appsec.fyi

Weekly Changelog

578 new resources added across 25 topics this week.

Apr 12 — Apr 19, 2026

Recon +45

Date        Resource
2026-04-19  The 2026 State of Attack Surface Management — ProjectDiscovery
2026-04-19  The Ultimate Guide to Attack Surface Management Tools in 2025
2026-04-19  Top 10 Attack Surface Management Tools for 2026 — Intruder
2026-04-19  12 Attack Surface Management Tools to Know in 2026
2026-04-19  SubFinder: Automating Subdomain Enumeration for Bug Bounty in 2025
2026-04-17  Bug Bounty Recon: Perform Faster Port Scan (Rootsploit)
2026-04-17  Naabu Zero to Hero Guide (Cyber Aryan)
2026-04-17  Mastering Network Scanning: Nmap and Masscan Guide
2026-04-17  Naabu Cheat Sheet: Commands & Examples (HighOn.Coffee)
2026-04-17  naabu: Fast Go port scanner (ProjectDiscovery)
2026-04-17  Recon series #4: Port scanning methods (YesWeHack)
2026-04-17  bountyRecon: Bash automation for bug bounty recon
2026-04-17  JSFScan.sh: JavaScript recon automation (KathanP19)
2026-04-17  Reconky: Content discovery bash script
2026-04-17  Bug-Bounty-Automation: Bash recon (Retr0-45809)
2026-04-17  Recon-Script: automation with Nuclei (s1d6point7bugcrowd)
2026-04-17  Bug-Bounty-Recon-Automation shell script (Amangupta1234)
2026-04-17  The Ultimate Guide to Finding Bugs With Nuclei (ProjectDiscovery)
2026-04-17  The Ultimate Recon Arsenal: 25+ Commands for Bug Bounty Workflow
2026-04-17  xpfarm: Automated bug bounty & recon framework (GitHub)
2026-04-17  Automate Your Nuclei Recon Pipeline with VPN + Discord Alerts
2026-04-17  Advanced Recon: Taking Your Subdomain Discovery to the Next Level
2026-04-17  GitHub dorking for beginners: find more vulnerabilities (Intigriti)
2026-04-17  google-dorks-bug-bounty (TakSec, GitHub)
2026-04-17  How I Found Sensitive Information using GitHub Dorks (Part 3)
2026-04-17  The Ultimate Subdomain Recon Playbook
2026-04-17  Complete Guide to Amass Tool (2025 Edition)
2026-04-17  Mastering Passive Reconnaissance for Bug Bounty and Pentesting
2026-04-17  How to Use Recon-ng Tool for OSINT and Bug Bounty
2026-04-17  Mastering OSINT for Bug Bounty: Advanced Deep Recon
2026-04-17  Mastering Passive Information Gathering: Extensive OSINT Guide
2026-04-17  Google Dorking Mastery: From Passive OSINT to Bug Bounty
2026-04-17  9 Attack Surface Monitoring Tools in 2026 (SentinelOne)
2026-04-17  Recon Methodology: Subdomain Enumeration
2026-04-17  Recon Guide: Subdomain Enumeration
2026-04-17  Bug-Bounty-recon: Automated recon framework (GitHub)
2026-04-17  Subdomain enumeration: expand attack surface with active, passive methods
2026-04-16  Passive Reconnaissance Using OSINT
2026-04-16  From Recon to Sensitive Key Exposure Using Nuclei
2026-04-16  reconFTW: Automated Recon Tool
2026-04-16  A Deep Dive on Katana Field Extraction
2026-04-16  Subdomain Takeover in 2025: New Methods and Tools
2026-04-16  My Complete Recon Workflow for Bug Bounty Hunting (2025)
2026-04-16  Internet-Wide Recon: Moving Past IP-Centric Approaches
2026-04-16  The Art of Recon: Strategies for Modern Asset Discovery

SSTI +40

Date        Resource
2026-04-19  Inj3ctlab — SSTI Bug Bounty Labs Writeup
2026-04-19  Server-Side Template Injection — Bug Bounty 2k25
2026-04-19  What is SSTI in Flask/Jinja2? — Payatu
2026-04-19  PayloadsAllTheThings — SSTI README
2026-04-19  Find and Exploit Server-Side Template Injection — TCM Security
2026-04-17  Active Exploitation of Confluence CVE-2022-26134 (Rapid7)
2026-04-17  Atlassian Confluence Widget Connector Macro SSTI (ExploitDB)
2026-04-17  SSTItoXSS: Exploiting SSTI to bypass WAF/XSS Filter
2026-04-17  SSTI (The Hacker Recipes)
2026-04-17  Exploiting CVE-2021-25770: SSTI in YouTrack (Synacktiv)
2026-04-17  SSTI in Freemarker (Akto)
2026-04-17  Ruby ERB Template Injection (TrustedSec)
2026-04-17  PayloadsAllTheThings: SSTI Ruby payloads
2026-04-17  Code Execution via SSTI Ruby ERB (Invicti)
2026-04-17  ruby-ssti: example Ruby ERB app vulnerable to SSTI
2026-04-17  Exploring SSTI in Flask/Jinja2 (nVisium)
2026-04-17  Setting Up a Vulnerable SSTI Lab: A Hands-On Guide
2026-04-17  SSTI in Flask/Jinja2 (IndominusByte)
2026-04-17  tplmap-python3: Python3 port (GitHub)
2026-04-17  Tplmap - Tool For Automatic SSTI Exploitation (GeeksforGeeks)
2026-04-17  Lab: SSTI in an unknown language with documented exploit
2026-04-17  PayloadsAllTheThings - SSTI JavaScript engines
2026-04-17  HackerOne Report #423541: H1514 Server Side Template Injection
2026-04-17  A Simple Flask (Jinja2) SSTI Example (Kleiber)
2026-04-17  Strapi Security Disclosure: Multi-CVE SSTI chain
2026-04-17  Bug Bytes #124: SSTI to RCE in Go apps (Intigriti)
2026-04-17  Top 25 RCE Bug Bounty Reports (Cristian Cornea)
2026-04-17  What is Server-Side Template Injection? (Indusface)
2026-04-17  Mastering SSTI Exploitation: Executing Commands in Popular Templating Engines
2026-04-17  SSTI: Advanced Exploitation Techniques (BootstrapSecurity)
2026-04-17  Jinja2 template injection filter bypasses (0day.work)
2026-04-17  Jinja2/Flask SSTI Filter bypass (MRLSECURITY)
2026-04-17  SSTI - Server-side template injection with a custom exploit (Scott Murray)
2026-04-17  picoCTF 2025: SSTI2 Exploitation Writeup
2026-04-17  picoCTF 2025: SSTI Challenge Writeup
2026-04-16  SSTI: RCE for the Modern Web App - Black Hat 2015
2026-04-16  Server Side Template Injection - Payloads All The Things
2026-04-16  Practical Exploitation of SSTI in Flask with Jinja2
2026-04-16  SSTI Explained with Real Code Examples - Xygeni
2026-04-16  Deep Dive into SSTI: Finding and Exploiting Like a Pro

