MAD Bugs: Month of AI-Discovered Bugs

What? We’re here to uncover the most interesting security bugs and exploits with AI, exploring what’s possible when your pair top models with human expertise.

Between now and the end of April 2026, we’ll be dropping what we find on this blog and in our repo.

Findings

2026-03-30: Vim tabpanel modeline RCE affects Vim < 9.2.0272 (blog, PoC)
2026-03-30: GNU Emacs: Multiple Remote Code Execution Vectors on File Open (blog, PoC)

Blog posts: https://blog.calif.io/t/madbugs

PoCs and artifacts: https://github.com/califio/publications/tree/main/MADBugs

#nojs-banner { position: fixed; bottom: 0; left: 0; padding: 16px 16px 16px 32px; width: 100%; box-sizing: border-box; background: red; color: white; font-family: -apple-system, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 13px; line-height: 13px; } #nojs-banner a { color: inherit; text-decoration: underline; } This site requires JavaScript to run correctly. Please turn on JavaScript or unblock scripts

Calif

MAD Bugs: Month of AI-Discovered Bugs