A breakdown of the three major announcements from Cloudflare Agents Week 2026. Sandboxes reaches GA with persistent dev environments for agents, Durable Object Facets give AI-generated code its own SQLite, and the unified CLI cf brings 3,000 API operations under one roof.
CISA added 7 actively exploited vulnerabilities to the KEV catalog, including a FortiClient EMS SQL injection (CVSS 9.1). The federal deadline is April 16 for Fortinet and April 27 for the remaining six.
A CVSS 9.4 file upload vulnerability in ShowDoc, disclosed in 2020, was first observed being exploited in the wild by VulnCheck Canaries in April 2026. Over 2,000 exposed instances remain, primarily in China.
Bryan Cantrill's 'The Peril of Laziness Lost' argues that LLMs have zero cost to write code and no motivation to abstract. Humans must serve as the 'deletion engine' or systems will bloat endlessly.
I tested local Vision LLMs (Gemma 3, Qwen2.5-VL, Llama 3.2 Vision, Gemma 4) to see if they could look at character illustrations and pixel art and generate RPG-style stats in JSON format.
A paper claims that a single binary operator eml(x, y) = exp(x) - ln(y) combined with the constant 1 can express all elementary functions — arithmetic, trig, logarithms, even pi. I read the paper and tested it in 5 languages.
Claude Code Max 5x promises '5x Pro,' but the baseline is undisclosed. Usage is shown only as percentages. A silent TTL change and 1.5-hour quota depletion expose the opacity of Anthropic's quota system.
Foundry Local is a local AI runtime that embeds into apps via package managers as a ~20MB native library. Built on ONNX Runtime with automatic GPU/NPU selection, it runs Phi, Qwen, Mistral and more offline through an OpenAI-compatible API.
colleague.skill, yourself-skill, nuwa-skill and other 'human distillation' OSS tools are exploding in popularity, primarily in China. Seeing a tool that distills colleagues, I wondered 'what if I distilled myself?' and researched how.
CVE-2026-40175: unrelated to the March supply-chain compromise. axios's config merge picked up tainted Object.prototype values and passed them through as HTTP headers without CRLF validation, chaining to SSRF. Fixed in 1.15.0.
UC Berkeley's RDI team demonstrated that major benchmarks including SWE-bench and WebArena can be manipulated to near-perfect scores without completing any tasks. They identified 7 vulnerability patterns and released BenchJack, an automated benchmark attack tool.
Anthropic's Claude Cowork moves from research preview to general availability, adding RBAC, group spend caps, usage analytics, OpenTelemetry support, Zoom MCP connector, and per-tool access control.