CVEs & Advisories

Security Research

CVE disclosures, vulnerability advisories, and original security research published from active engagements and independent investigation.

Disclosures

CVE Disclosures

CVE-2025-54236 — SessionReaper

Magento / Adobe Commerce — Nested Deserialization RCE

Critical 9.8 PoC Available

Unauthenticated remote code execution via nested PHP object deserialization in the Magento session handler. Affects Magento Open Source and Adobe Commerce versions prior to the February 2025 patch. Proof-of-concept demonstrates full shell access from the checkout endpoint with no prior authentication.

View PoC → Disclosed: February 2025

Research — LLM Prompt Injection Primitives

Multiple Vendors — AI Model Trust Boundary Violations

High Coordinated Disclosure

Systematic analysis of prompt injection attack primitives across commercial LLM deployments. Research covers context poisoning, instruction hierarchy bypass, and multi-turn manipulation chains. Published as advisory with generalized mitigations applicable across model families.

Read Write-Up →

SSRF to Cloud Account Compromise

Web Application + AWS — Attack Chain Research

Research

Documented attack chain from server-side request forgery in a SaaS web application through IMDS metadata retrieval to full AWS account credential exfiltration. Illustrates why web application and cloud penetration testing must be scoped together rather than as separate engagements.

Read Full Analysis →

Publications

Whitepapers & Advisories

2026

Recursive Language Models

Scaling LLM context windows by treating prompts as environment variables. Security implications of recursive context manipulation in production AI systems.

Read →

2025

170+ Cybersecurity Regulations

MIT researchers analyzed the global regulatory landscape. What it means for SaaS compliance strategy and why traditional pentesting misses the point on regulatory evidence.

Read →

Policy

Responsible Disclosure

All vulnerabilities discovered by Bagheera Labs in systems we are not authorized to test are reported to the affected vendor through coordinated disclosure. We follow a 90-day disclosure timeline aligned with standard industry practice, providing vendors with sufficient time to remediate before public release.

If you are a vendor who has received a report from Bagheera Labs, or if you have discovered a vulnerability you wish to report, please contact us directly.

Contact for Disclosure →