snailsploit[$]
kai aizen
independent
2026.05

same attack.
different substrate.

I break production systems — Linux kernel, Kubernetes, container runtimes, OSS libraries, and the LLMs increasingly woven through them — then publish the methodology. Frameworks for structured adversarial-AI red teaming. Tooling for systematic vulnerability discovery. Books and articles for the human layer.
Linux Kernel · 5 mainline patches
CVEs · 23 published
GHSA · 2 advisories
Hakin9 · Contributing author
MITRE/NVD · Contributor
site · snailsploit.com
jailbreakChef · thejailbreakchef.com
linkedin · linkedin.com/in/kaiaizen
x · x.com/SnailSploit
github · github.com/SnailSploit
01 · about
about.
kai aizen · 2026
role
independent offensive security researcher
scope
linux kernel · k8s · container runtimes · oss · llms
frameworks
AATMF · P.R.O.M.P.T · SEF
author
Adversarial Minds · Hakin9 contributing
contributor
MITRE / NVD · Linux kernel mainline
02 · ai security research
ai security research.
published at snailsploit.com, hakin9 magazine, medium.
Self-Replicating Memory Worm: adversarial self-replicating prompt that survives across sessions and propagates via long-term memory writes. The AI-worm primitive applied to persistent agent state.
Memory Injection Through Nested Skills: skill injection + memory poisoning = self-healing autonomous implant. Validated against DVWA and Juice Shop in an agent harness.
ChatGPT Canvas DNS Exfiltration: DNS exfiltration via rendered Canvas content. Triggers lookups without outbound HTTP.
ChatGPT Sandbox: Pickle RCE + DNS Chain: pickle deserialization RCE chained with DNS exfil to break out of the Code Interpreter sandbox.
MCP vs A2A Attack Surface: comparative threat model of where Model Context Protocol and Agent-to-Agent diverge in trust boundaries.
The 30% Blind Spot (LLM Safety Judges): empirical study showing LLM-as-judge safety classifiers miss ~30% of adversarial output classes.
Adversarial Prompting: Complete Guide: end-to-end methodology covering direct, indirect, multi-turn, and agentic prompt injection.
03 · frameworks
frameworks & tooling.
AATMF v3.1: Adversarial AI Threat Modeling Framework. 15 tactics, 240+ techniques, 2,150+ procedures. Mapped to NIST AI RMF and MITRE ATLAS.
AATMF Red Teaming Toolkit: Python CLI for systematic LLM safety testing. Three-layer eval pipeline, defense fingerprinting, decay tracking, attack chain planning.
LLM Red Teamer's Playbook: diagnostic methodology for bypassing LLM defense layers, in order: input filters → alignment → identity → output → agentic trust.
Claude-Red: curated offensive security skills library for the Claude skills system. 38 SKILL.md files spanning SQLi, shellcode, EDR evasion, exploit dev.
04 · offensive tools
offensive tools.
MCP security analysis for Burp Suite — prompt injection and tool poisoning testing via Model Context Protocol.
AI-powered bug bounty automation — LLM analysis combined with traditional security scanning.
Red-team Kubernetes misconfiguration & attack-path scanner.
Autonomous credential intelligence platform for attack-surface recon.
Chrome MV3 extension — passive recon, security headers, IP intel, CPE→CVE enrichment.
Async directory & route discovery — HTTP/2, soft-404 suppression, JS/sourcemap mining.
Low-bandwidth stress testing — modernized Slowloris.
Structurally-aware code obfuscation engine.
Curated OSINT resource collection for offensive recon.
05 · linux kernel
5 mainline patches · merged via standard maintainer process
kernel contributions.
io_uring/zcrx · user_ref race → double-free → OOB write · Mainline 7.0-rc1 · backports 6.18.16 + 6.19.6
net/tipc · tipc_mon_peer_up UAF vs bearer teardown · Mainline
Bluetooth · hci_conn UAF in create_big_sync / create_big_complete · Mainline
RDMA/ionic · Unbounded node_desc sysfs read via %.64s · Mainline
net/rtnetlink · ifla_vf_broadcast stack infoleak (zero init missing) · Mainline
06 · cves
23 cves disclosed.
sorted by blast radius
container & cluster infrastructure (1)
CVE-2026-3288 · Kubernetes ingress-nginx · Config injection → RCE · 8.8 high

apache foundation (2)
CVE-2026-30911 · Apache Airflow Core · Missing authentication · 8.1 high
CVE-2026-32794 · Apache Airflow (Databricks provider) · TLS verification bypass · 4.8 med

cross-language oss (5)
CVE-2026-43884 · WWBN/AVideo (PHP) · SSRF: HTTP redirect & DNS rebinding bypass · 7.7 high
CVE-2026-31899 · CairoSVG (Python) · Exponential DoS: recursive amplification · 7.5 high
CVE-2026-32809 · ouch-org/ouch (Rust) · Symlink escape: arbitrary file overwrite · 7.4 high
CVE-2026-33693 · activitypub-federation-rust (Rust) · SSRF: 0.0.0.0 bypass in fediverse federation · 6.5 med
CVE-2026-32885 · ddev/ddev (Go) · ZipSlip: path traversal in archive extraction · 6.5 med

wordpress plugin ecosystem (15)
CVE-2026-3596 · Riaxe Product Customizer · Privilege escalation · 9.8 crit
CVE-2026-1313 · MimeTypes Link Icons · SSRF · 8.3 high
CVE-2026-3599 · Riaxe Product Customizer · SQL injection · 7.5 high
CVE-2025-9776 · CatFolders · SQL injection via CSV import · 6.5 med
CVE-2025-12163 · OmniPress · Stored XSS · 6.4 med
CVE-2026-2717 · HTTP Headers · CRLF injection · 5.5 med
CVE-2026-0811 · Advanced CF7 DB · CSRF · 5.4 med
CVE-2026-1314 · 3D FlipBook · Missing authentication · 5.3 med
CVE-2026-3594 · Riaxe Product Customizer · Information disclosure · 5.3 med
CVE-2026-3595 · Riaxe Product Customizer · Unauthenticated user deletion · 5.3 med
CVE-2025-11171 · Chartify · Missing authentication · 5.3 med
CVE-2025-11174 · Document Library Lite · Unauthenticated information disclosure · 5.3 med
CVE-2026-0814 · Advanced CF7 DB · Missing authentication · 4.3 med
CVE-2025-12030 · ACF to REST API · IDOR · 4.3 med
CVE-2026-1208 · Welcart Friendly Functions · CSRF → settings update · 4.3 med
Plus: TelSender — stored XSS that resulted in vendor-side plugin removal.
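The AVideo (CVE-2026-43884) and activitypub-federation-rust (CVE-2026-33693) entries above, and the AVideo advisory in the next section, name three ways a server-side URL guard fails: a 0.0.0.0 literal that no RFC1918/loopback denylist lists (on Linux it connects to the local host), an HTTP redirect the guard never sees because it only checked the first URL, and DNS rebinding between the check and the connect. The following is an added example, not AVideo's isSSRFSafeURL() nor the Rust crate's code: a naive guard with exactly those gaps beside a hardened one that checks every resolved address, pins the address it returns, and re-validates every redirect hop. The DNS table, resolver, fetcher, host names and routes are constructed stand-ins so it runs offline.

```python
"""Added example, not AVideo's isSSRFSafeURL() nor the fediverse crate's code.
An egress-URL check in the naive form the three bypasses defeat, beside a
hardened one. DNS and HTTP are constructed stand-ins so it runs offline."""
import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed DNS table. The rebinding name answers public first, internal next.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "rebind.attacker.test": ["8.8.8.8", "169.254.169.254"],
}


def make_fake_resolver(table):
    """Returns resolve(host) -> [ip str]; answers rotate per lookup (rebinding)."""
    counts = {}

    def resolve(host):
        answers = table.get(host)
        if not answers:
            raise OSError(f"NXDOMAIN {host}")
        i = counts.get(host, 0)
        counts[host] = i + 1
        return [answers[min(i, len(answers) - 1)]]
    return resolve


NAIVE_DENYLIST = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_safe_url_naive(url, resolve):
    """Weak form: one lookup, first answer only, RFC1918/loopback denylist.
    Misses 0.0.0.0 (reaches localhost on Linux), 169.254.169.254, IPv6-mapped
    loopback, and never sees what a redirect or a second lookup resolves to."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = ipaddress.ip_address(resolve(host)[0])
    return not any(ip in net for net in NAIVE_DENYLIST)


def is_internal(ip):
    """True for any address a server-side fetcher must never connect to."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is judged as 127.0.0.1
    return (ip.is_unspecified or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip in ipaddress.ip_network("0.0.0.0/8"))


def resolve_pinned(url, resolve):
    """Hardened check. Validates the scheme and every resolved address (not
    just the first), then returns the address to connect to so the caller
    pins it: the HTTP client must not resolve the name a second time."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"refused scheme/host: {url}")
    host = parsed.hostname
    try:
        ips = [ipaddress.ip_address(host)]
    except ValueError:
        ips = [ipaddress.ip_address(a) for a in resolve(host)]
    for ip in ips:
        if is_internal(ip):
            raise ValueError(f"refused: {host} resolves to internal {ip}")
    return host, str(ips[0])


def make_fake_fetcher(routes):
    """Constructed HTTP stand-in: fetch(host, ip, url) -> (status, body_or_location)."""
    return lambda host, ip, url: routes.get(url, (404, ""))


def fetch_following_redirects(url, fetch, resolve, max_hops=3):
    """Re-validates every hop: a 3xx to an internal Location is refused instead
    of being followed by the client after only the first URL passed the check."""
    for _ in range(max_hops + 1):
        host, ip = resolve_pinned(url, resolve)
        status, payload = fetch(host, ip, url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, payload)
            continue
        return payload
    raise ValueError("too many redirects")
```

In a real fetcher the pinned address goes into the socket connect (or the client's host-to-IP override) while the original host name stays in the Host/SNI fields; letting the client re-resolve the name reopens the rebinding window.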
07 · advisories
security advisories.
GHSA-2hch-c97c-g99x · 7.7 high · WWBN/AVideo
SSRF Protection Bypass via HTTP Redirect & DNS Rebinding in isSSRFSafeURL() (CVE-2026-43884)
GHSA-j425-whc4-4jgc · 6.3 med · OpenClaw
system.run env override RCE: allowlist bypass via GIT_SSH_COMMAND, editor hooks, GIT_CONFIG_*
Four further advisories (med) pending publication; GHSA IDs not yet public.
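The OpenClaw advisory above describes the pattern where a command runner allowlists the executable name but forwards caller-supplied environment variables, so an allowlisted git invocation still runs arbitrary code through GIT_SSH_COMMAND, the editor hooks, or GIT_CONFIG_* config injection. The following is an added example, not OpenClaw's own code: a minimal "run allowlisted binary" helper in the weak form beside a hardened form. The allowlist, the helper names, the fixed base environment and the sample requests are hypothetical; the variable names come from git(1)'s documented environment.

```python
"""Added example, not OpenClaw's own code: a "run only allowlisted binaries"
helper in the weak form that env override defeats, beside a hardened form.
The allowlist, helper names, FIXED_ENV and sample requests are hypothetical."""
import fnmatch
import os
import shlex
import subprocess

ALLOWED_BINARIES = {"git", "ls"}

# Variables that make git (or a helper it spawns) execute a caller-chosen
# program even though argv[0] passed the allowlist. From git(1)'s documented
# environment; the advisory names the GIT_SSH_COMMAND, editor-hook and
# GIT_CONFIG_* families.
DANGEROUS_ENV = (
    "GIT_SSH", "GIT_SSH_COMMAND", "GIT_PROXY_COMMAND", "GIT_ASKPASS", "SSH_ASKPASS",
    "GIT_EDITOR", "GIT_SEQUENCE_EDITOR", "EDITOR", "VISUAL",      # editor hooks
    "GIT_PAGER", "PAGER", "GIT_EXTERNAL_DIFF",
    "GIT_CONFIG_*",                      # GIT_CONFIG_COUNT/_KEY_n/_VALUE_n inject any config key
    "GIT_EXEC_PATH", "GIT_TEMPLATE_DIR",  # swap git's own helper binaries / seed hooks
    "HOME", "XDG_CONFIG_HOME",           # redirect ~/.gitconfig (core.sshCommand, core.editor)
    "PATH", "LD_PRELOAD", "LD_LIBRARY_PATH",
)

# The only environment the child sees in the hardened form (hypothetical values).
FIXED_ENV = {"PATH": "/usr/bin:/bin", "HOME": "/nonexistent", "LANG": "C.UTF-8"}

# git global options that are env override by another route:
# `git -c core.sshCommand=... ls-remote` is equivalent to setting GIT_SSH_COMMAND.
REFUSED_GIT_GLOBAL_OPTS = ("-c", "--config-env", "--exec-path")


def _argv0_allowed(argv):
    return bool(argv) and os.path.basename(argv[0]) in ALLOWED_BINARIES


def plan_vulnerable(cmdline, caller_env):
    """Weak form: allowlists the binary name, then lets the caller's env win
    over the host env. Returns the (argv, env) it would hand to subprocess."""
    argv = shlex.split(cmdline)
    if not _argv0_allowed(argv):
        raise PermissionError(f"not allowlisted: {argv[:1]}")
    return argv, {**os.environ, **caller_env}


def is_dangerous_env_key(key):
    return any(fnmatch.fnmatchcase(key, pat) for pat in DANGEROUS_ENV)


def _git_global_opts(argv):
    """Options between `git` and the subcommand; they stop at the first non-dash arg."""
    opts = []
    for arg in argv[1:]:
        if not arg.startswith("-"):
            break
        opts.append(arg)
    return opts


def plan_hardened(cmdline, caller_env):
    """Hardened form: same allowlist, but dangerous env keys are refused rather
    than silently dropped, the surviving keys sit under a fixed base env (so
    PATH/HOME cannot be overridden even on name collision), and git's
    argv-side equivalents of env override are refused too."""
    argv = shlex.split(cmdline)
    if not _argv0_allowed(argv):
        raise PermissionError(f"not allowlisted: {argv[:1]}")
    bad = sorted(k for k in caller_env if is_dangerous_env_key(k))
    if bad:
        raise PermissionError(f"env override refused: {bad}")
    if os.path.basename(argv[0]) == "git":
        for opt in _git_global_opts(argv):
            if opt.split("=", 1)[0] in REFUSED_GIT_GLOBAL_OPTS:
                raise PermissionError(f"git global option refused: {opt}")
    return argv, {**caller_env, **FIXED_ENV}


def run(plan):
    """Executes a plan and returns the exit status; pair with plan_hardened."""
    argv, env = plan
    return subprocess.run(argv, env=env, capture_output=True, text=True).returncode


if __name__ == "__main__":
    print(run(plan_hardened("ls /", {"FOO": "1"})))
```

Refusing instead of stripping matters for agent harnesses: a silently dropped GIT_SSH_COMMAND hides a probe, while a refusal is a log line. The fixed base environment also has to be applied after the caller's keys, otherwise a caller-supplied PATH or HOME that slipped past the pattern list would still win the merge.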