JWT +38

Date        Resource
2026-04-19  CVE-2025-45768: PyJWT Information Disclosure Vulnerability
2026-04-19  How JWT Libraries Block Algorithm Confusion: Code Review Lessons
2026-04-19  JSON Web Token Attacks and Vulnerabilities — Acunetix
2026-04-19  Security of JSON Web Tokens (JWT) — Cyber Polygon
2026-04-19  Analyzing Broken User Authentication Threats to JWTs — Akamai
2026-04-17  JWT Token Lifecycle: Expiration, Refresh, and Revocation
2026-04-17  python-jwt token forgery CVE-2022-39227
2026-04-17  CVE-2024-53861: PyJWT Issuer Field Partial Match
2026-04-17  Python-JOSE Security Risk: CVE-2024-33663 Explained
2026-04-17  JWT Bomb in Python-JOSE CVE-2024-33664
2026-04-17  JWT Pentest Book (six2dez)
2026-04-17  JWT Pentest Checklist (Cyber Frogy)
2026-04-17  JWT Pentest Checklist v1.0 (Chintan Gurjar)
2026-04-17  HackerOne #1210502: Jitsi Authentication Bypass (JWT)
2026-04-17  HackerOne #2472798: Newspack Extended Access JWT bypass
2026-04-17  JSON Web Token Vulnerabilities (0xn3va cheat sheet)
2026-04-17  JWT Forgery via unvalidated jku parameter (Invicti)
2026-04-17  jwt-hack: JSON Web Token Hack Toolkit (GitHub)
2026-04-17  Insecure JSON Web Tokens (The Hacker Recipes)
2026-04-17  Hacking JSON Web Tokens - Vickie Li
2026-04-17  Known Exploits and Attacks (jwt_tool Wiki)
2026-04-17  JWT Security Best Practices for 2025 (JWT.app)
2026-04-17  JWT Security Best Practices (Phase Two)
2026-04-17  JWT Security Guide: Best Practices & Implementation (Gupta Deepak)
2026-04-17  JWT authentication bypass via kid header path traversal (siunam)
2026-04-17  JWT authentication bypass via algorithm confusion (siunam)
2026-04-17  ctf-jwt-token: Vulnerability in early JWT node.js library (GitHub)
2026-04-17  JWT Authentication Bypass Using alg:none - CTF Writeup
2026-04-17  JWT Algorithm Confusion Attack: Two Active CVEs in 2026
2026-04-17  JWT Algorithm Confusion: Turning RS256 Tokens into HS256 Disasters
2026-04-17  CVE-2026-29000: pac4j-jwt Authentication Bypass
2026-04-17  Understanding JWT Security and Common Vulnerabilities (secops)
2026-04-17  JWT Security in 2025: Critical Vulnerabilities for B2B SaaS
2026-04-17  JWT Vulnerabilities: Complete Testing Guide (IntelligenceX)
2026-04-17  JWT Vulnerabilities List: 2026 Security Risks & Mitigation Guide (Red Sentry)
2026-04-16  JWT Header Parameter Injections
2026-04-16  CVE-2026-29000: Authentication Bypass in pac4j-jwt
2026-04-16  JWT Algorithm Confusion Attacks: CVE-2026-22817 Fix Guide

GraphQL +35

Date        Resource
2026-04-19  PayloadsAllTheThings — GraphQL Injection
2026-04-19  Approaching GraphQL End Points — Bug Bounty Notes
2026-04-19  DoS via Mutation Aliasing in GraphQL — HackerOne Disclosure
2026-04-19  GraphQL API Vulnerabilities Learning Path — PortSwigger
2026-04-19  GraphQL Introspection Security: Lessons from the Parse Server Vulnerability
2026-04-17  Hasura GraphQL 1.3.3 Local File Read via SQL Injection
2026-04-17  Discovering GraphQL endpoints and SQLi vulnerabilities
2026-04-17  HackerOne Report #435066: SQL injection in GraphQL endpoint
2026-04-17  Prisma and PostgreSQL vulnerable to NoSQL injection? (Aikido)
2026-04-17  GraphQL Security: 9 Best Practices to Protect Your API (Escape)
2026-04-17  Authorization in GraphQL (Apollo)
2026-04-17  9 Ways To Secure your GraphQL API - Apollo Checklist
2026-04-17  Enforcing GraphQL security best practices with GraphOS
2026-04-17  Apollo Authentication and Authorization Docs
2026-04-17  Securing GraphQL API endpoints using rate limits and depth limits (LogRocket)
2026-04-17  Cyclic Queries and Depth Limiting (Escape)
2026-04-17  IDOR Vulnerability In GraphQL Api On inmobi.com
2026-04-17  Exploiting GraphQL: Complete Guide for Bug Bounty Hunters
2026-04-17  Exploiting GraphQL for fun and bounties (BugBase)
2026-04-17  GraphQL for Bug Bounty (Mudhalai Mr)
2026-04-17  GraphQL IDOR leads to information disclosure (Eshan Singh)
2026-04-17  Bug Bounty: BAC in GraphQL (10 Major Vulns - Cloverleaf)
2026-04-17  Exploiting GraphQL for Penetration Testing (Raxis)
2026-04-17  OWASP WSTG: Testing GraphQL
2026-04-17  Exploiting GraphQL Vulnerabilities: Misconfig to Data Leaks
2026-04-16  BatchQL: GraphQL Security Auditing for Batch Attacks
2026-04-16  InQL: Advanced GraphQL Security Testing Burp Extension
2026-04-16  Exploiting CSRF in GraphQL Applications
2026-04-16  GraphQL Vulnerabilities Cheat Sheet
2026-04-16  Exploiting GraphQL (Assetnote Research)
2026-04-16  GraphQL Discovery: Pentesting 101 Guide
2026-04-16  GraphQL Pentesting: Beginner's Guide to Advanced
2026-04-16  The Complete GraphQL Security Guide: Fixing the 13 Most Common Vulnerabilities
2026-04-16  Abusing GraphQL Introspection: A Gateway for Recon and Exploitation
2026-04-16  Exploiting GraphQL: A Full-Spectrum Security Assessment

