 15 | hunt-csrf 10 -> 15
hunt-oauth 10 -> 19 | hunt-subdomain 11 -> 15.
Citations are primary-source URLs (HackerOne reports, GitHub Security
Advisories, PortSwigger Research, vendor advisories).
Workstream B — Five 2024-2026 surfaces previously missing now covered:
- Duende BFF role-partitioned CSRF + token-confusion (hunt-csrf, hunt-auth-bypass)
- OData WAF blacklist bypass (hunt-api-misconfig)
- NSwag/Swagger spec exposure + ~100-path discovery wordlist (hunt-api-misconfig, web2-recon)
- Cognito IdentityPool unauthenticated-role chain (cloud-iam-deep)
- CloudWatch RUM weaponization (hunt-cloud-misconfig).
Workstream C — HTTP/2 single-packet attack 145-line deep reference in
hunt-race-condition: last-byte-sync mechanic explained step by step,
Wireshark validation procedure, h2.0 single-frame vs h2.cl multi-frame
variants, race-window estimation methodology, Turbo Intruder Engine.BURP2
template explained line-by-line, multi-connection-single-stream decision
tree, Flatt Security's 10,000-request first-sequence-sync extension,
operator playbook. Cites Kettle DEF CON 31 + Flatt 2024 explicitly.
Workstream D — Zero-report skills backfilled:
cloud-iam-deep 0 -> 6 | okta-attack 0 -> 8
vmware-vcenter-attack 0 -> 10 | supply-chain-attack-recon 0 -> 12.
All citations primary-source URLs (CISA KEV, Mandiant, ZDI,
vendor advisories, GitHub Security blog).
Workstream E — Chains & Compositions sections on the 5 high-volume skills
(hunt-misc, hunt-xss, hunt-rce, hunt-idor, hunt-subdomain). 29
fully-developed A->B->C chain examples. Each chain: primitive A,
primitive B, terminal impact, real-world reference, severity rationale.
Workstream F — New ENGAGEMENTS.md (continent-level abstraction, SoW-redacted)
documenting two authorized engagements as the evidence file under the
README's "battle-tested" claim. Explicitly separates training-platform
exercises from authorized-engagement validation.
Bundle metrics:
- report_count: 574 -> 681 (+107)
- top-3 dominance: 81.2% -> 68.4% (-13 pp)
- skills at report_count = 0: 4 -> 0
- named missing 2024-26 surfaces: 5/5 -> 0/5
- documented chain examples: 0 -> 29
About Claude-BugHunter