
SnailSploit Banner

SnailSploit · Kai Aizen

Same attack. Different substrate.

Website · The Jailbreak Chef · LinkedIn · X

Linux Kernel · CVEs · GHSA · Hakin9 · NVD


Independent offensive security researcher. I break production systems — Linux kernel, Kubernetes, container runtimes, OSS libraries, and the LLMs increasingly woven through them — then publish the methodology. Frameworks for structured adversarial-AI red teaming. Tooling for systematic vulnerability discovery. Books and articles for the human layer.

Creator of AATMF / P.R.O.M.P.T / SEF · Author of Adversarial Minds · Hakin9 contributing author · Linux kernel contributor


Linux Kernel Contributions

Five mainline-merged patches across networking, IPC, Bluetooth, RDMA, and io_uring — reviewed and accepted through the standard kernel maintainer process into Linus's tree.

| Subsystem | Vulnerability | Status |
|---|---|---|
| io_uring/zcrx | user_ref race → double-free → OOB write | Mainline 7.0-rc1 · stable backports 6.18.16 + 6.19.6 |
| net/tipc | tipc_mon_peer_up UAF vs bearer teardown | Mainline |
| Bluetooth | hci_conn UAF in create_big_sync / create_big_complete | Mainline |
| RDMA/ionic | Unbounded node_desc sysfs read via %.64s | Mainline |
| net/rtnetlink | ifla_vf_broadcast stack infoleak (zero init missing) | Mainline |

All patches on lore.kernel.org →


AI Security Research

Original research — published at snailsploit.com, Hakin9 Magazine, and Medium.

| Research | Summary |
|---|---|
| Self-Replicating Memory Worm | Adversarial self-replicating prompt that survives across sessions and propagates via long-term memory writes — the AI-worm primitive applied to persistent agent state. |
| Memory Injection Through Nested Skills | Novel persistence chain — skill injection + memory poisoning = self-healing autonomous implant. Validated against DVWA and Juice Shop in agent harness. |
| ChatGPT Canvas DNS Exfiltration | DNS exfiltration via rendered Canvas content — triggers lookups without outbound HTTP. |
| ChatGPT Sandbox: Pickle RCE + DNS Chain | Pickle deserialization RCE chained with DNS exfil to break out of the Code Interpreter sandbox. |
| MCP vs A2A Attack Surface | Comparative threat model: where Model Context Protocol and Agent-to-Agent diverge in trust boundaries. |
| The 30% Blind Spot — LLM Safety Judges | Empirical study showing LLM-as-judge safety classifiers miss ~30% of adversarial output classes. |
| Adversarial Prompting: Complete Guide | End-to-end methodology covering direct, indirect, multi-turn, and agentic prompt injection. |

Frameworks & Tooling

| Project | Description |
|---|---|
| AATMF v3.1 | Adversarial AI Threat Modeling Framework — 15 tactics, 240+ techniques, 2,150+ procedures. Mapped to NIST AI RMF and MITRE ATLAS. |
| AATMF Red Teaming Toolkit | Python CLI for systematic LLM safety testing — three-layer eval pipeline, defense fingerprinting, decay tracking, attack chain planning. |
| LLM Red Teamer's Playbook | Diagnostic methodology for bypassing LLM defense layers — input filters → alignment → identity → output → agentic trust. |
| Claude-Red | Curated offensive security skills library for the Claude skills system — 38 SKILL.md files spanning SQLi, shellcode, EDR evasion, exploit dev. |

Offensive Tools

| Tool | Description |
|---|---|
| Burp MCP Toolkit | MCP security analysis for Burp Suite — prompt injection and tool poisoning testing via Model Context Protocol. |
| SnailHunter | AI-powered bug bounty automation — LLM analysis combined with traditional security scanning. |
| KubeRoast | Red-team Kubernetes misconfiguration & attack-path scanner. |
| Xposure | Autonomous credential intelligence platform for attack-surface recon. |
| SnailSploit Recon | Chrome MV3 extension — passive recon, security headers, IP intel, CPE→CVE enrichment. |
| SnailPath | Async directory & route discovery — HTTP/2, soft-404 suppression, JS/sourcemap mining. |
| ZenFlood | Low-bandwidth stress testing — modernized Slowloris. |
| SnailObfuscator | Structurally-aware code obfuscation engine. |
| Awesome-Snail-OSINT | Curated OSINT resource collection for offensive recon. |

CVEs

Sorted by blast radius — shared infrastructure first, single-vendor plugins last.