OSINT +35

Date        Resource
2026-04-19  OSINT Framework: How to Build a Custom Maltego Transform
2026-04-19  Top 10 OSINT Tools, Products & Solutions — SocialLinks
2026-04-19  How to Use OSINT for Investigations — Moody's
2026-04-19  OSINT Industries — Online Investigations Platform
2026-04-19  OSINT Tools Security Analysts Should Know for 2025
2026-04-17  Geolocation 101: image-based OSINT tips
2026-04-17  Image Analysis and Geolocation with OSINT (OSINT Combine)
2026-04-17  spiderfoot: OSINT automation for threat intel (GitHub)
2026-04-17  OSINT Framework: The Ultimate Guide for Ethical Hackers
2026-04-17  Spiderfoot vs Maltego for OSINT Research Cases
2026-04-17  Operational Technology Discovery: ICS OSINT
2026-04-17  Beyond Google: Navigating the Hidden Internet with Shodan and Censys
2026-04-17  Comparative review: Shodan, ZoomEye, Netlas, Censys, FOFA
2026-04-17  OSINT Gathering Using Censys (Hackers Arise)
2026-04-17  Top 5 OSINT Sources for Pentesting and Bug Bounties (Intel 471)
2026-04-17  sarenka: OSINT tool (Shodan/Censys) (GitHub)
2026-04-17  Domain and IP Investigation with OSINT: Complete Guide (OSINTBench)
2026-04-17  OSINT Techniques & Tools (Imperva)
2026-04-17  Top OSINT Tools For Dark Web (Brandefense)
2026-04-17  OSINT Basics: What is Dark Web Intelligence (DARKInt)?
2026-04-17  Top 15 OSINT Tools in 2025 (OSINT BYLE)
2026-04-17  OSINT 2025: New and updated digital investigative tools
2026-04-17  How to Use the OSINT Framework: Sources, Tools, Steps (BitSight)
2026-04-17  OSINT Tools And Techniques (Neotas)
2026-04-17  Complete OSINT Guide 2025: Find Anyone Online
2026-04-16  I Participated in a Trace Labs CTF - Now I'm Hooked on OSINT
2026-04-16  Recon Village - OSINT and Reconnaissance Village at DEF CON 33
2026-04-16  A Beginner's Guide to OSINT Investigation with Maltego
2026-04-16  Social Media Intelligence (SOCMINT) in Modern Investigations
2026-04-16  OSINT Challenge in 30: Social Media Geolocation
2026-04-16  Trace Labs OSINT Educational Series
2026-04-16  OSINT Investigation Techniques for Missing Person Cases (Trace Labs)
2026-04-16  Automated OSINT Techniques for Digital Asset Discovery and Cyber Risk Assessment
2026-04-16  Awesome OSINT - A Curated List of OSINT Resources
2026-04-16  OSINT Techniques: Complete List for Investigators

IDOR +34

Date        Resource
2026-04-19  IDOR Vulnerability Exploitation Guide — RedfoxSec
2026-04-19  Bykea: IDOR on In-App Hardcoded Zombie — HackerOne
2026-04-19  IDOR Vulnerability — HackerOne Report 2633771
2026-04-19  Top 235 IDOR Bug Bounty Reports
2026-04-17  From Reset to Takeover: IDOR in Password Recovery Systems
2026-04-17  IDOR on Password Change to Full Account Takeover
2026-04-17  Vulnlab: IDOR Writeup (Ikhlasdansantai)
2026-04-17  Critical IDOR Vulnerability Leads to User Information Disclosure
2026-04-17  API1:2019 - Broken object level authorization
2026-04-17  A Beginner's Guide to IDOR Testing Methodology
2026-04-17  Maximizing IDOR Detection with Burp Suite's Autorize
2026-04-17  Manual and semi-automated testing for IDORs using Burp Suite
2026-04-17  Testing for IDORs (PortSwigger Burp docs)
2026-04-17  Account Takeover via IDOR (Deteact)
2026-04-17  IDOR Vulnerability Explained: Why IDOR Persists (Aikido)
2026-04-17  How I Found a Critical IDOR Leading to Full Account Takeover
2026-04-17  Exploiting IDOR Vulnerabilities: Prevent Account Takeover
2026-04-17  A Journey from IDOR to Account Takeover (Payatu)
2026-04-17  Tackling IDOR on UUID based objects (PenTester Nepal)
2026-04-17  How an IDOR Vulnerability Led to User Profile Modification (HackerOne)
2026-04-17  IDOR: Admin-to-Owner Account Takeover via Password Reset (StudioCMS)
2026-04-17  Exploiting UUIDs in Account Takeover: Pentester's Guide
2026-04-17  Top 25 IDOR Bug Bounty Reports (Cristian Cornea)
2026-04-17  Day 39: IDOR report - How to write a good bounty write-up
2026-04-16  Chamilo LMS IDOR Leads to Admin Privileges (CVE-2026-40291)
2026-04-16  IDOR Vulnerabilities Explained: A Researcher's Guide to Authorization Flaws
2026-04-16  From IDOR to Account Takeover (ATO)
2026-04-16  IDOR: A Tale of Account Takeover
2026-04-16  IDOR Vulnerability Detection Through HTTP Traffic Analysis
2026-04-16  Broken Access Control: Advanced IDOR Exploitation
2026-04-16  IDOR Hunting with Burp Suite: A $1,000 Bug Bounty Case Study
2026-04-16  How to Find IDORs Like a Pro
2026-04-16  Top HackerOne IDOR Reports
2026-04-16  IDOR Vulnerabilities Masterclass: Complete Guide from Fundamentals to Advanced Exploitation

Supply Chain +34

Date        Resource
2026-04-19  Shai-Hulud: A Persistent Secret Leaking Campaign — GitGuardian
2026-04-19  Defending Against npm Supply Chain Attacks — Splunk
2026-04-19  Multiple Supply Chain Attacks against npm Packages — Red Hat
2026-04-19  Shai-Hulud Malware: Second-Wave npm Supply Chain Attack
2026-04-19  CISA: Widespread Supply Chain Compromise Impacting npm Ecosystem
2026-04-17  Closing the Chain: How to reduce SolarWinds/Log4j/XZ risk (arXiv)
2026-04-17  SolarWinds Supply Chain Attack (Fortinet)
2026-04-17  ossf/malicious-packages: Reports of malicious open source packages
2026-04-17  5 Examples of Dependency Confusion Attacks (Spectral)
2026-04-17  What Is a Dependency Confusion Attack? (Aqua Security)
2026-04-17  Defender's Perspective: Dep Confusion and Typosquatting (SLSA)
2026-04-17  SBOMs in 2026: Some Love, Some Hate, Much Ambivalence
2026-04-17  Software Bill of Materials (SBOM) (CISA)
2026-04-17  About SLSA (spec v1.2)
2026-04-17  What is a Software Bill of Materials (SBOM)? (Snyk)
2026-04-17  SBOM Literature Review (arXiv)
2026-04-17  SBOM + SLSA: Accelerating SBOM success with SLSA
2026-04-17  SLSA - Comprehensive Approach to Supply Chain Security (SBOM Observer)
2026-04-17  Understanding SBOM: Transparency & Security in Supply Chains (Cycode)
2026-04-17  What We Know About the NPM Supply Chain Attack (Trend Micro)
2026-04-17  New Supply Chain Malware Operation Hits npm and PyPI
2026-04-17  npm Supply Chain Attack: Debug, Chalk + 16 Packages Compromise (Upwind)
2026-04-17  Malicious PyPI, npm, Ruby Packages Exposed (The Hacker News)
2026-04-17  A Closer Look at Software Supply Chain Attacks 2025 (Xygeni)
2026-04-16  Learnings from Recent npm Supply Chain Compromises - Datadog
2026-04-16  Inside the Axios Supply Chain Compromise - Elastic Security Labs
2026-04-16  Lockfile Poisoning: Introducing Malware in Supply Chain - SafeDep
2026-04-16  Shai-Hulud 2.0: Most Aggressive NPM Supply Chain Attack of 2025 - Check Point
2026-04-16  Supply Chain Security: Sigstore and Cosign - GitGuardian
2026-04-16  GuardDog: CLI Tool to Identify Malicious PyPI and npm Packages
2026-04-16  tj-actions Supply Chain Attack (CVE-2025-30066) - Sysdig
2026-04-16  tj-actions/changed-files Compromised - Semgrep
2026-04-16  Most Notable Supply Chain Attacks of 2025 - Kaspersky
2026-04-16  GitHub Actions Supply Chain Attacks: tj-actions and reviewdog - Hunters

