Research Worth Reading - Week 18, 2026

The consensus seems to be: models don’t matter...

🤖 AI threats in the wild: The current state of prompt injections on the web

A quick list of indirect prompt injection examples Google came across: AI threats in the wild: The current state of prompt injections on the web.

🪟 Persistence Atlas: 19 Techniques Nobody Talks About

A great list of persistence methods for AD and Windows: Persistence Atlas: 19 Techniques Nobody Talks About.

😳 Securing GitHub: Wiz Research uncovers RCE in GitHub.com

RCE on github.com using a single git push.: Securing GitHub: Wiz Research uncovers RCE in GitHub.com.

🤖 Finding Zero-Days with Any Model

Niels Provos leveraging IronCurtain (and its vuln-discovery workflow) to find vulnerabilities: Finding Zero-Days with Any Model.

🤖 Why Mythos doesn’t matter (for us)

A great write-up from liveoverflow on why small models may be a better solution: Why Mythos doesn’t matter (for us).

␖ HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555)

It’s rare to see this level of details in a blog post. Too Long, Must Read: HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555).