Producción betaLa plataforma está en fase de pruebas y transformación continua. Puedes subir cursos y usar el campus con normalidad; disculpa cualquier ajuste temporal mientras consolidamos la experiencia.
Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London. The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority's emplo...
A lot of this week’s trouble starts with something that looks close enough. A familiar repo. A useful installer. A harmless sync setting. Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation. Old bugs are back, weak...
n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the sub claim alone and ignored iss. A valid token from issuer A carrying...
Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026. "The malware is full-featured, lightweight, and modular," Elastic Security Labs researcher Cyril Françoi...
ClickLock Stealer, a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs...
More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previousl...
Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click "Buy Now" instead. Ask a coding assistant to apply a maintainer's fix from a GitHub thread, and a fake comment can make it run a stranger's command on your computer. Neither...
An advanced malware previously attributed to a China-linked threat actor has resurfaced after more than four years within a Taiwan manufacturing firm, along with a previously unreported backdoor dubbed Stupig. Daxin ("srt64.sys"), as the kernel-mode rootkit is referred to, was f...
Artificial intelligence (AI) is changing offensive security, but it has not changed the standard that matters most: a finding has to be proven before it becomes useful. AI-assisted tools can read code quickly, generate payloads, summarize attack surfaces, explain unfamiliar APIs...
Pull the certificate off the flash of a Shark RV2320EDUS robot vacuum, and you can run root commands on other people's Shark vacuums across the same AWS region: watch the camera, drive the robot, read the map of the house, and take the Wi-Fi password in plaintext. A researcher p...
OpenAI has disclosed details of GPT-Red, an internal automated red-teaming model that scales prompt injection vulnerability discovery with an aim to fix issues before the tools are deployed widely. "GPT‑Red is a strong red-teamer, and our previous models are highly vulnerable to...
Zoom has released security updates for a critical security flaw impacting Zoom Workplace for Windows that could facilitate account takeover. The vulnerability, tracked as CVE-2026-53412 (CVSS score: 9.8), affects Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and...
Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results. "While t...
A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase. On an infected PC, the request comes from inside the wallet's own desktop software. Sometimes it w...
Mozilla has released updates to address two critical flaws in Firefox for which it warned that exploit code has been published. The vulnerabilities are listed below - CVE-2026-15718, an invalid pointer in the JavaScript: WebAssembly component CVE-2026-15719, a site isolation in...
For years, routing traffic through cloud proxies was good enough. Then work moved to the browser, AI entered the workflow, and the inspection model stopped keeping up. Enterprise workflows now live across SaaS applications, browsers, and an expanding ecosystem of generative AI t...
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, a...
A single approved marketing tag can quietly load fourth-party code your security team has never seen, granting full access to your forms, customer data, and checkout pages. This on-demand webinar reveals how this Approval Gap forms, and gives your team the blueprint to close it...
Open a repository in Cursor on Windows and, if a file named git.exe is sitting in the project root, Cursor runs it. No click, no approval dialog, no warning that anything in the folder is about to execute. Whatever that binary does, it does as you, with your source, your SSH key...
Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity. The affected packages are listed below - @asyncapi/generator-helpers@1.1.1 @asyncapi/g...
SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution. The vulnerabilities are listed below - CVE-2026-15409 (CVSS score: 10....
This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0....
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of...
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of...
We use technical cookies to keep sessions secure and, only with your permission, academy measurement and communications. You can accept all, keep only essentials, or configure each preference.
Cookie preference center
VulnHunters Academy uses cookies and local storage to keep sessions secure, remember preferences, and measure site performance. Non-essential cookies are enabled only after consent.
Strictly necessary cookies
Required for login, CSRF-protected forms, consent records, interface preferences such as light/dark mode, and misuse prevention.
Performance analytics cookies
Help us understand performance, navigation errors, most consulted sections, and technical quality. Data is handled in aggregate whenever possible and is not used for automated academic decisions.
Communication and campaign cookies
Measure the effectiveness of academy communications, admission notices, course updates, and internal campaigns. You can browse and buy courses with these disabled.
Consent management
You can change preferences at any time from the footer. Rejecting non-essential cookies does not limit basic content, registration, or required academic features.
Terms and conditions
1. Authorized use
All learning is oriented toward defense, authorized auditing, responsible research, and improvement of systems you own or have explicit permission to assess.
2. Ethical conduct
Using academy knowledge, labs, or materials to access third-party systems, bypass controls, or cause harm is prohibited.
3. Intellectual property
Materials, guides, challenges, and templates belong to VulnHunters Academy or their authors. Commercial redistribution is not allowed without permission.
4. Payments and access
Paid-course access is activated after transaction confirmation. Refund policies are communicated before enrollment is completed.
5. Privacy
We process personal data under GDPR/LOPD. Until an official mailbox is enabled, access, rectification, or deletion requests are handled through the internal contact form.
6. Responsibility
Students are legally responsible for any misuse outside environments authorized by the academy.
7. Certification
Certificates are issued after rubrics, minimum attendance, and deliverables are completed. The academy may revoke them in case of academic fraud.
Privacy policy
VulnHunters Academy collects registration data, preferences, academic activity, and payment information to provide the educational service. We do not sell personal data or disclose information to third parties except where legally required or necessary providers operate the platform.
Data is retained while an account remains active or during applicable legal periods. Until an official mailbox is enabled, rights requests are handled through the internal contact form.
We apply reasonable technical measures: HttpOnly session cookies, CSRF validation, activity logs, data minimization, and separation of sensitive folders.
Professional cookie policy
Last updated: May 2026.
This policy explains how VulnHunters Academy uses cookies, local storage, and equivalent technologies on the web platform. Its purpose is transparency, user control, and safe operation of courses, marketplace, chat, profiles, and private panels.
1. What cookies are
Cookies are small files or technical records stored by the browser when you visit a website. We may also use local browser storage to remember language, consent, or interface preferences.
2. Controller
The controller is VulnHunters Academy. For privacy, consent, or rights requests, use the internal contact form until an official mailbox is enabled.
3. Strictly necessary cookies
These cookies are essential to provide the requested service: session continuity, CSRF protection, basic preferences, security measures, consent state, and private-area navigation.
4. Performance analytics cookies
These cookies help measure stability, load times, technical errors, visited pages, and aggregated use of features. They are enabled only with consent.
5. Communication and campaign cookies
These cookies measure internal academy communications, admission forms, course promotions, marketplace updates, and informative campaigns. You may reject them without losing essential features.
6. Specific purposes
We use cookies for authentication, security, fraud prevention, user preferences, consent management, technical analytics, content improvement, campaign measurement, and interactive features such as chat and marketplace.
7. Legal basis
Technical cookies are based on the need to provide the requested service. Analytics and communication cookies are based on consent, which can be granted, rejected, or withdrawn at any time.
8. Retention and providers
Session cookies are normally deleted when the browser closes or the session expires. Where payment, security, analytics, email, or hosting providers are involved, access is limited to the contracted purpose.
9. Withdrawing consent
You can change preferences from the Cookie settings link in the footer. You can also remove or block cookies from your browser settings.
10. Policy changes
We may update this policy to reflect legal, technical, or functional changes. When a change is relevant, the platform may request consent again.