2026-05-17-4381863a
One pipeline fire, in full · intel run of 2026-05-17 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-17/2026-05-17-4381863a.md.
Run telemetry
- Items returned
- 3
- Duration
- 8m 09s
- Tool calls
- 18 WebFetch4 WebSearch22 bridge
- Cited sources
- 5 of 27 in slice
- Items returned
- 3
- Duration
- 7m 50s
- Tool calls
- 14 WebFetch9 WebSearch12 bridge
- Cited sources
- 7 of 43 in slice
- Items returned
- 4
- Duration
- 11m 18s
- Tool calls
- 13 WebFetch22 WebSearch6 bridge
- Cited sources
- 5 of 68 in slice
- Items returned
- 3
- Duration
- 8m 36s
- Tool calls
- 14 WebFetch18 WebSearch9 bridge
- Cited sources
- 6 of 25 in slice
Verification
Deep dive
2026-05-17/pwn2own-berlin-2026-master-of-pwn-outcomes-the-new-ai-agents
Entries published (this run)
- CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper threat high
- FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned incident high
- CVE-2026-41225 — F5 BIG-IP / BIG-IQ: iControl REST Manager-role authenticated RCE (CVSS 4.0 score 8.6 / CVSS 3.1 score 9.1) leading the May 2026 Quarterly Notification vulnerability high
- CVE-2026-41553 — DHTMLX PDF Export Module: unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0), with CVE-2026-41552 and CVE-2026-7182 path-traversal companions vulnerability high
- Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit research notable
- Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation vulnerability notable
- Pwn2Own Berlin 2026: Master-of-Pwn outcomes, the new AI Agents category, and the compound-Exchange-threat picture for European defenders threat high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| cisco-psirt | https://sec.cloudapps.cisco.com/security/center/Publications.x?type=Cisco%20Secu | webfetch → rss | 404 transport-404 Cisco PSIRT RSS endpoint returned HTTP 404; alternate canonical URL probe also failed | none — Cisco PSIRT advisory list unreachable this run; no in-window Cisco advisories required for brief composition |
Bridge invocations (this run)
9 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:url ×2
- bridge:cisa-kev ×1
- bridge:ncsc-csh.recent ×1
- bridge:ncsc-nl.recent ×1
- bridge:ncsc-nl.csaf ×1
- bridge:bsi-rss ×1
- bridge:enisa-euvd.recent ×1
- webfetch ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 8 findings (truth=5, editorial=1, advisory=1) · Claude Opus 4.7 · 5m 45s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 hallucinated-fact | active-threats | CERT-PL CVE-2026-44088 SzafirHost JAR zip-polyglot bypass CWE-345 attribution | CWE-345 attribution not in CERT-PL primary; CERT-PL assigns a different CWE | Removed the CWE-345 link entirely; kept the technique-class ATT&CK ID reference fixed-degraded |
| F2 claim-not-supported | deep-dive | Pwn2Own Day 1/Day 2 attribution drift Viettel popped Cursor / STARLabs SG popped LM Studio / k3vg3n popped LiteLLM Day 2 | Three attributions inverted: Viettel hit Codex Day 1 not Cursor; OtterSec hit LM Studio Day 2 (not STARLabs SG); k3vg3n LiteLLM was Day 1 not Day 2 | Rewrote Day 1 / Day 2 narrative paragraph with correct attributions (Viettel Codex Day 1; OtterSec LM Studio Day 2; k3vg3n LiteLLM Day 1) fixed-clean |
| F3 claim-not-supported | deep-dive | Pwn2Own Day 3 NVIDIA Container Toolkit attribution Day 3 ... NVIDIA Container Toolkit use-after-free | NVIDIA Container Toolkit UAF was Day 2 (0xDACA / Noam Trobinski $25K), not Day 3 | Moved NVIDIA Container Toolkit UAF to Day 2 paragraph with correct attribution and prize amount; removed from Day 3 fixed-clean |
