Top AI Product


Squidbleed: Claude Mythos Digs Up a Squid Vulnerability That Lurked for 29 Years

Security firm Calif.io pointed Claude Mythos Preview, running multi-agent analysis, at Squid proxy’s FTP parsing code. The model flagged a heap over-read almost immediately. The bug dates to a January 1997 commit — older than Squid’s own GitHub history. Human code review missed it for 29 years. It’s now CVE-2026-47729, aka Squidbleed.

One line of C, 29 years of exposure

The root cause is a strchr API contract violation. When the code searches for '\0', C11 specifies that the terminating null counts as part of the string, so strchr returns a pointer to the terminator rather than NULL; the "found" check passes and the pointer walks past the end of the buffer. The payoff for an attacker: control one FTP server and Squid bleeds other users' cleartext HTTP requests, including Authorization headers, cookies, and API keys. FTP is enabled by default, and port 21 sits in the default Safe_ports ACL. Fixed in Squid v7.6, shipped June 8, 2026. The patch is one null check.
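The strchr contract described above, shown in an added C example that is not Squid's code: a hypothetical token scanner is called with '\0' as the delimiter, and the only difference between its naive and hardened modes is the null check that the text says the patch adds. The FTP-style input line is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* C11 7.24.5.2: for strchr, the terminating null character is considered
 * part of the string, so strchr(s, '\0') returns a pointer to the
 * terminator, never NULL. A "found it" check that does not special-case
 * '\0' therefore always passes. */

/* Hypothetical token scanner (constructed, not Squid's code): returns the
 * token length before 'delim' and moves *cursor past the delimiter, or
 * returns -1 and leaves *cursor alone when the delimiter is absent.
 * With hardened == 0 this is the unsafe pattern: delim == '\0' makes
 * *cursor land one past the terminator, the start of an over-read. */
long scan_token(const char **cursor, char delim, int hardened)
{
    if (hardened && delim == '\0')      /* the one null check */
        return -1;
    const char *p = strchr(*cursor, delim);
    if (p == NULL)
        return -1;
    long len = (long)(p - *cursor);
    *cursor = p + 1;                    /* past the end when p is the terminator */
    return len;
}

/* Constructed FTP-style line; wrappers below return checkable values
 * without dereferencing anything beyond it. */
static const char line[] = "USER anonymous";

long scan_len(char delim, int hardened)
{
    const char *cur = line;
    return scan_token(&cur, delim, hardened);
}

/* 1 if the cursor ends up beyond the terminator, i.e. the over-read state. */
int scan_past_end(char delim, int hardened)
{
    const char *cur = line;
    scan_token(&cur, delim, hardened);
    return cur > line + strlen(line);
}

int main(void)
{
    printf("naive    ' ' : len=%ld past_end=%d\n", scan_len(' ', 0), scan_past_end(' ', 0));
    printf("naive    '\\0': len=%ld past_end=%d\n", scan_len('\0', 0), scan_past_end('\0', 0));
    printf("hardened '\\0': len=%ld past_end=%d\n", scan_len('\0', 1), scan_past_end('\0', 1));
    return 0;
}
```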

Why security Twitter won’t shut up about it

This isn’t a product launch — it’s the strongest proof point yet for LLM agents as vulnerability hunters on real infrastructure code. A Heartbleed-class bug from the Clinton era, surviving decades of human audits, spotted instantly by a model reading for contract violations humans normalize away.

