How fuzzing F3D’s 3D file parser with a dictionary-based libFuzzer harness found four memory corruption vulnerabilities in VTK’s GLTF document loader — two use-after-frees, a heap buffer overflow, and a buffer overread.
Posts for: #Research
The Binary Switcheroo: Turning a KDE File Manager Into a Local Privilege Escalation
How a TOCTOU race condition in KDE’s kio-admin plugin verification lets local attackers escalate privileges through Dolphin’s administrator mode — with a ~4% hit rate per attempt.
Django Allauth: Account Takeover via Provider Identifier Mutability
Account impersonation in django-allauth through a mutable preferred_username used as the provider identifier.