Deserialization +32

Date       | Resource
2026-04-19 | IBM webMethods Integration CVE-2025-36072: Deserialization RCE
2026-04-19 | Deserialization Vulnerability — Exploit-DB Paper
2026-04-19 | Cisco ISE Insecure Java Deserialization — Cisco Docs
2026-04-19 | Insecure Deserialization Vulnerabilities — Acunetix
2026-04-19 | Cisco ISE Insecure Java Deserialization (CVE-2025-20124)
2026-04-17 | CVE-2023-34040: Spring-Kafka Java Deserialization
2026-04-17 | Apache Struts vulnerability leads to RCE
2026-04-17 | Jackson deserialization vulnerability exploit (3 gadgets, GitHub)
2026-04-17 | Apache Struts2 Code Execution Exploit (Infopercept)
2026-04-17 | Spring-web Java Deserialization: CVE-2016-1000027 (Contrast)
2026-04-17 | Exploiting Apache Struts: Writing Better Detections (Gigamon)
2026-04-17 | Friday the 13th JSON Attacks (Black Hat)
2026-04-17 | PayloadsAllTheThings: Insecure Deserialization DotNET
2026-04-17 | Basic .Net deserialization ObjectDataProvider gadget (HackTricks)
2026-04-17 | Python-Pickle-RCE-Exploit + vulnerable Flask App (GitHub)
2026-04-17 | SOUR PICKLE: Insecure Deserialization with Python Pickle
2026-04-17 | PayloadsAllTheThings: Insecure Deserialization Python
2026-04-17 | Pickle Code Execution Exploitation (Dhound)
2026-04-17 | Python-socketio: Pickle deserialization RCE advisory
2026-04-17 | Exploiting deserialization in recent Java versions (OWASP Stuttgart)
2026-04-17 | Automated Discovery of Deserialization Gadget Chains (Black Hat)
2026-04-17 | Prevent insecure deserialization attacks (Veracode)
2026-04-17 | Understanding Insecure Deserialization: Risks and Mitigations
2026-04-17 | Bug Bounty Hunting: Insecure Deserialization
2026-04-17 | Insecure Deserialization - Attack Technique (vuln.today)
2026-04-16 | Depickling, Gadgets, and Chains: The Exploit That Unraveled Equifax
2026-04-16 | How to Exploit PHAR Deserialization Vulnerability
2026-04-16 | Insecure Reflection Practices in Java and C#
2026-04-16 | Java Deserialization Tricks - Synacktiv
2026-04-16 | Deep Dive into .NET ViewState Deserialization
2026-04-16 | ViewState Deserialization Zero-Day in Sitecore (CVE-2025-53690)
2026-04-16 | The Art of Hide and Seek: Pickle-Based Model Supply Chain Poisoning

Authentication +32

Date       | Resource
2026-04-19 | Bypassing MFA with OAuth Abuse: Pentesting SSO Flows
2026-04-19 | SSO Protocol Security: Critical Vulnerabilities in SAML, OAuth, OIDC, JWT (2025)
2026-04-19 | The Art of Breaking OAuth: Real-World Exploits and Misuses
2026-04-19 | OAuth2-Proxy Authentication Bypass (CVE-2025-54576)
2026-04-19 | OAuth SSO WordPress Plugin JWT Bypass (CVE-2025-9485)
2026-04-17 | WebAuthn: Complete Guide to Passwordless, FIDO2, Passkeys (TerraZone)
2026-04-17 | What is WebAuthn Standard? Guide to WebAuthn Protocol & API
2026-04-17 | Navigating the New Wave of MFA Bypass Attacks in 2025
2026-04-17 | Broken authentication: 7 Advanced ways of bypassing 2-FA (Intigriti)
2026-04-17 | Vulnerabilities in multi-factor authentication (PortSwigger)
2026-04-17 | Two-Factor Authentication (2FA): Bypass Scenarios (DeepStrike)
2026-04-17 | Hacking SAML - Vickie Li
2026-04-17 | SSO Bypass: How Attackers Circumvent Single Sign-On (Obsidian)
2026-04-17 | CVE-2020-2021 PAN-OS: Authentication Bypass in SAML
2026-04-17 | HackerOne Report #812064: SAML authentication bypass (Rocket.Chat)
2026-04-17 | SAML Security (OWASP Cheat Sheet)
2026-04-17 | Fun with SAML SSO vulnerabilities and footguns (WorkOS)
2026-04-17 | OAuth 2.0 Common Security Flaws and Prevention (APIsec)
2026-04-17 | Top 10 OAuth 2.0 Hacking Techniques Part 2
2026-04-17 | Vulnerable-OAuth-2.0-Applications (GitHub)
2026-04-17 | OAuth Vulnerabilities Part II (Bug Bounty 2k25)
2026-04-17 | Bug-Bounty-Methodology: 2FA testing
2026-04-17 | Bug Bounty: Authentication Testing - Brute Force to Bypass
2026-04-17 | HackerOne Report #209008: Authentication Bypass - Automattic
2026-04-17 | Web Security Bug Bounty: Bypassing Authentication via Logical Flaw
2026-04-16 | This OAuth Bug Earned Me $$$$: Account Takeover via Identity Injection
2026-04-16 | Session Management Vulnerabilities: What Developers Get Wrong
2026-04-16 | Bypassing the Protections: MFA Bypass Techniques
2026-04-16 | Session Hijacking in 2025: Techniques, Attack Examples and Defenses
2026-04-16 | The $12,000 2FA Bypass - So Simple, Yet So Critical
2026-04-16 | Race Condition Authentication Bypass: Full Account Takeover
2026-04-16 | Token-Based Attacks: How Attackers Bypass MFA

