Most security failures are not zero-days. They are basics that stayed broken for years.
What I measured (real crawl)
- Total domains scanned: ~1290+
- HTTP-only candidates found: 71
- Verified real businesses: 32
- Critical: admin/login surfaces reachable over plain HTTP: 19 sites
If your login is served over HTTP, credentials can be observed/modified in transit. No exploit chain needed.
What I built (radical transparency)
I run two boring-but-deadly automations:
1) A Europe crawler that flags HTTP-only business websites and records contact + tech signals.
2) A daily CVE radar that:
- pulls fresh CVEs + references
- extracts the parts I actually need for patch review
- stores everything as markdown so I can diff day-to-day
Today's radar highlighted WordPress ecosystem issues including: CVE-2026-9104, CVE-2026-9018, CVE-2026-7509.
My take (controversial)
Transport security is still the floor.
Teams argue about AI agents, supply chain, and advanced threats while their admin panels are still reachable over HTTP.
If you're a developer or site owner
- Force HTTPS everywhere (redirect + HSTS)
- Confirm admin/login endpoints are HTTPS-only
- Re-test after every CDN / reverse proxy / hosting change
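As an added example (not code from the original post or the crawler it describes), here is the kind of check the three points above call for: given the captured responses for a login URL fetched over http:// and over https://, classify whether plain HTTP is answered, redirected to HTTPS, and pinned with HSTS. `Response`, `parse_hsts`, `assess_login`, the 180-day HSTS threshold and the `shop.example` sample captures are all constructed here.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into {"max-age": int, "includesubdomains": bool}."""
    out = {"max-age": 0, "includesubdomains": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            out["max-age"] = int(val.strip())
        elif name.lower() == "includesubdomains":
            out["includesubdomains"] = True
    return out

def assess_login(http: Response, https: Optional[Response],
                 min_hsts: int = 15552000) -> Tuple[str, str]:
    """Return (severity, reason) for a login URL fetched over http:// and https://."""
    # 1. The plain-HTTP request must be redirected to an https:// location, never answered.
    if http.status in (301, 302, 307, 308):
        loc = http.headers.get("location", "")
        if urlsplit(loc).scheme != "https":
            return ("critical", f"plain-HTTP login redirects to a non-HTTPS location: {loc!r}")
    elif http.status == 200:
        return ("critical", "login page served over plain HTTP with no redirect")
    else:
        return ("warn", f"unexpected status {http.status} on plain HTTP")
    # 2. The HTTPS side must pin later requests to HTTPS via HSTS (assumed 180-day minimum).
    if https is None:
        return ("critical", "no HTTPS listener for the login page")
    if (hsts := https.headers.get("strict-transport-security")) is None:
        return ("warn", "redirect in place but no HSTS header; the first request still leaves in clear")
    max_age = parse_hsts(hsts)["max-age"]
    if max_age < min_hsts:
        return ("warn", f"HSTS max-age {max_age} is below {min_hsts}")
    return ("ok", "HTTP redirects to HTTPS and HSTS is set")

# Constructed sample captures for a hypothetical host, not real crawl data.
SAMPLES = {
    "http-only": (Response(200, {"content-type": "text/html"}), None),
    "redirect-only": (Response(301, {"location": "https://shop.example/admin/login"}), Response(200, {})),
    "hardened": (Response(308, {"location": "https://shop.example/admin/login"}),
                 Response(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})),
}
```

Run `assess_login(*SAMPLES["http-only"])` and the other two entries to see the three outcomes; feeding it real captures from your own hosts after a CDN or proxy change is the re-test the last point asks for.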
Created by Ramagiri Tharun