Research

For a Fistful of Dollars: Less than $100 of Compute Surfaces Pre-auth RCE in Apache httpd

A double-free in Apache httpd's mod_http2 stream cleanup, surfaced by Striga, turns a two-frame HTTP/2 sequence into pre-auth Remote Code Execution.

6 May 2026Bartłomiej Dmitruk

Ollama Updates Itself Into Persistent RCE on Windows

A path traversal and a missing signature check in Ollama's Windows updater, surfaced by Striga, chain into persistent code execution that runs on every login.

29 Apr 2026Bartłomiej Dmitruk

Fail Open, Game Over: Turning a One-Line Tomcat Fix into Unauthenticated RCE

Striga uncovered a fail-open regression in Apache Tomcat's cluster encryption that turns a one-line code change into unauthenticated Remote Code Execution.

13 Apr 2026Bartłomiej Dmitruk

The Help Button That Steals Your NTLM Hash

A Striga scan of Mattermost Desktop revealed that server-controlled URLs bypass Electron's protocol validation entirely, enabling silent NTLM credential theft on Windows.

10 Apr 2026Bartłomiej Dmitruk