## Supply Chain +57
| Date | Resource | Summary |
|---|---|---|
| 2026-04-23 | Checkmarx Supply Chain Attack Exploits Docker Images and CI/CD Pipelines | Checkmarx Supply Chain Attack Exploits Docker Images and CI/CD Pipelines https://ift.tt/fPkwYx0 |
| 2026-04-23 | Shai-Hulud: The Third Coming - Bitwarden CLI Backdoored in Latest Supply Chain Campaign | Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign https://ift.tt/OsEXhPW |
| 2026-04-23 | Tenable finds Microsoft GitHub flaw risking supply chains | Tenable finds Microsoft GitHub flaw risking supply chains https://ift.tt/VXu8wM2 |
| 2026-04-23 | New Checkmarx supply-chain breach affects KICS analysis tool | New Checkmarx supply-chain breach affects KICS analysis tool https://ift.tt/p2R0T8O |
| 2026-04-23 | Checkmarx Docker Hub repository compromised with malicious images | Checkmarx Docker Hub repository compromised with malicious images https://ift.tt/Cpy7bme |
| 2026-04-23 | Namastex npm packages compromised in 'CanisterWorm' supply chain attack | Namastex npm packages compromised in ‘CanisterWorm’ supply chain attack https://ift.tt/hbNKaTp |
| 2026-04-23 | No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours | No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours https://ift.tt/fIX26Eo |
| 2026-04-23 | No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours | No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours https://ift.tt/JDfPrIS |
| 2026-04-23 | Xinference PyPI Package Compromised With Malicious Code to Steal Cloud Credentials | Xinference PyPI Package Compromised With Malicious Code to Steal Cloud Credentials https://ift.tt/MALwDp9 |
| 2026-04-23 | Malicious Docker Images and VS Code Extensions Compromise Checkmarx Supply Chain | Malicious Docker Images and VS Code Extensions Compromise Checkmarx Supply Chain https://ift.tt/xvOUGSi |
| 2026-04-23 | Checkmarx KICS Docker Repo Hijacked in Malicious Code Injection Attack | Checkmarx KICS Docker Repo Hijacked in Malicious Code Injection Attack https://ift.tt/ocmvb8S |
| 2026-04-23 | Xinference PyPI Breach Exposes Developers to Cloud Credential Theft | Xinference PyPI Breach Exposes Developers to Cloud Credential Theft https://ift.tt/Tqo2NKg |
| 2026-04-23 | axios npm Compromise: The Ultimate Supply Chain Scaries | axios npm Compromise: The Ultimate Supply Chain Scaries https://ift.tt/ZmiRfkp |
| 2026-04-23 | Xinference allegedly hacked by TeamPCP, Malicious Package In PyPI | Xinference allegedly hacked by TeamPCP, Malicious Package In PyPI https://ift.tt/vMwcIWt |
| 2026-04-23 | AI Supply-Chain Monitor Identifies Critical Axios Attack | AI Supply-Chain Monitor Identifies Critical Axios Attack https://ift.tt/jMkYqAz |
| 2026-04-23 | Aikido Security Launches Endpoint Protection for Developer Devices as Software Supply Chain Attacks Hit Unprecedented Scale | Aikido Security Launches Endpoint Protection for Developer Devices as Software Supply Chain Attacks Hit Unprecedented Scale https://ift.tt/sLawUZo |
| 2026-04-22 | Another npm supply chain worm is tearing through dev environments | Another npm supply chain worm is tearing through dev environments https://ift.tt/mrPsh3p |
| 2026-04-22 | Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens | Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens https://ift.tt/ch1xmSL |
| 2026-04-22 | Supply Chain Attacks Are Getting Worse: How to Shrink Your Exposure | Supply Chain Attacks Are Getting Worse—How to Shrink Your Exposure https://ift.tt/A90d4Bp |
| 2026-04-22 | Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain | Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain https://ift.tt/uA7BI5U |
| 2026-04-22 | Hypersonic Supply Chain Attacks: One Solution That Didn't Need to Know the Payload | Hypersonic Supply Chain Attacks: One Solution That Didn't Need to Know the Payload https://ift.tt/bKtc9JB |
| 2026-04-22 | Flaw in Microsoft-owned GitHub repository allowed RCE via issue submission | Flaw in Microsoft-owned GitHub repository allowed RCE via issue submission https://ift.tt/gj6ZlMi |
| 2026-04-22 | New npm supply-chain attack self-spreads to steal auth tokens | New npm supply-chain attack self-spreads to steal auth tokens https://ift.tt/jx1785i |
| 2026-04-22 | Axios npm Supply Chain Attack: 83M Downloads Hit | Axios npm Supply Chain Attack: 83M Downloads Hit |
| 2026-04-22 | Axios npm Hijack 2026: Everything You Need to Know | Axios npm Hijack 2026: Everything You Need to Know |
| 2026-04-22 | TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files | TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files |
| 2026-04-22 | litellm: Credential Stealer Hidden in PyPI Wheel | litellm: Credential Stealer Hidden in PyPI Wheel |
| 2026-04-22 | What's Coming to Our GitHub Actions 2026 Security Roadmap | What's Coming to Our GitHub Actions 2026 Security Roadmap |
| 2026-04-22 | Shai-Hulud npm Supply Chain Attack: New Compromised Packages Detected | Shai-Hulud npm Supply Chain Attack: New Compromised Packages Detected |
| 2026-04-22 | LiteLLM and Telnyx Compromised on PyPI: Tracing the TeamPCP Supply Chain Campaign | LiteLLM and Telnyx Compromised on PyPI: Tracing the TeamPCP Supply Chain Campaign |
