What it is
Striga describes itself as source-code auditing built on artificial intelligence. Its public site says audits use full-codebase context, combine machine-learning and static-analysis layers, assess exploitability, generate proof-of-concept payloads, and keep a human reviewer in the loop.
For Bugflation, the important scope is narrower: Striga has public CVE material and research write-ups in which Striga itself, a Striga scan, or a security assessment using Striga appears in the discovery story.
What is verified
The current ledger indexes CVE-2026-23918, the Apache HTTP Server HTTP/2 double-free and possible RCE fixed in 2.4.67. Apache and the oss-security posting directly credit Bartlomiej Dmitruk, striga.ai, as one of the finders. Striga’s own CVE page lists the Apache httpd CVE with high severity.
Striga’s May 6, 2026 Apache write-up strengthens the entry. It says Striga surfaced the bug during open-source research on Apache httpd 2.4.66, that the end-to-end scan ran on open-weights models, and that the compute cost was under $100. The write-up also describes the mod_http2 double-push root cause, a worker-crash trigger, and a lab RCE chain that assumes known system() and scoreboard addresses.
That makes the entry stronger, but the attribution label still matters. Apache’s advisory confirms a Striga-affiliated finder; Striga supplies the platform workflow and cost claim. The ledger therefore treats the Apache entry as self-reported AI attribution, corroborated by upstream vulnerability records.
Striga’s broader public footprint is also relevant context. The Striga CVE page lists CVEs across Apache httpd, Ollama, pac4j, and Apache Tomcat. Separate Striga research posts explicitly describe a Striga scan or assessment surfacing issues in axios, Mattermost Desktop, Apache Tomcat, and Ollama. Bugflation keeps those as context here rather than rolling them into the Apache entry.
What is held out
The under-$100 Apache httpd compute-cost claim is now public in Striga’s own write-up. Bugflation records it as first-party evidence, not independent cost verification. No Apache, NVD, or third-party source reviewed for this profile audits the compute bill.
Bugflation also does not treat every CVE on Striga’s public CVE page as an indexed finding automatically. Individual entries need their own public source trail, affected codebase, severity, and attribution label.
Why it matters
Striga is another signal that AI-assisted vulnerability discovery is moving into mainstream open-source infrastructure. The public evidence spans server software, developer tooling, desktop clients, and update paths, with several high-severity CVEs and detailed write-ups.
The Apache httpd credit is especially useful because it comes from the upstream project’s security advisory trail. It strengthens the Striga profile while still leaving the exact platform role honestly labeled.
Sources
- Striga homepage
- Striga CVE list
- Striga: Less than $100 of compute surfaces pre-auth RCE in Apache httpd
- Apache HTTP Server 2.4 vulnerabilities
- oss-security: CVE-2026-23918 Apache HTTP Server
- NVD: CVE-2026-23918
- Striga: Taking Down axios with a Single JSON Key
- Striga: The Help Button That Steals Your NTLM Hash
- Striga: Tomcat Tribes unauthenticated RCE
- Striga: Ollama Windows auto-update RCE