Daily notes on AI, testing, and building software.
CVE-2026-20182 is a CVSS 10.0 critical authentication bypass vulnerability in the Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage) that allows a remote, unauthenticated attacker to gain full…
Microsoft researchers found that even frontier AI models — including Claude Opus, GPT-5, and Gemini — lose roughly 25% of document content across 20 delegated interactions. For test automation pipelines that rely on AI…
CVE-2026-42897 is an unpatched cross-site scripting (XSS) and spoofing zero-day vulnerability in on-premises Microsoft Exchange Server, disclosed on May 14, 2026, with confirmed active exploitation in the wild.…
Anthropic's newly released multiagent orchestration in Claude Managed Agents lets a lead agent break work into pieces and delegate each to specialist sub-agents running in parallel — a model that maps almost perfectly…
CVE-2026-41096 is a critical heap-based buffer overflow in the Windows DNS Client (dnsapi.dll) that allows an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges on any Windows machine —…
Test-Oriented Programming (TOP) inverts the traditional development workflow by making tests the only artifact developers write — and delegating all production code to AI. For QA professionals, this isn't just a…
Agentic QA has crossed from experimental to production-ready in 2026 — with architectures built around Plan-Act-Verify reasoning loops and self-healing DOM selectors that adapt to UI drift automatically. For QA…
CVE-2026-43941 is a critical (CVSS 9.6) Remote Code Execution vulnerability in electerm, a popular open-source SSH, SFTP, and serial terminal client built on Electron. The flaw allows an attacker controlling a malicious…
"Dirty Frag" is a two-CVE local privilege escalation (LPE) exploit chain in the Linux kernel that allows any unprivileged local user to gain full root access in a single command on nearly every major Linux distribution.…
Two chained vulnerabilities in Ollama's Windows auto-updater — CVE-2026-42248 (missing signature verification) and CVE-2026-42249 (path traversal RCE via HTTP response headers) — allow an attacker who can intercept…