| 2026-04-22 | Keeping Your GitHub Actions Secure Part 1: Preventing Pwn Requests | Keeping Your GitHub Actions Secure Part 1: Preventing Pwn Requests |
| 2026-04-22 | GitHub Actions Security Pt 1: Attacks & Defenses (Wiz) | GitHub Actions Security Pt 1: Attacks & Defenses (Wiz) |
| 2026-04-22 | Are SBOMs Failing? Supply Chain Attacks Rise as Security Teams Struggle With SBOM Data | Are SBOMs Failing? Supply Chain Attacks Rise as Security Teams Struggle With SBOM Data https://ift.tt/GMVqgjU |
| 2026-04-22 | Axios supply chain attack deploys multi-OS malware | Axios supply chain attack deploys multi-OS malware https://ift.tt/qVLszCa |
| 2026-04-22 | AI-Driven Endpoints Highlight Expanding Software Supply Chain Risk | AI-Driven Endpoints Highlight Expanding Software Supply Chain Risk https://ift.tt/Op8eSmM |
| 2026-04-22 | Aikido Unveils Endpoint Security as Supply Chain Attacks Hit Developers | Aikido Unveils Endpoint Security as Supply Chain Attacks Hit Developers https://ift.tt/aDBmAct |
| 2026-04-21 | Critical Microsoft GitHub Flaw Highlights Dangers to CI/CD Pipelines: Tenable | Critical Microsoft GitHub Flaw Highlights Dangers to CI/CD Pipelines: Tenable https://ift.tt/nvuCc9x |
| 2026-04-21 | CISA urges security teams to view environments following axios compromise | CISA urges security teams to view environments following axios compromise https://ift.tt/JYRaA0z |
| 2026-04-21 | CISA Warns Axios npm Package Was Compromised in Major Supply Chain Attack | CISA Warns Axios npm Package Was Compromised in Major Supply Chain Attack https://ift.tt/bSQfTkG |
| 2026-04-21 | Aikido Security launches Endpoint to secure AI development and mitigate supply chain attacks | Aikido Security launches Endpoint to secure AI development and mitigate supply chain attacks https://ift.tt/pWgtqSF |
| 2026-04-21 | Introducing Endpoint Protection: Security for Developer Devices | Introducing Endpoint Protection: Security for Developer Devices https://ift.tt/2w1NTUs |
| 2026-04-21 | Aikido Security Launches Endpoint Protection for Developer Devices as Software Supply Chain Attacks Hit Unprecedented Scale | Aikido Security Launches Endpoint Protection for Developer Devices as Software Supply Chain Attacks Hit Unprecedented Scale https://ift.tt/UoCFdbH |
| 2026-04-21 | CISA Warns Axios npm Package Was Compromised in Major Supply Chain Attack | CISA Warns Axios npm Package Was Compromised in Major Supply Chain Attack https://ift.tt/eymP7Vs |
| 2026-04-21 | CISA Warns Compromised Axios npm Package Fueled Major Supply Chain Attack | CISA Warns Compromised Axios npm Package Fueled Major Supply Chain Attack https://ift.tt/3Sh8QXg |
| 2026-04-21 | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables https://ift.tt/jIBeCuh |
| 2026-04-21 | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables https://ift.tt/K8Z5lwR |
| 2026-04-21 | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables https://ift.tt/D9r2QqY |
| 2026-04-21 | Astrix Security Highlights Rising Risk in OAuth-Driven Supply Chain Attacks | Astrix Security Highlights Rising Risk in OAuth-Driven Supply Chain Attacks https://ift.tt/pdx7G9Z |
| 2026-04-20 | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables https://ift.tt/60RoEYV |
| 2026-04-20 | Vercel incident falls short of a supply chain attack | Vercel incident falls short of a supply chain attack https://ift.tt/mfiYhux |
| 2026-04-20 | Supply Chain Attack Hits Vercel: User Data is Being Sold on BreachForums For $2M | Supply Chain Attack Hits Vercel: User Data is Being Sold on BreachForums For $2M https://ift.tt/4aw2YkZ |
| 2026-04-20 | Why the Axios attack proves AI is mandatory for supply chain security | Why the Axios attack proves AI is mandatory for supply chain security https://ift.tt/AnX6trC |
| 2026-04-20 | Aikido Security Launches Endpoint Protection for Developer Devices as Software Supply Chain Attacks Hit Unprecedented Scale | Aikido Security Launches Endpoint Protection for Developer Devices as Software Supply Chain Attacks Hit Unprecedented Scale https://ift.tt/rNiAjU3 |
| 2026-04-20 | Aikido Endpoint offers developers additional protection against supply chain attacks | Aikido Endpoint offers developers additional protection against supply chain attacks https://ift.tt/8yt0jbA |
| 2026-04-20 | Aikido Security Launches Endpoint Protection for Developer Devices as Software Supply Chain Attacks Hit Unprecedented Scale | Aikido Security Launches Endpoint Protection for Developer Devices as Software Supply Chain Attacks Hit Unprecedented Scale https://ift.tt/sVFAYcE |
| 2026-04-20 | New security agent helps fight software supply chain attacks | New security agent helps fight software supply chain attacks https://ift.tt/tRoy3LB |
| 2026-04-20 | Aikido launches Endpoint to secure AI-native developer workflows | Aikido launches Endpoint to secure AI-native developer workflows https://ift.tt/ULhxSu6 |
## RCE +36
| Date | Resource | Summary |
|---|---|---|
| 2026-04-23 | Anthropic's model context protocol includes a critical remote code execution vulnerability | Anthropic's model context protocol includes a critical remote code execution vulnerability https://ift.tt/uJoCxjU |
