Abstract: Java deserialization vulnerabilities have become a critical security threat, challenging to detect and even harder to exploit due to deserialization's flexible and customizable nature.

Java Development Kit (JDK) 26, a planned update to standard Java due March 17, 2026, has reached its second release candidate (RC) stage. The RC is open for critical bug fixes, with the feature set ...

SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution. The ...

For more information, we refer to the reference publication. If you are overwhelmed by the fragment construction (trampoline + chain + sinkadapter), do not worry! We set default values (here) for ...

‘Third time’s the charm?’ asks a prominent security researcher after what appears to be the same critical Java deserialization flaw gets a third security update. SolarWinds has released a third patch ...

Long-Term Support release, with features ranging from structured concurrency and compact object headers to ahead-of-time method profiling and JFR CPU-time profiling on Linux, is now generally ...

A critical Sitecore zero-day vulnerability is under active exploitation in the latest series of ViewState deserialization attacks this year. The vulnerability, tracked as CVE-2025-53690 and disclosed ...

PortSwigger’s Director of Research, James Kettle presents latest research at Black Hat USA / DEF CON 2025 KNUTSFORD, England–(BUSINESS WIRE)–PortSwigger, a renowned application security software ...

PortSwigger, a renowned application security software provider, is issuing a bold challenge to the web security community: it's time to retire HTTP/1.1 for good. At Black Hat USA and DEF CON, James ...

A flaw in code for handling Parquet, Apache’s open-source columnar data file format, allows attackers to run arbitrary code on vulnerable instances. The vulnerability, tracked as CVE-2025-30065, is a ...