https://enismaholli.com https://enismaholli.com/blog/hidden-injection-cloud A vulnerability in Gemini Cloud Assist allowed invisible Unicode prompt injection combined with unsafe HTML rendering. Hidden instructions embedded in normal-looking text could execute automatically, causing the browser to exfiltrate cloud project data, IAM roles, and environment details Mon, 16 Feb 2026 00:00:00 GMT https://enismaholli.com/blog/hidden-ascii This post shows how invisible Unicode characters (U+E0020–U+E007F) can be used to inject hidden instructions into text, causing AI models to respond in unexpected ways. Using the ASCII Smuggler tool, I demonstrated how a simple word like “Hey” or a job title like “Pentester” could carry invisible prompts that change an AI model’s response Sun, 29 Jun 2025 00:00:00 GMT https://enismaholli.com/blog/nextcloud-account-takeover A high-severity vulnerability in Nextcloud’s sharing system allowed low-privileged users to bypass restrictions, share external storage, and steal victims’ JWT tokens, enabling account takeover. Sat, 28 Jun 2025 00:00:00 GMT https://enismaholli.com/blog/nextcloud-notes We discovered a vulnerability that allowed any authenticated user to access and manipulate notes of other users by exploiting folder-sharing functionality. Thu, 26 Jun 2025 00:00:00 GMT https://enismaholli.com/blog/nextcloud We discovered a critical vulnerability in Nextcloud’s Workflow Engine that allowed any authenticated user to achieve remote code execution Sat, 21 Jun 2025 00:00:00 GMT