| 2026-04-22 | Mozilla Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities | Mozilla Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities https://ift.tt/6dEs8aC |
| 2026-04-22 | Terrarium Sandbox: Critical Vulnerability Allows Root Code | Terrarium Sandbox: Critical Vulnerability Allows Root Code https://ift.tt/xt7SA8a |
| 2026-04-22 | Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities | Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities https://ift.tt/oKqHTf5 |
| 2026-04-22 | Critical SGLang Flaw (CVE-2026-5760) Enables RCE via Malicious AI Models | Critical SGLang Flaw (CVE-2026-5760) Enables RCE via Malicious AI Models |
| 2026-04-22 | CVE-2025-68454: Craft CMS Twig SSTI RCE Vulnerability | CVE-2025-68454: Craft CMS Twig SSTI RCE Vulnerability |
| 2026-04-22 | 15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652) | 15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652) |
| 2026-04-22 | React2Shell (CVE-2025-55182): RSC Flight Decoder Remote Code Execution | React2Shell (CVE-2025-55182): RSC Flight Decoder Remote Code Execution |
| 2026-04-22 | Ivanti EPMM: Another Pre-Auth RCE (CVE-2026-1281 and CVE-2026-1340) | Ivanti EPMM: Another Pre-Auth RCE (CVE-2026-1281 and CVE-2026-1340) |
| 2026-04-22 | CVE-2025-57738: Apache Syncope Groovy Injection RCE | CVE-2025-57738: Apache Syncope Groovy Injection RCE |
| 2026-04-22 | Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain | Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain |
| 2026-04-22 | Critical RCE Vulnerability in Anthropic MCP Inspector (CVE-2025-49596) | Critical RCE Vulnerability in Anthropic MCP Inspector (CVE-2025-49596) |
| 2026-04-22 | CVE-2025-24893: XWiki SSTI Unauthenticated RCE Exploit | CVE-2025-24893: XWiki SSTI Unauthenticated RCE Exploit |
| 2026-04-22 | CVE-2026-34197: ActiveMQ RCE via Jolokia API | CVE-2026-34197: ActiveMQ RCE via Jolokia API |
| 2026-04-22 | Google Antigravity in Crosshairs of Security Researchers, Cybercriminals | Google Antigravity in Crosshairs of Security Researchers, Cybercriminals https://ift.tt/ZgkxGsP |
| 2026-04-22 | Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape | Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape https://ift.tt/1Oulkrs |
| 2026-04-22 | Fake SVG puts 750,000 websites at risk: hackers can seize the web server | Fake SVG puts 750,000 websites at risk: hackers can seize the web server https://ift.tt/BwtOzhU |
| 2026-04-22 | Adobe Acrobat Reader: Prototype pollution vulnerability enables remote code execution | Adobe Acrobat Reader: Prototype pollution vulnerability enables remote code execution https://ift.tt/6Vm9ieE |
| 2026-04-21 | 22 BRIDGE:BREAK Flaws Expose 20,000 Lantronix and Silex Serial-to-IP Converters | 22 BRIDGE:BREAK Flaws Expose 20,000 Lantronix and Silex Serial-to-IP Converters https://ift.tt/DKsAtmp |
| 2026-04-21 | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool https://ift.tt/1QOIZsB |
| 2026-04-21 | Apache Syncope RCE Vulnerability Detailed After Public Exploit Code Release | Apache Syncope RCE Vulnerability Detailed After Public Exploit Code Release https://ift.tt/hT4dgwi |
| 2026-04-21 | Actively exploited Apache ActiveMQ flaw impacts 6,400 servers | Actively exploited Apache ActiveMQ flaw impacts 6,400 servers https://ift.tt/TMZ4gHl |
| 2026-04-21 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository https://ift.tt/V1EDXyM |
| 2026-04-21 | Hackers Could Weaponize GGUF Models to Achieve RCE on SGLang Inference Servers | Hackers Could Weaponize GGUF Models to Achieve RCE on SGLang Inference Servers https://ift.tt/UTpIVmw |
| 2026-04-21 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository, Exposing CI/CD Pipeline to Unauthorized Code Execution | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository, Exposing CI/CD Pipeline to Unauthorized Code Execution https://ift.tt/sOHxvXg |
| 2026-04-21 | Critical Anthropic's MCP Vulnerability Enables Remote Code Execution Attacks | Critical Anthropic’s MCP Vulnerability Enables Remote Code Execution Attacks https://ift.tt/NgPh5a6 |
| 2026-04-21 | Malicious GGUF Models Could Trigger Remote Code Execution on SGLang Servers | Malicious GGUF Models Could Trigger Remote Code Execution on SGLang Servers https://ift.tt/tE3rbwk |
| 2026-04-21 | SGLang Enables Remote Code Execution via Malicious GGUF Models | SGLang Enables Remote Code Execution via Malicious GGUF Models https://ift.tt/IRetcHV |
| 2026-04-20 | Critical RCE vulnerability in protobuf.js; Exploit code published | Critical RCE vulnerability in protobuf.js; Exploit code published https://ift.tt/LxzVmlR |
| 2026-04-20 | Google Chrome Multiple Vulnerabilities | Google Chrome Multiple Vulnerabilities https://ift.tt/u1NDCGr |
| 2026-04-20 | iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution | iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution https://ift.tt/l13PHeM |
| 2026-04-20 | Vulnerability exploitation surges often precede disclosure offering possible early warnings | Vulnerability exploitation surges often precede disclosure, offering possible early warnings https://ift.tt/UAnQyhJ |
