Disclosure timeline for four bmcweb findings reported in February 2026. Two were quietly patched on the same day, with a single GHSA covering one of them — and the GHSA has no CVE attached. The other two remain unpatched on master. The story is less about any one bug than about how thin the path from upstream advisory to vendor firmware actually is.
The Disclosure Gap: How Bug Bounty Platforms Give Vendors Indefinite Suppression Power
A detailed comparison of disclosure policies across major bug bounty platforms reveals that researchers who submit through platforms surrender their right to disclose — sometimes forever. When vendors refuse to fix, researchers have no recourse.
Born Insecure: What Firmware Analysis Reveals About IoT Security Debt
I analyzed seven firmware images from a major IoT camera vendor and found shared private keys, plaintext cloud protocols, and a command injection chain — all baked into the architecture from day one. This isn’t an end-of-life problem. It’s a design problem.
HTB CCTV — ZoneMinder SQLi to Root via motionEye Signed API Command Injection
Walkthrough of HackTheBox CCTV machine — from ZoneMinder default credentials and CVE-2024-51482 blind SQLi to root via motionEye’s HMAC-signed API command injection in on_event_start hooks
Cracking Passwords from Embedded Linux Devices: The musl DES Crypt $ Salt Problem
DES crypt hashes with a $ character in the salt — generated by musl libc on OpenWrt routers — break every standard cracking tool. Here’s why, and the one-character fix.
HTB Pterodactyl — Pterodactyl Panel LFI to Root via CVE-2025-6018/6019 PAM+udisks Chain
Walkthrough of HackTheBox Pterodactyl machine — from Pterodactyl Panel LFI via pearcmd RCE to root via chained PAM session spoofing and libblockdev XFS resize SUID mount bypass
HTB Facts — Camaleon CMS Mass Assignment to Root
Walkthrough of HackTheBox Facts machine — from Camaleon CMS mass assignment to root via sudo facter custom facts
HTB Interpreter — Mirth Connect RCE to Root via Flask eval() Injection
Walkthrough of HackTheBox Interpreter machine — from Mirth Connect pre-auth XStream deserialization RCE to root via Flask eval() code injection
HTB WingData — Wing FTP RCE to Root via Python tarfile Filter Bypass
Walkthrough of HackTheBox WingData machine — from Wing FTP Server NULL byte Lua injection to root via Python tarfile filter="data" PATH_MAX bypass