Container & Cluster Infrastructure

| CVE | Target | Type | Severity |
|---|---|---|---|
| CVE-2026-3288 | Kubernetes ingress-nginx | Config injection → RCE | High (8.8) |

Apache Foundation

| CVE | Target | Type | Severity |
|---|---|---|---|
| CVE-2026-30911 | Apache Airflow Core | Missing authentication | High (8.1) |
| CVE-2026-32794 | Apache Airflow (Databricks provider) | TLS verification bypass | Medium (4.8) |

Cross-Language OSS

| CVE | Target | Lang | Type | Severity |
|---|---|---|---|---|
| CVE-2026-31899 | CairoSVG | Python | Exponential DoS — recursive amplification | High (7.5) |
| CVE-2026-32809 | ouch-org/ouch | Rust | Symlink escape — arbitrary file overwrite | High (7.4) |
| CVE-2026-33693 | activitypub-federation-rust | Rust | SSRF — 0.0.0.0 bypass in fediverse federation | Medium (6.5) |
| CVE-2026-32885 | ddev/ddev | Go | ZipSlip — path traversal in archive extraction | Medium (6.5) |

WordPress Plugin Ecosystem

| CVE | Target | Type | Severity |
|---|---|---|---|
| CVE-2026-3596 | Riaxe Product Customizer | Privilege escalation | Critical (9.8) |
| CVE-2026-1313 | MimeTypes Link Icons | SSRF | High (8.3) |
| CVE-2026-3599 | Riaxe Product Customizer | SQL injection | High (7.5) |
| CVE-2025-9776 | CatFolders | SQL injection via CSV import | Medium (6.5) |
| CVE-2025-12163 | OmniPress | Stored XSS | Medium (6.4) |
| CVE-2026-2717 | HTTP Headers | CRLF injection | Medium (5.5) |
| CVE-2026-0811 | Advanced CF7 DB | CSRF | Medium (5.4) |
| CVE-2026-1314 | 3D FlipBook | Missing authentication | Medium (5.3) |
| CVE-2026-3594 | Riaxe Product Customizer | Information disclosure | Medium (5.3) |
| CVE-2026-3595 | Riaxe Product Customizer | Unauthenticated user deletion | Medium (5.3) |
| CVE-2025-11171 | Chartify | Missing authentication | Medium (5.3) |
| CVE-2025-11174 | Document Library Lite | Unauth info disclosure | Medium (5.3) |
| CVE-2026-0814 | Advanced CF7 DB | Missing authentication | Medium (4.3) |
| CVE-2025-12030 | ACF to REST API | IDOR | Medium (4.3) |
| CVE-2026-1208 | Welcart Friendly Functions | CSRF → settings update | Medium (4.3) |

Plus: TelSender — stored XSS that resulted in vendor-side plugin removal.


Security Advisories

| Advisory | Target | Type | Severity |
|---|---|---|---|
| GHSA-j425-whc4-4jgc | OpenClaw | system.run env override RCE — allowlist bypass via GIT_SSH_COMMAND, editor hooks, GIT_CONFIG_* | Medium (6.3) |

Source-Tree Contributions

| Project | Contribution | Status |
|---|---|---|
| concourse/concourse#9486 | Symlink breakout fix | Merged in v8.1.1 |

Read the research · Hire / Collaborate

Pinned repositories

1. AATMF-Adversarial-AI-Threat-Modeling-Framework (Public): AATMF | An Open Source - Adversarial AI Threat Modeling Framework. (YARA · 13 · 3)

2. ChatGPT-DNS-Exfill (Public): This repository documents a controlled research experiment that demonstrates how DNS lookups triggered by rendered content can be used to exfiltrate data. The technique leverages the browser's auto… (1)

3. KubeRoast_v1 (Public): From-scratch, red-team–oriented Kubernetes misconfiguration & attack-path scanner. Fast, readable, and opinionated toward real-world escalation paths. (Python · 2)

4. Xposure (Public): Fully autonomous credential intelligence platform that discovers, extracts, correlates, verifies, and reports exposed secrets across your target's entire attack surface. (Python · 3)

5. The-LLM-Red-Teamer-s-Playbook (Public): A diagnostic methodology for bypassing LLM defense layers — from input filters to persistent memory exploitation. (25 · 5)

6. SnailSploit_Recon_extension (Public): SnailSploit Recon is a passive collector. It silently captures everything as you browse — scripts, API calls, forms, headers, cookies, redirects — and correlates them into prioritized attack leads … (JavaScript · 1)