| 2026-04-20 | 52M-Download protobuf.js Library Hit by RCE in Schema Handling | 52M-Download protobuf.js Library Hit by RCE in Schema Handling https://ift.tt/i1QdNDX |
| 2026-04-20 | Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters | Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters https://ift.tt/NBwdZU2 |
| 2026-04-20 | Cisco ISE Vulnerabilities Enable Remote Code Execution | Cisco ISE Vulnerabilities Enable Remote Code Execution https://ift.tt/I3pcsMW |
| 2026-04-19 | CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack | CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack https://ift.tt/m82B1ER |
## AI +23
| Date | Resource | Summary |
|---|---|---|
| 2026-04-23 | Six AI Vulnerabilities, Three Attack Patterns, One Dangerous Service Gap | Six AI Vulnerabilities, Three Attack Patterns, One Dangerous Service Gap https://ift.tt/STbWHA5 |
| 2026-04-23 | AI-powered scanner vulnerabilities | AI-powered scanner vulnerabilities https://ift.tt/re6cDjZ |
| 2026-04-23 | Anthropic's model context protocol includes a critical remote code execution vulnerability | Anthropic's model context protocol includes a critical remote code execution vulnerability https://ift.tt/Hfb3ygq |
| 2026-04-22 | Massive compromise hits LiteLLM and the whole AI developers community: how did it happen? | Massive compromise hits LiteLLM and the whole AI developers community: how did it happen? https://ift.tt/kWQ0dJB |
| 2026-04-22 | Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it | Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it https://ift.tt/smH86bY |
| 2026-04-22 | You're Simulating the Wrong Attacker: Who Matters in AI Red Teaming | You're Simulating the Wrong Attacker: Who Matters in AI Red Teaming |
| 2026-04-22 | DeepTeam: Open-Source Framework to Red Team LLMs and LLM Systems | DeepTeam: Open-Source Framework to Red Team LLMs and LLM Systems |
| 2026-04-22 | Claude Jailbreaking in 2026: What Repello's Red Teaming Data Shows | Claude Jailbreaking in 2026: What Repello's Red Teaming Data Shows |
| 2026-04-22 | AI-Infra-Guard: Full-Stack AI Red Teaming Platform | AI-Infra-Guard: Full-Stack AI Red Teaming Platform |
| 2026-04-22 | AI Red Teaming Playground Labs (Microsoft) | AI Red Teaming Playground Labs (Microsoft) |
| 2026-04-22 | HackerOne: LLM01: Invisible Prompt Injection | Program: HackerOne Severity: medium Weakness: LLM01: Prompt Injection ## Description Hey team, Hai is vulnerable to invisible prompt injection via Unicode tag characters. ## Reproduction steps 1. ... |
| 2026-04-22 | When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins | When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins |
| 2026-04-22 | Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis | Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis |
| 2026-04-22 | Prompt Injection 2.0: Hybrid AI Threats | Prompt Injection 2.0: Hybrid AI Threats |
| 2026-04-22 | Architecting Secure AI Agents: System-Level Defenses Against Indirect Prompt Injection | Architecting Secure AI Agents: System-Level Defenses Against Indirect Prompt Injection |
| 2026-04-22 | Anthropic's Model Context Protocol includes a critical remote code execution vulnerability: newly discovered exploit puts 200,000 AI servers at risk | Anthropic's Model Context Protocol includes a critical remote code execution vulnerability — newly discovered exploit puts 200,000 AI servers at risk https://ift.tt/KLVv9gP |
| 2026-04-21 | The 'by design' security flaw of Model Context Protocol (MCP) | The 'by design' security flaw of Model Context Protocol (MCP) https://ift.tt/kotl0Is |
| 2026-04-21 | Prompt injection turned Google's Antigravity file search into RCE | Prompt injection turned Google’s Antigravity file search into RCE https://ift.tt/kx2siuv |
| 2026-04-21 | Claude Code, Gemini CLI, and GitHub Copilot Vulnerable to Prompt Injection via GitHub Comments | Claude Code, Gemini CLI, and GitHub Copilot Vulnerable to Prompt Injection via GitHub Comments https://ift.tt/FS25xif |
| 2026-04-21 | Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution | Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution https://ift.tt/WhCTNuU |
| 2026-04-20 | Vuln in Google's Antigravity AI agent manager could escape sandbox, give attackers remote code execution | Vuln in Google’s Antigravity AI agent manager could escape sandbox, give attackers remote code execution https://ift.tt/MnhvV7G |
| 2026-04-20 | Anthropic MCP Hit by Critical Vulnerability Enabling Remote Code Execution | Anthropic MCP Hit by Critical Vulnerability Enabling Remote Code Execution https://ift.tt/4HM1zP0 |
| 2026-04-20 | Critical Anthropic MCP Vulnerability Enables Remote Code Execution Attacks | Critical Anthropic MCP Vulnerability Enables Remote Code Execution Attacks https://ift.tt/sjNEzGL |
## API Security +21
| Date | Resource | Summary |
|---|---|---|
| 2026-04-23 | New LMDeploy Vulnerability Exploited in the Wild Just 12 Hours After Public Advisory | New LMDeploy Vulnerability Exploited in the Wild Just 12 Hours After Public Advisory https://ift.tt/txmoBfy |
| 2026-04-23 | Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core | Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core https://ift.tt/ACNkfaG |