| F4 claim-not-supported | deep-dive | Pwn2Own Day 1 Ikotas Labs attribution Ikotas Labs hit Codex via a separate external-control abuse | ZDI marks this as Satoki Tsuji collision ($8K), not Ikotas Labs external-control abuse | Replaced with Satoki Tsuji collision attribution per ZDI Day 1 fixed-clean |
| F5 claim-not-supported | deep-dive | Pwn2Own narrative cohesion 47 unique zero-days, $1,298,250 awarded | Surrounding attribution drift undermines reader trust in the headline; treat as single corrected paragraph | Full rewrite of day-by-day paragraph addresses cohesion via F2/F3/F4 fixes fixed-clean |
| F6 quantifier-without-source | trending-vulnerabilities | F5 BIG-IP 43 CVEs claim 43 CVEs | SecurityWeek (cited secondary) says 51; F5 K000160932 says different number. Citation backing for '43' was implicit only | Reworked F5 lead to attribute SecurityWeek's '51' and NCSC-NL CSAF's '43 in BIG-IP / BIG-IQ scope' explicitly with attribution to both sources fixed-clean |
| F7 strengthen-primary-source | trending-vulnerabilities | CVE-2026-41225 F5 primary source NCSC-NL listed first | F5 K000160932 is the vendor PSIRT primary; NCSC-NL is a CERT restatement | Flipped footer source order: F5 K000160932 as primary, SecurityWeek and NCSC-NL as Additional sources fixed-clean |
| F8 editorial-advisory | deep-dive | AI Agents category coverage list every AI-agent target fell (OpenAI Codex, Cursor, LM Studio, LiteLLM, NVIDIA Container Toolkit) | Selective list omits Claude Code, Claude Desktop, Chroma, Megatron Bridge, Ollama (collisions); NVIDIA Container Toolkit is a runtime not an agent target | Rewrote AI-Agents paragraph and TL;DR bullet to enumerate all targets with their outcomes (exploits + collisions) and remove NVIDIA Container Toolkit from the a fixed-clean |
Iteration #2 NEEDS_FIXES · 4 findings (truth=3, editorial=0, advisory=1) · Claude Sonnet 4.6 · 4m 05s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 hallucinated-fact | deep-dive | Pwn2Own Day 1 Satoki Tsuji attribution Satoki Tsuji's Codex attempt collided | Iter1 F4 remediation introduced new error: Satoki Tsuji actually hit NVIDIA Megatron Bridge ($20K), not Codex; Codex collision was maitai (Doyensec); LiteLLM collision was Ikotas Labs | Rewrote Day 1 paragraph with correct attributions: Satoki Tsuji NVIDIA Megatron Bridge $20K; maitai/Doyensec Codex $10K collision; Ikotas Labs LiteLLM $8K colli fixed-clean |
| F2 claim-not-supported | trending-vulnerabilities | CVE-2026-41225 CVSS discrepancy CVSS 9.1 | SecurityWeek states 8.6; NVD shows both CVSS 4.0 score 8.6 and CVSS 3.1 score 9.1 are valid for same CVE (different scales, not vendor disagreement) | Bridge-verified F5 page (JS-gated, used WebFetch + NVD), confirmed both scores exist on different scales. Updated body, heading, TL;DR, CVE table, footer CVSS f fixed-clean |
| F3 claim-not-supported | deep-dive | OtterSec LM Studio technique over-claim OtterSec popped LM Studio with an SSRF-plus-code-injection chain | ZDI Day 2 lists OtterSec LM Studio as code injection only — no SSRF; SSRF+code-injection belongs to k3vg3n LiteLLM Day 1 | Removed SSRF prefix from OtterSec LM Studio description in Day 2 paragraph; updated AI Agents paragraph to clarify k3vg3n's LiteLLM is the SSRF chain and OtterS fixed-clean |
| F4 editorial-advisory | deep-dive | Viettel Claude Code collision $20K omitted Day 1 missing Viettel Claude Code collision | Nguyen Thanh Dat (Viettel) hit Claude Code for $20K collision Day 1 — adds AI Agents target coverage completeness | Added Viettel Claude Code collision $20K to Day 1 narrative fixed-clean |