Secrets +31

Date       | Resource
2026-04-19 | Compromised IAM Credentials Power Large AWS Crypto Mining Campaign
2026-04-19 | Pre-Commit Hooks for Secret Detection: Setup in 10 Minutes
2026-04-19 | Understanding Your Organization's Exposure to Secret Leaks — GitHub
2026-04-19 | Exposed Developer Secrets Surge: AI Drives 34% Increase in 2025
2026-04-19 | GitHub Found 39M Secret Leaks in 2024 — The GitHub Blog
2026-04-17 | Non-human identities: What they are and how to secure them (Netwrix)
2026-04-17 | Top non-human identity (NHI) platforms of 2025 (Doppler)
2026-04-17 | What Are Non-Human Identities? Complete NHI Security Guide 2025
2026-04-17 | TruffleHog: Deep Dive on Secret Management (Jit)
2026-04-17 | TruffleHog Open Source v3 vs GitGuardian
2026-04-17 | git-secret-scanner: Find secrets with TruffleHog & Gitleaks
2026-04-17 | Gitleaks vs TruffleHog 2026 Benchmarks (AppSec Santa)
2026-04-17 | Rafter: detect-secrets vs gitleaks vs TruffleHog
2026-04-17 | SEC02-BP03 Store and use secrets securely (AWS Well-Architected)
2026-04-17 | AWS Secrets Manager: Secure Credential Storage & Best Practices
2026-04-17 | Practical steps to minimize key exposure using AWS Security (AWS)
2026-04-17 | AWS API Keys / Secrets / Tokens Exposure Remediation
2026-04-17 | Integrating HashiCorp Vault with Kubernetes for Secrets Mgmt
2026-04-17 | HashiCorp Vault Kubernetes: The Definitive Guide (Plural)
2026-04-17 | A Hands-On Guide to Vault in Kubernetes
2026-04-17 | Securing Kubernetes Secrets with HashiCorp Vault (InfraCloud)
2026-04-17 | Manage Kubernetes native secrets with Vault Secrets Operator
2026-04-17 | Secret detection (GitLab Docs)
2026-04-17 | Find secrets with GitHub secret risk assessment
2026-04-17 | About secret scanning (GitHub Docs)
2026-04-16 | Do Not Use Secrets in Environment Variables
2026-04-16 | Environment Variables Don't Keep Secrets
2026-04-16 | From .env to Leakage: Mishandling of Secrets by Coding Agents
2026-04-16 | Secret Detection in Application Security
2026-04-16 | 29 Million Leaked Secrets: How AI Coding Tools Are Making It Worse
2026-04-16 | The State of Secrets Sprawl 2026 - GitGuardian Annual Report

SSRF +24

Date       | Resource
2026-04-19 | CVE-2025-61882 Explained: The Oracle Zero-Day Breach
2026-04-19 | Oracle EBS CVE-2025-61882: Pre-auth SSRF Leads to RCE
2026-04-19 | Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882
2026-04-19 | Oracle E-Business Suite Zero-Day Exploited — Google Cloud
2026-04-19 | Server-Side Request Forgery (SSRF) — Practical Guide
2026-04-18 | Funny how the more you fuck around, the more you find out. Do you see an id? Mess around with it. Can't find the private IP where the HTTP client is running? Send a nonexistent host to leak it and enum from there. #bugbountytips #SSRF pic.x.com/t0HhOXupGQ
2026-04-17 | Profile picture upload → SSRF → Port scan → Unauthenticated admin panel → Mass PII disclosure. The simplest entry points often hide the biggest impact. medium.com/@sagardhoot56/… #bugbounty #hacking #ssrf #ethicalhacking #infosec
2026-04-17 | Angular patches a critical 8.7 SSRF flaw in @angular/platform-server. Attackers can hijack SSR origins via URL normalization. Patch v19, v20, or v21 now! #Angular #CyberSecurity #SSRF #WebDev #InfoSec #SSR #VulnerabilityAlert securityonline.info/angular-platfo… pic.x.com/8EAUEBNxnf
2026-04-16 | Bypassing SSRF Filters Using r3dir
2026-04-16 | The Limitations of Secure SSRF Patches: Advanced Bypasses
2026-04-16 | DNS Rebinding Attacks Against SSRF Protections
2026-04-16 | Cloud Metadata Dictionary Useful for SSRF Testing
2026-04-16 | PayloadsAllTheThings: Server Side Request Forgery
2026-04-16 | Cloud SSRF Exploitation
2026-04-16 | Learning SSRF for Fun and Bounties
2026-04-16 | SSRF Vulnerability on Major Gaming Company (Wiz Bug Bounty)
2026-04-16 | Five Bounties, One Bug: Exploiting the Same SSRF via Five Unique Techniques
2026-04-16 | 🚨 CRITICAL VULNERABILITY (CVSS 10.0) in Axios JS library! CVE-2026-40175 is an SSRF flaw that can lead to RCE and full cloud compromise. PoC is public. If you use Axios, update to v1.13.2 NOW! 🌐 #SupplyChain #RCE #SSRF cyber.netsecops.io/articles/critisvm
2026-04-15 | Most hunters skip SSRF because "it's hard to find." That's exactly why it pays. Look for: → URL/IP params → Webhooks & PDF generators → Anything the server fetches. The server becomes your proxy. Internal infra = your target. Hunt smarter. #BugBounty #SSRF pic.x.com/W1hHTiDo5CC
2026-04-15 | Inside PostHog: How SSRF, a ClickHouse SQL Escaping 0day, and Default PostgreSQL Credentials Formed an RCE Chain (ZDI-25-099, ZDI-25-097, ZDI-25-096) #PostHog #RCEChain #SSRF #SQLInjection #Zeroday mehmetince.net/inside-posthog
2026-04-15 | 6/6 Key takeaways: - Screenshot/render services = SSRF launchers - window.env in public JS = internal network map - Visual SSRF needs no text reflection: measure the image size - Always escalate to internal hostnames, not just localhost #BugBounty #SSRF #InfoSec #WebSecurity
2026-04-14 | Found an SSRF vulnerability that allowed access to the admin panel and deletion of a user account. StockAPI → Burp Intruder → Admin URL → Deleted user account (carlos) #SSRF #WebSecurityAcademy #Portswigger #Lab #Vulnerability pic.x.com/EiIMQEUyxQ
2026-04-14 | Axios CVE-2025-62718 allows a critical NO_PROXY bypass via hostname normalization errors. Protect your internal network from SSRF: patch or normalize today! #AxiosVulnerability #CyberSecurity #SSRF #InfoSec #NodeJS #WebDev securityonline.info/axios-no-proxy… pic.x.com/U8wtJItO2r
2026-04-13 | Warning: Critical Path Traversal in the OpenAPIProvider in #FastMCP. CVE-2026-32871 CVSS(4.0): 10. The vulnerability results in an authenticated #SSRF. github.com/advisories/GHS… #Patch #Patch #Patch