| 2026-04-22 | Microsoft releases emergency patches for critical ASP.NET flaw | Microsoft releases emergency patches for critical ASP.NET flaw https://ift.tt/C9a1UoS |
| 2026-04-22 | A Deep Dive on the Most Critical API Vulnerability: BOLA | A Deep Dive on the Most Critical API Vulnerability: BOLA |
| 2026-04-22 | What Is Broken Object Property Level Authorization? | What Is Broken Object Property Level Authorization? |
| 2026-04-22 | What Is Broken Object Level Authorization? | What Is Broken Object Level Authorization? |
| 2026-04-22 | This Is How I Hacked an API Using Mass Assignment Vulnerability | This Is How I Hacked an API Using Mass Assignment Vulnerability |
| 2026-04-22 | CVE-2026-34839: CORS Vulnerability in Glances REST API | CVE-2026-34839: CORS Vulnerability in Glances REST API |
| 2026-04-22 | API ThreatStats Report 2026 | API ThreatStats Report 2026 |
| 2026-04-22 | VAmPI: Vulnerable REST API with OWASP Top 10 Vulnerabilities | VAmPI: Vulnerable REST API with OWASP Top 10 Vulnerabilities |
| 2026-04-22 | API4:2023 Unrestricted Resource Consumption | API4:2023 Unrestricted Resource Consumption |
| 2026-04-22 | 1H 2026 State of AI and API Security Report (Salt) | 1H 2026 State of AI and API Security Report (Salt) |
| 2026-04-22 | PortSwigger Lab: Exploiting a Mass Assignment Vulnerability | PortSwigger Lab: Exploiting a Mass Assignment Vulnerability |
| 2026-04-21 | Lovable left thousands of projects exposed for 48 days, and the vibe coding security crisis is only getting worse | Lovable left thousands of projects exposed for 48 days, and the vibe coding security crisis is only getting worse https://ift.tt/LVCAuWM |
| 2026-04-21 | Lovable AI App Builder Reportedly Exposes Thousands of Project Data via API Flaw | Lovable AI App Builder Reportedly Exposes Thousands of Project Data via API Flaw https://ift.tt/rUbhJN8 |
| 2026-04-21 | Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus | Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus https://ift.tt/oy8L9Ec |
| 2026-04-21 | Lovable's API flaw exposed private project data from the $6.6 billion AI app builder used by Nvidia and Microsoft teams | Lovable’s API flaw exposed private project data from the $6.6 billion AI app builder used by Nvidia and Microsoft teams https://ift.tt/E5xzyKD |
| 2026-04-21 | Lovable AI App Builder Hit by Reported API Flaw Exposing Thousands of Projects | Lovable AI App Builder Hit by Reported API Flaw Exposing Thousands of Projects https://ift.tt/asxTLXh |
| 2026-04-21 | Lovable Left Thousands of Projects Exposed for 48 Days, and Still Hasn't Fixed It | Lovable Left Thousands of Projects Exposed for 48 Days — And Still Hasn't Fixed It https://ift.tt/jFxufgQ |
| 2026-04-21 | API Security Risks Rise as AI Adoption Accelerates | API Security Risks Rise as AI Adoption Accelerates https://ift.tt/oL4A7vV |
| 2026-04-20 | Lovable AI App Builder Reportedly Exposes Customer Data From Projects via Unpatched API Flaw | Lovable AI App Builder Reportedly Exposes Customer Data From Projects via Unpatched API Flaw https://ift.tt/U5uy4dg |
## SSRF +17
| Date | Resource | Summary |
|---|---|---|
| 2026-04-24 | LMDeploy SSRF alert CVE-2026-33626 exploited within hours Attackers can access internal services & cloud metadata. Update now & restrict outbound requests.vulert.com/blog/lmdeploy-p #CyberSecurity #SSRF #AIsecurity #Vulert | 🚨 LMDeploy SSRF alert CVE-2026-33626 exploited within hours ⚠️ Attackers can access internal services & cloud metadata. Update now & restrict outbound requests.vulert.com/blog/lmdeploy-…p #CyberSecuri... |
| 2026-04-24 | LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure | LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure https://ift.tt/8wBTJAc |
| 2026-04-23 | Attackers Exploit LMDeploy Flaw in the Wild Within 12 Hours of Advisory | Attackers Exploit LMDeploy Flaw in the Wild Within 12 Hours of Advisory https://ift.tt/xWknlfA |
| 2026-04-23 | CVE-2026-33626 exposes an SSRF in LMDeploys vision-language image loader. Attackers accessed AWS IMDS scanned local services and confirmed egress within 12 hours. Update to v0.12.3 and enforce IMDSv2. #LMDeploy #SSRF #USA ift.tt/PVn3XMk | CVE-2026-33626 exposes an SSRF in LMDeploy’s vision-language image loader. Attackers accessed AWS IMDS, scanned local services, and confirmed egress within 12 hours. Update to v0.12.3 and enforce IMDS... |
| 2026-04-23 | CVE-2026-33626: A critical SSRF in LMDeploy exploited in under 13 hours. Learn how attackers hijack AI nodes and how to secure your inference cloud now. #CVE202633626 #SSRF #AISecurity #LMDeploy #InfoSec #CyberAttack #CloudSecurity #LLM #PatchNow securityonline.info/cve-2026-33626 pic.x.com/09IZxf21rQ | CVE-2026-33626: A critical SSRF in LMDeploy exploited in under 13 hours. Learn how attackers hijack AI nodes and how to secure your inference cloud now. #CVE202633626 #SSRF #AISecurity #LMDeploy #Info... |
| 2026-04-22 | Critical Spring Authorization Server Issue Exposes Systems to XSS and SSRF Attacks | Critical Spring Authorization Server Issue Exposes Systems to XSS and SSRF Attacks https://ift.tt/y4laiIW |
