Introducing Zero, our AI assistant for AppSec teams.
Not a chatbot. A persistent agent built on top of our SAST, SCA, and code intelligence.
Bug bounty report comes in: Zero analyzes it, proposes a fix, creates detection rules, scans the org.
CVE drops: Zero checks reachability, notifies the right teams, opens follow-ups, escalates if SLAs slip.
Security teams should be focused on decisions that need them. Zero handles the rest.
zeropath.com/blog/introduci…
The results are in: a Mythos-powered scan of curl resulted in 1 low severity security vulnerability... a far cry from the ~170 issues found and fixed with ZeroPath in late 2025.
This highlights two important truths:
* The "vulnpocalypse" is here already (and so far we're surviving).
* The harness is as important as the model. Mythos performs no better than 6-month-old models in ZeroPath's battle-tested vuln detection system.
We look forward to seeing what ZeroPath can do with Mythos on board!
zeropath.com/blog/zeropath-…
We're launching our AI Assistant Tuesday.
Thursday we're live with @JamesBerthoty from @latiotech breaking down what agents actually mean for appsec teams in practice.
45 min, live demo. May 14 · 1pm EST.
Register: us06web.zoom.us/webinar/regist…
ZeroPath Research discovered CVE-2026-39816, a high-severity vulnerability in Apache NiFi. Prior to version 2.9.0, an oversight in the permission model allowed users without the EXECUTE_CODE permission to run arbitrary code.
For more details and a POC:
zeropath.com/blog/nifi-cve-…
ZeroPath discovered CVE-2026-42167 in ProFTPd, one of the internet's most popular FTP daemons. The flaw allows for auth bypass and even pre-auth RCE in some configurations. Update to 1.3.9a now!
zeropath.com/blog/proftpd-c…
Take a look at the blog for technical details and a working POC.
Walkthrough: exploiting ZeroPath's new critical severity Spinnaker vulns for code execution and production environment access. (CVE-2026-32604 and CVE-2026-32613)
youtu.be/ma-00ggxSp4
We've discovered two critical (CVSS 10.0) flaws in the popular Spinnaker continuous delivery platform. Both allow attackers to execute arbitrary code and steal production source control and cloud credentials.
MITRE has assigned the vulnerabilities CVE-2026-32604 and CVE-2026-32613.
Detailed write-up with POCs:
zeropath.com/blog/spinnaker…
Reducing the total amount of work that hits developers in the first place comes from depth of analysis.
The more context ZeroPath has about a codebase, the higher the coverage, the more it can auto-remediate before anything surfaces in a PR.
Fewer findings.
More auto-patched.
Less time spent by developers who should be shipping product.
How good is Opus 4.6 by itself at vuln detection?
Given raw code, a simple prompt and some tools, we found that it finds about 1 in 4 simple C vulnerabilities, at the cost of a high FP rate and unstable results.
zeropath.com/blog/benchmark…
Requiring structured justification or using tool calls to verification agents improved results, but we believe that more sophisticated engineering around the model is likely necessary for enterprise use at scale.
CrackArmor included one of 36 sudo flaws previously discovered by ZeroPath. We're releasing the whole batch today, including a POC for remote code execution in sudo logsrvd!
Not all mainstream Linux distributions have included patches for these issues in their sudo packages yet. Worth verifying you're not vulnerable.
zeropath.com/blog/sudo-bug-…
@qualys just published the CrackArmor advisory describing a chain of vulnerabilities in AppArmor that can allow an unprivileged attacker to escalate privileges.
Part of the exploit chain relies on a vulnerability in sudo originally discovered by the ZeroPath research team last year.
sudo changelog:
github.com/sudo-project/s…
CrackArmor advisory:
cdn2.qualys.com/advisory/2026/…
Fun, free exploit development CTFs based on real world CVEs, and accompanied by hints, walkthroughs and working POCs.
zeropath.com/blog/zeropath-…
We've distilled complex issues down to repeatable, Dockerized challenges that have the nuance of the real vulnerabilities attackers love without all the noise.
ZeroPath is a Top 10 finalist at @OneRSAC Innovation Sandbox.
Years of noisy tools + missed vulnerabilities have pushed enterprises to rethink AppSec entirely. AI SAST marks the inflection point.
Excited to show what that future looks like at RSA!
Openclaw (Clawdbot) Vulnerability Alert
Malicious websites can exploit Openclaw to steal user credentials through crafted payloads. Tighten browser security and check configs.
For more details, read ZeroPath's blog on this vuln.
#AppSec #CyberSecurity #InfoSec
zeropath.com/blog/openclaw-…
ZeroPath researchers discovered a flaw in OpenClaw (aka ClawdBot) that allowed malicious websites to steal session cookies from other browser tabs using an unauthenticated websocket endpoint.
Once stolen, attackers could use these cookies to access services like Microsoft 365 without MFA.
OpenClaw fixed the issue on February 1st, 2026… users should be sure to update their instances.
zeropath.com/blog/openclaw-…
Just disclosed CVE-2025-59529 in Avahi: a local DoS where CLIENTS_MAX was defined but never enforced.
Any unprivileged user can flood the Simple Protocol server with connections until the daemon exhausts FDs and crashes, breaking .local resolution system-wide.
The vulnerability? Missing code: no validation logic at all.
Full analysis: zeropath.com/blog/avahi-sim…
#infosec #linux #CVE
Read @MegaManSec's post here: joshua.hu/llm-engineer-r…
We want to support this kind of work, so if you're interested in using ZeroPath for security research, please reach out!
ZeroPath recently helped find real bugs in curl, sudo, and some other OSS repositories.
We came across @MegaManSec's independent deep dive on AI SAST tools today, in which he used ZeroPath and some other tools against targets like curl and sudo.
Leveraging the tool and custom rules, he was able to find a bunch of issues, which got him a shoutout from Daniel (founder & lead developer of curl).