XSS +16

Date       | Resource
2026-04-19 | Bypassing Signature-Based XSS Filters: Modifying HTML
2026-04-19 | XSS Bypass Techniques — Cyber Gita
2026-04-19 | Advanced XSS Filter Bypass Methods Using Payload Splitting
2026-04-19 | XSS Payload Bypass Technique: A Practical Guide
2026-04-19 | Intigriti July 2025 XSS Challenge — Jorian Woltjer
2026-04-17 | Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow (https://ift.tt/ufEgtyJ)
2026-04-16 | Prototype Pollution Primer for Pentesters and Programmers
2026-04-16 | Bypassing DOMPurify with Good Old XML
2026-04-16 | Exploring the DOMPurify Library: Bypasses and Fixes
2026-04-16 | Content Security Policy Bypass Techniques Collection
2026-04-16 | CSPBypass: Tool to Bypass Content Security Policies
2026-04-16 | PayloadsAllTheThings: XSS Injection Cheat Sheet
2026-04-16 | Advanced XSS Exploitation: Bypassing CSP and DOM Sanitization
2026-04-16 | CVE-2025-63418: Weaponizing the Browser Console - DOM-based XSS Deep Dive
2026-04-16 | bypassXSS: A Curated Collection of Advanced XSS Bypass Techniques
2026-04-16 | Cross-Site Scripting (XSS) Practical CTF Guide

Mobile +15

Date       | Resource
2026-04-19 | Zero-Day Vulnerabilities in Apple WebKit — CSA Singapore
2026-04-19 | Update Apple Devices: Actively Exploited CVE-2025-14174 & CVE-2025-43529
2026-04-19 | CVE-2025-14174: Apple WebKit Memory Corruption Zero-Day
2026-04-19 | Two Serious Vulnerabilities in Latest Android Security Update
2026-04-19 | LANDFALL: New Commercial-Grade Android Spyware (CVE-2025-21042)
2026-04-16 | Awesome Android Reverse Engineering: Curated List
2026-04-16 | Android App Reverse Engineering 101
2026-04-16 | Exploiting Android Fingerprint Authentication
2026-04-16 | Android Keystore Pitfalls and Best Practices
2026-04-16 | Frida's Impact on Mobile Security and How to Fight Back
2026-04-16 | From an Android Hook to RCE: $5000 Bounty
2026-04-16 | iOS Reverse Engineering: Defeating Anti-Debug and Extracting Hidden Flag
2026-04-16 | DarkSword iOS Exploit Chain Adopted by Multiple Threat Actors - Google
2026-04-16 | Inside DarkSword: A New iOS Exploit Kit - iVerify
2026-04-16 | DarkSword iOS Exploit Kit: 6 Flaws and 3 Zero-Days for Full Takeover

API Security +15

Date       | Resource
2026-04-19 | BOLA API Attack & Prevention — StackHawk
2026-04-19 | Broken Object-Level Authorization (BOLA): What It Is and How to Prevent It
2026-04-19 | OWASP Top 10 API Security Risks and How to Mitigate Them — Pynt
2026-04-19 | OWASP Top 10 2025: Latest Changes and Enhancements
2026-04-19 | OWASP API Security Top 10 Vulnerabilities — 2025
2026-04-16 | MCP Access Control: OPA vs Cedar - Natoma
2026-04-16 | Stateful REST API Fuzzing with RESTler
2026-04-16 | Inside Modern API Attacks: 2026 API ThreatStats Report - Wallarm
2026-04-16 | OWASP API Security Testing Framework
2026-04-16 | Kong API Gateway Misconfigurations Case Study - Trend Micro
2026-04-16 | API Security Testing: Tools and Techniques - API7.ai
2026-04-16 | BOLA and BFLA: The API Vulnerabilities That Silently Expose Data
2026-04-16 | API Penetration Testing: Complete Guide
2026-04-16 | How to Protect APIs from OWASP Authorization Risks: BOLA, BOPLA and BFLA - 42Crunch
2026-04-16 | Securing the Gates: Mastering BOLA and BFLA in API Security

AI +15

Date       | Resource
2026-04-19 | MCP Tool Poisoning — How It Works & How To Fight It
2026-04-19 | Model Context Protocol Has Prompt Injection Security Problems
2026-04-19 | Vulnerability of LLMs to Prompt Injection in Medical Advice — JAMA
2026-04-19 | Prompt Injection Attack Against LLM-Integrated Applications — arXiv
2026-04-19 | Prompt Injection Attacks in LLMs and AI Agent Systems: A Comprehensive Review
2026-04-16 | Bypassing LLM Guardrails: Evasion Attacks against Prompt Injection Detection
2026-04-16 | EchoGram: Bypassing AI Guardrails via Token Flip Attacks - HiddenLayer
2026-04-16 | MCP Security: Tool Poisoning Attacks - Invariant Labs
2026-04-16 | Poison Everywhere: No Output from Your MCP Server Is Safe - CyberArk
2026-04-16 | The Embedded Threat in Your LLM: Poisoning RAG Pipelines
2026-04-16 | EchoLeak: First Real-World Zero-Click Prompt Injection Exploit
2026-04-16 | When LLMs Autonomously Attack - CMU Research
2026-04-16 | The Dark Side of LLMs: Agent-based Attacks for Complete Computer Takeover
2026-04-16 | MCP Tools: Attack Vectors and Defense Recommendations - Elastic Security Labs
2026-04-16 | MCP Safety Audit: LLMs with MCP Allow Major Security Exploits

AuthZ +15

Date       | Resource
2026-04-19 | Broken Access Control: The Quiet Killer in Web Applications
2026-04-19 | OWASP Top 10 2025: IAAA Failures TryHackMe Writeup
2026-04-19 | Broken Access Control: The Silent Web Vulnerability
2026-04-19 | Broken Access Control: The 40% Surge in 2025
2026-04-19 | OWASP Top 10 2025 — A01 Broken Access Control
2026-04-16 | Enhancing OAuth 2.0 Security with PKCE: Deep Dive
2026-04-16 | Attacks via OAuth Authorization Code Injection
2026-04-16 | Security Benchmarking Authorization Policy Engines: Rego, Cedar, OpenFGA
2026-04-16 | Privilege Escalation by JWT Token Manipulation
2026-04-16 | JWTs Under the Microscope: Exploiting Auth Weaknesses - Traceable
2026-04-16 | Privilege Escalation via IDOR and ACL Bypass in SaaS
2026-04-16 | Organization Takeover via Privilege Escalation (IDOR)
2026-04-16 | Horizontal Privilege Escalation via IDOR
2026-04-16 | Fine-Grained Authorization: Technical Guide for Microservices
2026-04-16 | RBAC vs ABAC vs ReBAC: How to Choose Access Control Models