| 2026-04-22 | Critical Spring Authorization Server Flaw Enables XSS, Privilege Escalation, and SSRF | Critical Spring Authorization Server Flaw Enables XSS, Privilege Escalation, and SSRF https://ift.tt/b2pauUc |
| 2026-04-22 | LibreChat SSRF Bypass via IPv6 Mapped Address Confusion | LibreChat SSRF Bypass via IPv6 Mapped Address Confusion |
| 2026-04-22 | SSRF Vulnerability: Bypassing Protection with DNS Rebinding Attack | SSRF Vulnerability: Bypassing Protection with DNS Rebinding Attack |
| 2026-04-22 | is-localhost-ip 2.0.0 SSRF via Restrictions Bypass (CVE-2025-9960) | is-localhost-ip 2.0.0 SSRF via Restrictions Bypass (CVE-2025-9960) |
| 2026-04-22 | See-SURF: Tool to Find Potential Vulnerable SSRF Parameters | See-SURF: Tool to Find Potential Vulnerable SSRF Parameters |
| 2026-04-22 | Hacking Next.js Targets: Advanced SSRF Exploitation Guide | Hacking Next.js Targets: Advanced SSRF Exploitation Guide |
| 2026-04-22 | Catflix CTF: Exploiting SSRFs in Next.js Middleware | Catflix CTF: Exploiting SSRFs in Next.js Middleware |
| 2026-04-22 | SSRF Guard Bypass via Full-Form IPv4-Mapped IPv6 Literal | SSRF Guard Bypass via Full-Form IPv4-Mapped IPv6 Literal |
| 2026-04-22 | Next.js Improper Middleware Redirect Handling Leads to SSRF (CVE-2025-57822) | Next.js Improper Middleware Redirect Handling Leads to SSRF (CVE-2025-57822) |
| 2026-04-22 | Craft CMS Cloud Metadata SSRF Protection Bypass via IPv6 Resolution | Craft CMS Cloud Metadata SSRF Protection Bypass via IPv6 Resolution |
| 2026-04-22 | Axios Unrestricted Cloud Metadata Exfiltration via Header Injection Chain (CVE-2026-40175) | Axios Unrestricted Cloud Metadata Exfiltration via Header Injection Chain (CVE-2026-40175) |
## Bug Bounty +16
| Date | Resource | Summary |
|---|---|---|
| 2026-04-23 | AI Sparks Bug-Bounty Surge in Crypto, but Low-Quality Reports Grow | AI Sparks Bug-Bounty Surge in Crypto, but Low-Quality Reports Grow https://ift.tt/ImqYgUJ |
| 2026-04-22 | Who's Really to Blame When a White Hat Goes Gray? | Who’s Really to Blame When a White Hat Goes Gray? https://ift.tt/GRys4eB |
| 2026-04-22 | Nextcloud ends bug bounty program due to too many low-quality reports | Nextcloud ends bug bounty program due to too many low-quality reports https://ift.tt/Qpl1nJ2 |
| 2026-04-22 | The Unofficial HackerOne Disclosure Timeline | The Unofficial HackerOne Disclosure Timeline |
| 2026-04-22 | Publicly Disclosed HackerOne Bug Bounty Findings | Publicly Disclosed HackerOne Bug Bounty Findings |
| 2026-04-22 | GraphQL - PortSwigger Lab Writeup | GraphQL - PortSwigger Lab Writeup |
| 2026-04-22 | BugBoard: Searchable Bug Bounty Writeups | BugBoard: Searchable Bug Bounty Writeups |
| 2026-04-22 | AI Vulnerability Deep Dive: Prompt Injection (Bugcrowd) | AI Vulnerability Deep Dive: Prompt Injection (Bugcrowd) |
| 2026-04-22 | A Guide to the Hidden Threat of Prompt Injection (Bugcrowd) | A Guide to the Hidden Threat of Prompt Injection (Bugcrowd) |
| 2026-04-22 | Writeups for Hack The Box Bug Bounty CTF 2025 | Writeups for Hack The Box Bug Bounty CTF 2025 |
| 2026-04-22 | Bug-Bounty-Methodology: JWT and Other Vulnerability Classes | Bug-Bounty-Methodology: JWT and Other Vulnerability Classes |
| 2026-04-22 | Bug Bounty Writeups: Available Programs and Writeups | Bug Bounty Writeups: Available Programs and Writeups |
| 2026-04-22 | Awesome Google VRP Writeups | Awesome Google VRP Writeups |
| 2026-04-22 | AI Sparks Bug-Bounty Surge in Crypto, but Low-Quality Reports Grow | AI Sparks Bug-Bounty Surge in Crypto, but Low-Quality Reports Grow https://ift.tt/huVd7WD |
| 2026-04-20 | Meta and PortSwigger drive offensive security further to find what others miss | Meta and PortSwigger drive offensive security further to find what others miss https://ift.tt/gc5osvx |
| 2026-04-20 | Dark web forum hosts $10,000 article contest on vulnerability exploitation | Dark web forum hosts $10,000 article contest on vulnerability exploitation https://ift.tt/Mc8sEPr |
## XSS +12
| Date | Resource | Summary |
|---|---|---|
| 2026-04-24 | Over 10,000 Zimbra Servers Vulnerable to XSS Attacks | Over 10,000 Zimbra Servers Vulnerable to XSS Attacks https://ift.tt/UNZfrVk |
| 2026-04-24 | Over 10000 Zimbra servers vulnerable to ongoing XSS attacks | Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks https://ift.tt/Ay2mKgb |
| 2026-04-22 | Mass-Assignment to Stored XSS and CSP Bypass in a Chatbot Platform | Mass-Assignment to Stored XSS and CSP Bypass in a Chatbot Platform |
| 2026-04-22 | Full Disclosure: DOM-Based XSS And Failures In Bug Bounty Hunting | Full Disclosure: DOM-Based XSS And Failures In Bug Bounty Hunting |
| 2026-04-22 | Cross-Site Scripting (XSS) Is Surging: 4 New CVEs This Week | Cross-Site Scripting (XSS) Is Surging: 4 New CVEs This Week |
| 2026-04-22 | CVE-2025-26244: Stored XSS in DeimosC2 Leading to Privilege Escalation | CVE-2025-26244: Stored XSS in DeimosC2 Leading to Privilege Escalation |
| 2026-04-22 | CVE-2025-25461: SeedDMS Stored XSS | CVE-2025-25461: SeedDMS Stored XSS |
| 2026-04-22 | Finding DOM Polyglot XSS in PayPal the Easy Way | Finding DOM Polyglot XSS in PayPal the Easy Way |
