Penetration Testing,
Powered by AI Agents
BugBunny deploys coordinated AI agents to perform reconnaissance, vulnerability discovery, proof-of-concept validation, and automated patch suggestions — continuously and at scale.
Review the target and add notes before launching the audit.
See It In Action
Watch BugBunny Work
From target submission to validated findings — watch a complete autonomous security audit in under two minutes.
Capabilities
Enterprise-Grade Security Automation
Coordinated AI agents that adapt, persist, and validate — just like a real red team.
Automated Reconnaissance
Coordinated AI agents systematically map your attack surface — discovering subdomains, endpoints, and exposed services across your entire infrastructure.
Adaptive Vulnerability Testing
Context-aware testing agents that adapt their methodology to each target, from black-box web application testing to white-box source code analysis.
PoC Validation
Every finding is validated with a working proof-of-concept exploit, eliminating false positives and delivering audit-ready reports with CVSS ratings.
PR Review & Patch Suggestions
BugBunny reviews each Pull Request, identifies exploitable vulnerabilities in the diff, and suggests inline patches — turning every PR into a security gate.
0
CVEs Tracked
0
Public Records
0
Reserved CVEs
0
High / Critical
Track Record
Hall of Fame
BugBunny.ai has identified critical security vulnerabilities in production systems, tracking 89 CVEs across 69 public records and 20 reserved disclosures. These are the same detection capabilities available in your audits.
Vulnerabilities identified in production systems from leading technology companies
CVE-2026-27471
ERPNext Unauthorized Document Access via Missing Validation
BugBunny.ai discovered a critical access control vulnerability in ERPNext, a widely-used open source ERP system. Certain endpoints lacked access validation, allowing unauthorized users to access sensitive business documents including employee records, financial data, and invoices without any authentication.
CVE-2026-22807
vLLM auto_map RCE via Untrusted Dynamic Module Loading
BugBunny.ai discovered a high severity remote code execution vulnerability in vLLM where Hugging Face auto_map dynamic modules are loaded during model resolution without gating on trust_remote_code. This allows arbitrary Python code execution when loading models from untrusted sources.
CVE-2026-21884
React Router SSR XSS in ScrollRestoration
BugBunny.ai discovered a cross-site scripting vulnerability in React Router's ScrollRestoration API during Server-Side Rendering. Unescaped JSON in inline scripts allows arbitrary JavaScript execution when user-controlled data is used in getKey or storageKey props.
CVE-2025-61622
Python RCE via Unguarded Pickle Fallback in pyfory/pyfury
BugBunny.ai identified a critical deserialization issue in Apache Fory's Python modules (pyfory/pyfury) where unsupported object types fall back to Python's unsafe pickle loader. Crafted data streams from untrusted sources force the pickle fallback, enabling arbitrary code execution across affected versions (0.1.0–0.10.3 and 0.12.0–0.12.2).
CVE-2025-58434
Account Takeover (Local & Cloud) - Token Leak
BugBunny.ai discovered a critical vulnerability in flowise.ai that allows complete account takeover through token leakage affecting both local and cloud deployments. This vulnerability enables unauthorized access to user accounts and sensitive data through exposed authentication tokens.
CVE-2025-59057
Stored XSS Vulnerability in React Router
React Router, a widely used routing library in the React ecosystem, is affected by a stored cross-site scripting (XSS) issue under specific input handling conditions. This may allow persistent script execution impacting application users.
CVE-2025-61686
Path Traversal in React Router File Session Storage
BugBunny.ai uncovered a path traversal issue in React Router's file session storage adapter. Crafted session IDs could escape the intended directory and overwrite arbitrary files on the host, impacting any deployment persisting sessions to disk. The maintainers shipped a fix and coordinated disclosure via GitHub Security Advisories.
Latest Discovery: CVE-2026-60077 – Reserved disclosure placeholder
Explore all 89 CVE recordsAll vulnerabilities are discovered through automated AI-powered security testing and reported through responsible disclosure
Workflow
How It Works
Three steps from target definition to validated, audit-ready security findings.
Define Your Target
Provide an authorized domain, IP range, or connect a GitHub repository. BugBunny validates the scope and begins immediately.
Autonomous Agent Deployment
Specialized AI agents work in parallel — reconnaissance, vulnerability scanning, exploit development, and validation run simultaneously.
Validated Findings & Reports
Receive audit-ready reports with verified proof-of-concept exploits, CVSS severity ratings, and step-by-step remediation guidance.
Request a Demo
See BugBunny run against your real security workflow.
Book a walkthrough for your team. We will map your current audit process, show the audit console, and explain which plan fits your targets, repositories, compliance needs, and support model.
Pricing
Simple, usage-based pricing
One flat platform fee, then pay only for the scans you run. Every scan delivers validated findings with proof-of-concept exploits.
> PAY AS YOU GO
Continuous coverage without seat-based pricing
+ usage wallet — pay only for the scans you run
New accounts get $100 in free credit to start
- Pay only for the scans you run
- Full-depth OWASP Top 10 + beyond scanning
- Verified proof-of-concept exploits
- AI follow-ups on any scan
- Custom scan directives & depth control
- GitHub repository integration
- Compliance-ready PDF audit reports
- Email alerts on critical findings
- Priority support
- Chrome extension access
> COMMAND // MILITARY GRADE
Best for enterprises needing unlimited scale & custom SLAs
Military-grade vulnerability detection at scale
White-glove security program — replaces entire pentest teams
Available as a custom contract add-on
Everything in Pay as you go, plus:
- Unlimited audits
- Unlimited AI credits
- Optional Zero Day / Zero Credit policy
- SOC 2, ISO 27001, HIPAA & GDPR-ready reports
- Military-grade detection depth
- Zero-day class vulnerability research
- PR review with inline patch suggestions
- SSO / SAML authentication
- Guaranteed SLAs & uptime
- On-premises deployment option
- RBAC & team management
- Jira, Slack & SIEM integrations
- Dedicated support & onboarding
Secure payments via Stripe · All prices in USD · $100/mo platform fee + usage-based scans · Cancel anytime
Get Started
Ready to Strengthen Your Security Posture?
Deploy autonomous AI agents that continuously test your infrastructure, validate vulnerabilities with working exploits, and deliver audit-ready findings.
Launch Audit Console$100/mo platform fee, then pay only for the scans you run · Enterprise plans available · Only test authorized targets