Burp Suite +15

Date       | Resource
2026-04-19 | Pentest-Mapper: Burp Extension for Pentesters & Bug Bounty
2026-04-19 | Burp Suite Extension: Copy For — Black Hills InfoSec
2026-04-19 | Burp AI — PortSwigger
2026-04-19 | Pentest Mapper: Burp Extension for Application Pentesting
2026-04-19 | Pentest Mapper — PortSwigger BApp Store
2026-04-16 | Burp Suite Professional Testing Handbook
2026-04-16 | Bambdas Collection for Burp Suite Professional and Community
2026-04-16 | Turbo Intruder: Embracing the Billion-Request Attack
2026-04-16 | BurpSuite for Pentester - Vulnerability Hunting Cheatsheet
2026-04-16 | Weaponize Your Burp - Bug Bounty Hunting Automation
2026-04-16 | Smart Automation with Burp Suite - YesWeHack
2026-04-16 | A Guide to Build Burp Suite Extensions Using Montoya API and Java
2026-04-16 | Power Up Pen Tests: Create Burp Suite Extensions with Montoya API
2026-04-16 | Burp Suite Extensions - Overview and Introduction with Kotlin
2026-04-16 | Creating Burp Extensions: A Beginner's Guide - Black Hills InfoSec

SQLi +15

Date       | Resource
2026-04-19 | Unauthenticated SQL Injection in GUI — Fortinet PSIRT
2026-04-19 | CVE-2025-1094 WebSocket and SQL Injection Exploit Script
2026-04-19 | CVE-2025-1094: PostgreSQL psql SQL Injection (Fixed) — Rapid7
2026-04-19 | PostgreSQL CVE-2025-1094: Quoting APIs SQL Injection
2026-04-19 | CVE-2025-26794: Blind SQL Injection in Exim 4.98 — Writeup
2026-04-16 | SQLMap Cheat Sheet: Commands, Options, and Advanced Features
2026-04-16 | Identifying SQL Injections in a GraphQL API
2026-04-16 | SQL Injection Cheat Sheet - Invicti
2026-04-16 | Exploiting Time-Based SQL Injections: Data Exfiltration
2026-04-16 | Second-Order SQL Injection with Stored Procedures and DNS-Based Egress
2026-04-16 | When the Database Won't Talk: A Deep Dive into Blind SQLi
2026-04-16 | Advanced Boolean-Based SQLi Filter Bypass Techniques
2026-04-16 | WAF Bypass Techniques for SQL Injection
2026-04-16 | Exploiting Second-Order SQL Injection to Retrieve the Flag
2026-04-16 | Exploiting SQL Injection Vulnerability - Bug Bounty Writeup

XXE +15

Date       | Resource
2026-04-19 | IBM Business Automation Workflow XXE (CVE-2025-13096)
2026-04-19 | XXE Vulnerability Guide 2025: How XML Attacks Still Threaten
2026-04-19 | XXE Injection in langchain-community (CVE-2025-6984)
2026-04-19 | Critical Apache Tika CVE-2025-66516: XXE Vulnerability
2026-04-19 | XXE in GeoServer WFS Service (CVE-2025-30220)
2026-04-16 | XXElixir: Tool for Testing XXE via XLSX File Upload Poisoning
2026-04-16 | Exploiting XXE via File Uploads (SVG, XLSX, DOCX)
2026-04-16 | XXE-OOB-Exfiltrator: Multi-line Content Exfiltration via External DTD
2026-04-16 | Blind XXE Attacks: Out of Band Interaction Techniques to Exfiltrate Data
2026-04-16 | Exploiting Out-Of-Band XXE on Wildfire
2026-04-16 | Out-of-Band XML External Entity (OOB XXE)
2026-04-16 | Top HackerOne XXE Reports
2026-04-16 | How to Find XXE Bugs: Severe, Missed, and Misunderstood
2026-04-16 | A Deep Dive Into XXE Injection (Synack)
2026-04-16 | Top 25 XXE Bug Bounty Reports

RCE +14

Date       | Resource
2026-04-19 | CVE-2025-22457: Ivanti Connect Secure VPN Zero-Day RCE
2026-04-19 | Advisory: Actively Exploited Unauthenticated RCE in Ivanti Connect Secure (CVE-2025-0282)
2026-04-19 | Command Injection in Jenkins via Git Parameter (CVE-2025-53652)
2026-04-19 | 0xMarcio/cve: Latest CVEs with PoC Exploits
2026-04-19 | Microsoft WSUS RCE (CVE-2025-59287) Actively Exploited
2026-04-16 | Empirical Study on RCE in ML Model Hosting Ecosystems
2026-04-16 | Method Confusion in Go SSTIs Lead to File Read and RCE
2026-04-16 | SmarterTools SmarterMail Pre-Auth RCE (CVE-2025-52691)
2026-04-16 | Dissecting and Exploiting CVE-2025-62507: RCE in Redis
2026-04-16 | Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)
2026-04-16 | Exploitation Walkthrough - Ivanti Connect Secure RCE (CVE-2025-0282)
2026-04-16 | React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics
2026-04-16 | Remote Code Execution in Ghost CMS (CVE-2026-29053)
2026-04-16 | Ni8mare: Unauthenticated Remote Code Execution in n8n (CVE-2026-21858)

Fuzzing +14

Date | Resource | Summary
2026-04-19 | Generative Fuzzer-Driven Vulnerability Detection in IoT Networks | Generative Fuzzer-Driven Vulnerability Detection in IoT Networks
2026-04-19 | Automating Fuzz Driver Generation for Deep Learning Libraries with LLMs | Automating Fuzz Driver Generation for Deep Learning Libraries with LLMs
2026-04-19 | Fuzz to the Future: Uncovering Occluded Future Vulnerabilities | Fuzz to the Future: Uncovering Occluded Future Vulnerabilities
2026-04-19 | EdgeFuzz: A Middleware-Based Security Testing Tool | EdgeFuzz: A Middleware-Based Security Testing Tool
2026-04-19 | Software Fuzzing: The Cornerstone of Automated Vulnerability Discovery | Software Fuzzing: The Cornerstone of Automated Vulnerability Discovery
2026-04-16 | Fuzzing | Testing Handbook - AppSec Guide | Fuzzing | Testing Handbook - AppSec Guide
2026-04-16 | API Fuzzing for Security Testing: Complete Guide | API Fuzzing for Security Testing: Complete Guide
2026-04-16 | Recent Fuzzing Papers Collection | Recent Fuzzing Papers Collection
2026-04-16 | Awesome-Fuzzing: Curated List of Fuzzing Resources | Awesome-Fuzzing: Curated List of Fuzzing Resources
2026-04-16 | KernelGPT: Enhanced Kernel Fuzzing via LLMs | KernelGPT: Enhanced Kernel Fuzzing via LLMs
2026-04-16 | ksmbd: Fuzzing Improvements and Vulnerability Discovery | ksmbd: Fuzzing Improvements and Vulnerability Discovery
2026-04-16 | AFL++ Fuzzing in Depth | AFL++ Fuzzing in Depth
2026-04-16 | The Fuzzing Book: Generating Software Tests | The Fuzzing Book: Generating Software Tests
2026-04-16 | Fuzzing101: A Step-by-Step Fuzzing Tutorial | Fuzzing101: A Step-by-Step Fuzzing Tutorial