| 2026-04-22 | Cisco IOS XE Web Authentication Reflected XSS Advisory | Cisco IOS XE Web Authentication Reflected XSS Advisory |
| 2026-04-22 | CVE-2025-66412: Angular Stored XSS via SVG Animation and MathML Attributes | CVE-2025-66412: Angular Stored XSS via SVG Animation and MathML Attributes |
| 2026-04-22 | CVE-2025-0133: PAN-OS Reflected XSS in GlobalProtect Gateway | CVE-2025-0133: PAN-OS Reflected XSS in GlobalProtect Gateway |
| 2026-04-22 | Synthesizing XSS Polyglots with Monte Carlo Tree Search (arXiv 2025) | Synthesizing XSS Polyglots with Monte Carlo Tree Search (arXiv 2025) |
Python +11
| Date | Resource | Summary |
|---|---|---|
| 2026-04-23 | wapiti-scanner/wapiti: Web vulnerability scanner written in Python3 | Web vulnerability scanner written in Python3 |
| 2026-04-22 | CVE-2025-68664: Critical LangChain Flaw Enables Secret Extraction | CVE-2025-68664: Critical LangChain Flaw Enables Secret Extraction |
| 2026-04-22 | Bandit Python: Free SAST in 10 Seconds (2026 Review) | Bandit Python: Free SAST in 10 Seconds (2026 Review) |
| 2026-04-22 | CVE-2026-22607: Fickling Python RCE Vulnerability | CVE-2026-22607: Fickling Python RCE Vulnerability |
| 2026-04-22 | CVE-2026-21226: Azure Core Python Library RCE Vulnerability | CVE-2026-21226: Azure Core Python Library RCE Vulnerability |
| 2026-04-22 | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files |
| 2026-04-22 | Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure | Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure |
| 2026-04-22 | Critical SQL Injection Vulnerability in Django (CVE-2025-64459) | Critical SQL Injection Vulnerability in Django (CVE-2025-64459) |
| 2026-04-22 | CERT-FR Warns of Python/CPython RCE Vulnerabilities (CVE-2026-4786, CVE-2026-6100) | CERT-FR Warns of Python/CPython RCE Vulnerabilities (CVE-2026-4786, CVE-2026-6100) |
| 2026-04-22 | Malicious PyPI Packages Deliver SilentSync RAT | Malicious PyPI Packages Deliver SilentSync RAT |
| 2026-04-22 | Bearer: SAST Tool to Discover, Filter, and Prioritize Security and Privacy Risks | Bearer: SAST Tool to Discover, Filter, and Prioritize Security and Privacy Risks |
Fuzzing +11
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | Jazzer: Coverage-guided, in-process fuzzing for the JVM | Jazzer: Coverage-guided, in-process fuzzing for the JVM |
| 2026-04-22 | Fuzzing 100+ open source projects with OSS-Fuzz - lessons learned | Fuzzing 100+ open source projects with OSS-Fuzz - lessons learned |
| 2026-04-22 | Large Language Model guided Protocol Fuzzing (NDSS) | Large Language Model guided Protocol Fuzzing (NDSS) |
| 2026-04-22 | Detect Go's silent arithmetic bugs with go-panikint | Detect Go's silent arithmetic bugs with go-panikint |
| 2026-04-22 | Denial of Fuzzing: Rust in the Windows kernel | Denial of Fuzzing: Rust in the Windows kernel |
| 2026-04-22 | Bringing Fuzz Testing to Kotlin with kotlinx.fuzz | Bringing Fuzz Testing to Kotlin with kotlinx.fuzz |
| 2026-04-22 | Advanced binary fuzzing using AFL++-QEMU and libprotobuf | Advanced binary fuzzing using AFL++-QEMU and libprotobuf |
| 2026-04-22 | deepSURF: Detecting Memory Safety Vulnerabilities in Rust Through Fuzzing LLM-Augmented Harnesses | deepSURF: Detecting Memory Safety Vulnerabilities in Rust Through Fuzzing LLM-Augmented Harnesses |
| 2026-04-22 | Fixing Security Vulnerabilities with AI in OSS-Fuzz | Fixing Security Vulnerabilities with AI in OSS-Fuzz |
| 2026-04-22 | A Survey of Network Protocol Fuzzing: Model, Techniques and Directions | A Survey of Network Protocol Fuzzing: Model, Techniques and Directions |
| 2026-04-22 | Anthropic AI Finds 271 Vulnerabilities in Firefox | Anthropic AI Finds 271 Vulnerabilities in Firefox https://ift.tt/61geSjc |
SQLi +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-23 | LangChain framework hit by several worrying security issues here's what we know | LangChain framework hit by several worrying security issues — here's what we know https://ift.tt/XaO0IvB |
| 2026-04-22 | CVE-2025-1094: PostgreSQL SQL Injection Vulnerability | CVE-2025-1094: PostgreSQL SQL Injection Vulnerability |
| 2026-04-22 | SQLMap Tamper Collection: Modern WAF Bypass Scripts (Cloudflare, AWS, Azure) | SQLMap Tamper Collection: Modern WAF Bypass Scripts (Cloudflare, AWS, Azure) |
| 2026-04-22 | SQL Injection and Postgres: An Adventure to Eventual RCE | SQL Injection and Postgres: An Adventure to Eventual RCE |
| 2026-04-22 | Pentesting PostgreSQL with SQL Injections | Pentesting PostgreSQL with SQL Injections |
| 2026-04-22 | NoSQL Injection: Advanced Exploitation Guide | NoSQL Injection: Advanced Exploitation Guide |
| 2026-04-22 | Exploits Explained: NoSQL Injection Returns Private Information | Exploits Explained: NoSQL Injection Returns Private Information |
| 2026-04-22 | CVE-2025-52694 PoC: Critical SQL Injection in Advantech IoTSuite/SaaS-Composer | CVE-2025-52694 PoC: Critical SQL Injection in Advantech IoTSuite/SaaS-Composer |
| 2026-04-22 | MCP Vulnerability Case Study: SQL Injection in the Postgres MCP Server | MCP Vulnerability Case Study: SQL Injection in the Postgres MCP Server |