Iteration #3 NEEDS_FIXES · 7 findings (truth=4, editorial=2, advisory=1) · Claude Opus 4.7 · 2m 01s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 analytical-link-as-fact | tldr | Pwn2Own TL;DR bullet OtterSec SSRF claim LM Studio (OtterSec SSRF+RCE chain) | TL;DR carried OtterSec SSRF+RCE; ZDI Day 1 shows STARLabs SG did the SSRF+code-injection 5-bug chain; OtterSec Day 2 was code-injection only | Updated TL;DR to 'LM Studio (OtterSec code-injection Day 2; STARLabs SG separately ran an SSRF+code-injection 5-bug chain on Day 1)' fixed-clean |
| F2 hallucinated-fact | active-threats | SzafirHost Polish system names Platforma e-Zamówienia, Portal Informacyjny, KSeF, P1 platform | Specific Polish system names not in CERT-PL or ENISA primary sources | Replaced specific system names with generic 'Polish public procurement, court e-filing, tax administration and healthcare e-signature workflows' fixed-clean |
| F3 hallucinated-fact | active-threats | SzafirHost Swiss procurement portal acceptance accepted by Swiss federal and cantonal procurement portals | Swiss portal acceptance claim not in CERT-PL/ENISA source | Rephrased to general eIDAS cross-recognition across EU member states and Switzerland's eIDAS-equivalent framework, dropping the specific portal-acceptance claim fixed-clean |
| F4 quantifier-without-source | active-threats | SzafirHost dominant claim Szafir QES is the dominant Polish qualified signature stack | Other Polish QTSPs exist (Asseco/Certum, Eurocert) — 'dominant' is unsourced | Softened to 'one of the established Polish qualified signature ecosystems' fixed-clean |
| F5 claim-not-supported | trending-vulnerabilities | SecurityWeek phrasing SecurityWeek tallies 51 high and medium-severity | Actual SecurityWeek phrasing is 'over 19 high-severity and 32 medium-severity'; 51 is the writer's sum | Updated TL;DR and § 2 lead to use SecurityWeek's actual phrasing 'over 19 high-severity and 32 medium-severity' with arithmetic attributed fixed-clean |
| F6 strengthen-primary-source | active-threats | SzafirHost CVSS source CVSS: 8.6 in footer with CERT-PL as Source | CERT-PL does not publish numeric CVSS; 8.6 is from ENISA EUVD | Added body sentence explicitly attributing the CVSS 4.0 base 8.6 score to ENISA EUVD EUVD-2026-30512 and noting CERT-PL doesn't publish numeric CVSS fixed-clean |
| F7 editorial-advisory | deep-dive | Day 1 omits Orange Tsai Edge sandbox escape Day 1 enumeration | Orange Tsai's $175K 4-bug Edge sandbox escape was the day's biggest award and DEVCORE's Master of Pwn foundation | Added Orange Tsai Edge $175K opening of Day 1 narrative; also added STARLabs SG 5-bug LM Studio Day 1 chain fixed-clean |
Iteration #4 NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Sonnet 4.6 · 5m 17s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 broken-url | trending-vulnerabilities | NCSC-NL advisory URL SPA-rendered | WebFetch on the SPA advisory URL returns only the redirect shell; URL exists per bridge fetch but isn't independently verifiable by a cold WebFetch read | Replaced both NCSC-NL SPA URLs (NCSC-2026-0162 and NCSC-2026-0161) with the canonical CSAF JSON URLs (https://advisories.ncsc.nl/csaf/v2/2026/ncsc-2026-XXXX.jso fixed-clean |