Python +14

Date | Resource | Summary
2026-04-19 | PyPI Supply Chain Attack: Colorama and Colorizr Name Confusion | PyPI Supply Chain Attack: Colorama and Colorizr Name Confusion
2026-04-19 | Compromised LiteLLM PyPI Package Delivers Credential Stealer | Compromised LiteLLM PyPI Package Delivers Credential Stealer
2026-04-19 | LiteLLM PyPI Package Compromised in TeamPCP Supply Chain Attack | LiteLLM PyPI Package Compromised in TeamPCP Supply Chain Attack
2026-04-19 | Malicious PyPI Package — LiteLLM Supply Chain Compromise | Malicious PyPI Package — LiteLLM Supply Chain Compromise
2026-04-19 | The PyPI Supply Chain Attacks of 2025 | The PyPI Supply Chain Attacks of 2025
2026-04-16 | PYPI Security: How to Prevent Supply Chain Attacks in Python Projects | PYPI Security: How to Prevent Supply Chain Attacks in Python Projects
2026-04-16 | Python Tools for Penetration Testers | Python Tools for Penetration Testers
2026-04-16 | Escalating Deserialization Attacks in Python | Escalating Deserialization Attacks in Python
2026-04-16 | Exploiting Python Pickles - David Hamann | Exploiting Python Pickles - David Hamann
2026-04-16 | Attack on Software Supply Chains Using Fake Python Infrastructure | Attack on Software Supply Chains Using Fake Python Infrastructure
2026-04-16 | Defense in Depth: A Practical Guide to Python Supply Chain Security | Defense in Depth: A Practical Guide to Python Supply Chain Security
2026-04-16 | How Python Pickle Deserialization Security Exploit Works | How Python Pickle Deserialization Security Exploit Works
2026-04-16 | Insecure Deserialization in Python: Attack Techniques and Secure Coding | Insecure Deserialization in Python: Attack Techniques and Secure Coding
2026-04-16 | The Complete Guide on Python for Cyber Security | The Complete Guide on Python for Cyber Security

CSRF +12

Date | Resource | Summary
2026-04-19 | CVE-2025-9611: Microsoft Playwright MCP Server CSRF Flaw | CVE-2025-9611: Microsoft Playwright MCP Server CSRF Flaw
2026-04-19 | CVE-2025-23797: WP Options Editor CSRF Vulnerability | CVE-2025-23797: WP Options Editor CSRF Vulnerability
2026-04-19 | AVideo CSRF — CVE-2025-3100 (Critical) | AVideo CSRF — CVE-2025-3100 (Critical)
2026-04-19 | Authlib (Python) CSRF (Cache-Backed OAuth State) — CVE-2025-68158 | Authlib (Python) CSRF (Cache-Backed OAuth State) — CVE-2025-68158
2026-04-19 | Web Security Academy: CSRF SameSite Lax Bypass via Method Override | Web Security Academy: CSRF SameSite Lax Bypass via Method Override
2026-04-16 | Top CSRF HackerOne Reports | Top CSRF HackerOne Reports
2026-04-16 | Modern CSRF Mitigation in Single Page Applications | Modern CSRF Mitigation in Single Page Applications
2026-04-16 | CSRF in the Age of JSON | CSRF in the Age of JSON
2026-04-16 | How Does CSRF Lead to Account Takeover? | How Does CSRF Lead to Account Takeover?
2026-04-16 | Top 25 CSRF Bug Bounty Reports | Top 25 CSRF Bug Bounty Reports
2026-04-16 | The Bug Bounty Guide to Exploiting CSRF Vulnerabilities - YesWeHack | The Bug Bounty Guide to Exploiting CSRF Vulnerabilities - YesWeHack
2026-04-16 | CSRF: Advanced Exploitation Guide - Intigriti | CSRF: Advanced Exploitation Guide - Intigriti

Talks +12

Date | Resource | Summary
2026-04-19 | DEF CON 33 Hacking Conference 2025 — USF | DEF CON 33 Hacking Conference 2025 — USF
2026-04-19 | DEF CON 33 (2025) — Security.World | DEF CON 33 (2025) — Security.World
2026-04-19 | What to Expect from BSides, Black Hat, and DEF CON 2025 | What to Expect from BSides, Black Hat, and DEF CON 2025
2026-04-19 | DEF CON 2025 — Open Source Security Foundation | DEF CON 2025 — Open Source Security Foundation
2026-04-19 | DEFCON Conference — Official YouTube | DEFCON Conference — Official YouTube
2026-04-16 | XBOW at Black Hat & DEF CON: AI Agents for Offensive Security | XBOW at Black Hat & DEF CON: AI Agents for Offensive Security
2026-04-16 | 5 Takeaways from Black Hat x DEF CON 2025 | 5 Takeaways from Black Hat x DEF CON 2025
2026-04-16 | Black Hat USA 2025 Briefings Schedule | Black Hat USA 2025 Briefings Schedule
2026-04-16 | Cybersecurity Slides Collection | Cybersecurity Slides Collection
2026-04-16 | InfoCon: Hacking and Security Conference Archives | InfoCon: Hacking and Security Conference Archives
2026-04-16 | DEFCON Media Server: Complete Conference Video Archive | DEFCON Media Server: Complete Conference Video Archive
2026-04-16 | DEF CON 33 Archive: Videos, Slides, and White Papers | DEF CON 33 Archive: Videos, Slides, and White Papers

Bug Bounty +11

Date | Resource | Summary
2026-04-19 | HackerOne Paid $81 Million in Bug Bounties Over the Past Year | HackerOne Paid $81 Million in Bug Bounties Over the Past Year
2026-04-19 | 9 Top Bug Bounty Programs Launched in 2025 — CSO Online | 9 Top Bug Bounty Programs Launched in 2025 — CSO Online
2026-04-19 | Bug-bounty Writeups Repository — fardeen-ahmed | Bug-bounty Writeups Repository — fardeen-ahmed
2026-04-19 | Google's Bug Bounty Program Hits All-Time High — $17M in 2025 | Google's Bug Bounty Program Hits All-Time High — $17M in 2025
2026-04-19 | Top Bugs That Actually Paid Bounties in 2025 | Top Bugs That Actually Paid Bounties in 2025
2026-04-16 | BugHunterMethodology: A Comprehensive Bug Bounty Methodology | BugHunterMethodology: A Comprehensive Bug Bounty Methodology
2026-04-16 | PortSwigger's Top 10 Web Hacking Techniques of 2025 | PortSwigger's Top 10 Web Hacking Techniques of 2025
2026-04-16 | Automating Bug Bounties with Nuclei | Automating Bug Bounties with Nuclei
2026-04-16 | Advanced Techniques & Use Cases of Nuclei for Bug Bounty | Advanced Techniques & Use Cases of Nuclei for Bug Bounty
2026-04-16 | Crafting Your Bug Bounty Methodology: A Complete Guide | Crafting Your Bug Bounty Methodology: A Complete Guide
2026-04-16 | Top Vulnerabilities for Pentest & Bug Bounty in 2025 | Top Vulnerabilities for Pentest & Bug Bounty in 2025