Privilege escalation to root in Lima QEMU guests via a world-writable agent socket (CVE-2026-53657)
An unprivileged user inside a Lima QEMU guest could reach the root-owned guest-agent socket and run commands as root in the VM. Fixed in Lima v2.1.3.
Field notes from the operators: novel primitives, tooling we build, and what shows up when synthetic adversaries spend a week with your surface.
An unprivileged user inside a Lima QEMU guest could reach the root-owned guest-agent socket and run commands as root in the VM. Fixed in Lima v2.1.3.
A registered phpBB 4.0.0-alpha1 user could point Web Push at any URL; the server fetched it. Coordinated disclosure; fixed in phpBB 4.0.0-a2.
A two-byte gRPC request crashed AWS’s Kubernetes KMS plugin. Coordinated disclosure with AWS VDP; fix merged as aws-encryption-provider#169.
We built Syntetisk around a single hypothesis: that adversarial tooling becomes sharper when operator judgment compounds. Every senior reviewer decision — “this is a real finding,” …