| F2 claim-not-supported | trending-vulnerabilities | F5 CVE-2026-41225 CWE attribution [CWE-250](https://cwe.mitre.org/data/definitions/250.html) | NVD records CWE-648 (Incorrect Use of Privileged APIs) for CVE-2026-41225, not CWE-250 (Execution with Unnecessary Privileges) | Changed CWE-250 link to CWE-648 with attribution 'per NVD' fixed-clean |
Iteration #5 NEEDS_FIXES cap-breach · 4 findings (truth=4, editorial=0, advisory=0) · Claude Opus 4.7 · 5m 02s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 claim-not-supported | active-threats | FunnelKit Sansec quote attribution Sansec describes it as | Quote was THN's rephrasing of Sansec, not Sansec verbatim | Re-attributed quote: 'per The Hacker News's coverage of Sansec's research' with the exact THN-published quote fixed-clean |
| F2 quantifier-without-source | trending-vulnerabilities | F5 BIG-IP NCSC-NL CSAF CVE count 43 43 CVEs in the BIG-IP / BIG-IQ scope | Verifier claimed CSAF lists only 23 CVEs, not 43 | REBUTTED — main agent re-verified CSAF via tools/fetch_source.py ncsc-nl csaf NCSC-2026-0162: 43 unique CVEs present including CVE-2026-41225. Iter5 verifier wa residual-at-cap |
| F3 hallucinated-fact | trending-vulnerabilities | F5 CVE-2026-42406 and CVE-2026-41953 not in CSAF iControl REST command injection cluster | Verifier claimed CVE-2026-42406 and CVE-2026-41953 not in NCSC-NL CSAF | REBUTTED — main agent directly queried NCSC-NL CSAF JSON: both CVE-2026-42406 and CVE-2026-41953 are present in the 43-CVE CSAF list. Iter5 verifier was incorre residual-at-cap |
| F4 claim-not-supported | trending-vulnerabilities | DHTMLX CVE-2026-41552 src attribute scope via the `src` HTML attribute | CERT-PL ties the `src` attribute to CVE-2026-7182 (Diagram), not CVE-2026-41552 (Gantt/Scheduler) | Removed `src` qualifier from CVE-2026-41552 sentence; moved it to the CVE-2026-7182 (Diagram) mention fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-17-4381863a · Claude Opus 4.7 · window 40 h · 7 entries published
- Items dropped:
- GitLab CE/EE 18.11.3 security release — 25 CVEs including CVE-2026-7481 / CVE-2026-7377 / CVE-2026-6073 (CVSS 8.7 stored XSS). Dropped from § 2 because no CVE in the cluster clears any § 2 inclusion gate: not CISA-KEV-listed, no ENISA-EUVD exploited=true entry, top CVSS 8.7 (< 9.0), no public PoC, no in-the-wild exploitation reported. The XSS cluster is post-auth (Developer role required) with victim interaction prerequisite. Recommend operators apply through normal GitLab patch cadence; flagging would be over-weighted given today's competing operational signal. Source for reference: NCSC-NL NCSC-2026-0161, 2026-05-15.
- FamousSparrow (UAT-9244) Azerbaijani oil & gas three-wave Exchange intrusion (Bitdefender, 2026-05-13). Surfaced by S3 and S4 but the primary publication is from 2026-05-13 — outside both the 40 h recency window and the 72 h developing window. The 2026-05-14 daily deep dive already covered FamousSparrow against the Azerbaijani energy operator; no material new development this run. Source for reference: Bitdefender Business Insights, 2026-05-13.
- Single-source items: § 3 Kimsuky / PebbleDash / HelloDoor (Kaspersky Securelist as sole source) — included under the HIGH-reliability research-lab carve-out; explicitly flagged
[SINGLE-SOURCE]in the item. - Items included with reduced confidence (window edge): § 3 Kimsuky item is at the edge of the 72 h developing window (Securelist publication 2026-05-14, ~62 h before run start) — included because the technical novelty (Rust-based PebbleDash variant + TryCloudflare quick-tunnel C2) is defender-actionable and not previously covered.
- Contradictions: none surfaced this run.
- Sub-agent timing: all four
cti-researchsub-agents (S1, S2, S3, S4) returned within budget. S1 → S4 durations 489 / 470 / 678 / 516 seconds, all well under the 30-min hard cap. S3 wroteS3.ended_atbut itsfindings.S3.yamlwas finalised at 04:19:21 UTC, with the assistant-text return delivered ~2 minutes after the disk artefact landed (no operational impact — main agent waits on the disk artefact, not the assistant-text return). - Coverage gaps: databreaches-net (5 consecutive runs failing 403 — Cloudflare anti-bot, no Wayback corroboration available; covered via primary regulator notices and victim disclosures where present); inside-it-ch (5 runs 403 — Cloudflare-protected, bridge fetches blocked); cisco-psirt RSS endpoint returned 404 in this run (last known good 2026-05-15; main vendor PSIRT page reachable, advisory list not); cert-fr (no new items since 2026-05-13 in the AVI/ACT feeds); cert-eu (most recent advisory dated 2026-05-13, outside the 40 h window); talos (bridge known-403, not attempted in this run — pivoted to other channels; pre-window content only); sophos-xops (HTTP 503 on blog fetch in this run); dfirreport (EtherRat + TukTuk flash alert published 2026-05-11, outside 72 h developing window). One candidate source surfaced by S3 —
sansec-research(Sansec, sansec.io — Magecart and e-commerce skimming primary research) — promoted tostatus: "candidate"insources/sources.jsonper the one-candidate-per-run rule. - Verification: five Phase 5.7 iterations ran (Opus / Sonnet-alt / Opus / Sonnet-alt / Opus rotation per v2.47); the brief publishes at the v2.46 cap-breach safety valve with the final iteration NEEDS_FIXES (truth=4, editorial=0). Iter1 found 5 truth + 1 editorial + 1 advisory (Pwn2Own attribution drift, F5 source-order, F5 quantifier); iter2 found 3 truth + 1 advisory (Satoki Tsuji attribution, CVSS dual-scale confusion 8.6 vs 9.1, OtterSec LM Studio technique over-claim); iter3 found 4 truth + 2 editorial + 1 advisory (SzafirHost overreach on Polish public-sector specifics, Swiss procurement portal claim, "dominant" quantifier, SecurityWeek phrasing, NCSC-NL CSAF source-attribution gap, Day 1 Orange Tsai Edge omission); iter4 found 1 truth + 1 editorial (NCSC-NL SPA URLs swapped for canonical CSAF JSON URLs, CWE-250 → CWE-648 per NVD). Iter5 residuals retained as the cap-breach record: F1 quote re-attributed (Sansec → The Hacker News citing Sansec, applied); F4 DHTMLX
srcqualifier scoped to CVE-2026-7182 only (applied). Iter5 findings F2 and F3 were verifier false-positives — main agent re-verified the NCSC-NL CSAF JSON directly (tools/fetch_source.py ncsc-nl csaf NCSC-2026-0162) showing 43 unique CVEs in the BIG-IP / BIG-IQ scope (not 23 as iter5 claimed) and all of CVE-2026-42930, CVE-2026-42924, CVE-2026-42406, CVE-2026-41953 present in the CSAF (iter5 claimed CVE-2026-42406 and CVE-2026-41953 absent). The brief preserves the 43-count and the four-CVE injection cluster as written.verification_residual_count = 4records iter5's raw counts before this rebuttal-by-direct-CSAF-re-verification.
Migrated from briefs/2026-05-17.md (v2).
← Operations dashboard · day page 2026-05-17 · run-record contract: docs/pipeline.md