| 2026-04-22 | BWAFSQLi: Bypassing Web Application Firewall with Adversarial SQL Injections | BWAFSQLi: Bypassing Web Application Firewall with Adversarial SQL Injections |
SSTI +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | SSTI in Bug Bounty: Playing with Handlebars and Breaking Stuff | SSTI in Bug Bounty: Playing with Handlebars and Breaking Stuff |
| 2026-04-22 | SSTI: Explanation, Discovery, Exploitation, and Prevention | SSTI: Explanation, Discovery, Exploitation, and Prevention |
| 2026-04-22 | SSTI: Breaking Out of Templates | SSTI: Breaking Out of Templates |
| 2026-04-22 | Metasploit Module: Tactical RMM Jinja2 SSTI RCE (CVE-2025-69516) | Metasploit Module: Tactical RMM Jinja2 SSTI RCE (CVE-2025-69516) |
| 2026-04-22 | Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE | Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE |
| 2026-04-22 | CVE-2026-33154: Dynaconf RCE via Insecure Jinja Template Evaluation | CVE-2026-33154: Dynaconf RCE via Insecure Jinja Template Evaluation |
| 2026-04-22 | Grav CMS: Security Sandbox Bypass with SSTI | Grav CMS: Security Sandbox Bypass with SSTI |
| 2026-04-22 | Grav CMS: RCE via SSTI through Twig Sandbox Bypass | Grav CMS: RCE via SSTI through Twig Sandbox Bypass |
| 2026-04-22 | CVE-2026-27641: Flask-Reuploaded Path Traversal Enabling SSTI RCE | CVE-2026-27641: Flask-Reuploaded Path Traversal Enabling SSTI RCE |
| 2026-04-22 | A Survey of the Overlooked Dangers of Template Engines (arXiv 2024) | A Survey of the Overlooked Dangers of Template Engines (arXiv 2024) |
Authentication +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | OAuth2 Proxy Authentication Bypass via X-Forwarded-Uri (CVE-2026-40575) | OAuth2 Proxy Authentication Bypass via X-Forwarded-Uri (CVE-2026-40575) |
| 2026-04-22 | Keycloak SAML Disabled Client SSO Bypass (CVE-2026-3047) | Keycloak SAML Disabled Client SSO Bypass (CVE-2026-3047) |
| 2026-04-22 | CVE-2026-2092: Keycloak Auth Bypass Vulnerability | CVE-2026-2092: Keycloak Auth Bypass Vulnerability |
| 2026-04-22 | CVE-2026-1529: Bypassing Keycloak Org Security | CVE-2026-1529: Bypassing Keycloak Org Security |
| 2026-04-22 | OAUTHBEARER Bypass and Sensitive Logging Leaks Hit Apache Kafka | OAUTHBEARER Bypass and Sensitive Logging Leaks Hit Apache Kafka |
| 2026-04-22 | CVE-2025-26788: Passkey Authentication Bypass in StrongKey FIDO Server | CVE-2025-26788: Passkey Authentication Bypass in StrongKey FIDO Server |
| 2026-04-22 | Analyzing the rise in device code phishing attacks in 2026 | Analyzing the rise in device code phishing attacks in 2026 |
| 2026-04-22 | SAML rough quarter: Five critical vulnerabilities in four months | SAML rough quarter: Five critical vulnerabilities in four months |
| 2026-04-22 | CVE-2024-9956: Critical WebAuthentication Vulnerability in Chrome on Android | CVE-2024-9956: Critical WebAuthentication Vulnerability in Chrome on Android |
| 2026-04-22 | CVE-2026-34457 Detail (OAuth2 Proxy) - NVD | CVE-2026-34457 Detail (OAuth2 Proxy) - NVD |
Secrets +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours | UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours |
| 2026-04-22 | The State of Non-Human Identity Security (CSA Survey Report) | The State of Non-Human Identity Security (CSA Survey Report) |
| 2026-04-22 | Secrets Management in 2026: Vault, AWS Secrets Manager, and Beyond | Secrets Management in 2026: Vault, AWS Secrets Manager, and Beyond |
| 2026-04-22 | GitHub Secret Scanning 2026: New Patterns, Push Protection | GitHub Secret Scanning 2026: New Patterns, Push Protection |
| 2026-04-22 | Top 10 Non-Human Identity Security Tools and Platforms for 2026 | Top 10 Non-Human Identity Security Tools and Platforms for 2026 |
| 2026-04-22 | CVE-2026-5807: HashiCorp Vault DoS via Unauthenticated Root Token Generation | CVE-2026-5807: HashiCorp Vault DoS via Unauthenticated Root Token Generation |
| 2026-04-22 | CVE-2026-3605: HashiCorp Vault KVv2 Metadata Policy Bypass (DoS) | CVE-2026-3605: HashiCorp Vault KVv2 Metadata Policy Bypass (DoS) |
| 2026-04-22 | AI Is Fueling Secrets Sprawl: GitGuardian Reports 81% Surge of AI-Service Leaks | AI Is Fueling Secrets Sprawl: GitGuardian Reports 81% Surge of AI-Service Leaks |
| 2026-04-22 | HCSEC-2026-08: Vault DoS via Unauthenticated Root Token Generation | HCSEC-2026-08: Vault DoS via Unauthenticated Root Token Generation |
| 2026-04-22 | HCSEC-2026-05: Vault KVv2 Metadata Policy Bypass DoS | HCSEC-2026-05: Vault KVv2 Metadata Policy Bypass DoS |
Mobile +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | Root/Jailbreak Detection and SSL Pinning in KMM | Root/Jailbreak Detection and SSL Pinning in KMM |
| 2026-04-22 | Reversing Android Apps: Bypassing Detection Like a Pro | Reversing Android Apps: Bypassing Detection Like a Pro |
| 2026-04-22 | Reverse engineering and modifying Android apps with JADX and Frida | Reverse engineering and modifying Android apps with JADX and Frida |
| 2026-04-22 | Common Vulnerabilities and Exposures Examples in Mobile Apps | Common Vulnerabilities and Exposures Examples in Mobile Apps |
| 2026-04-22 | Bypassing iOS Frida Detection with LLDB and Frida | Bypassing iOS Frida Detection with LLDB and Frida |
| 2026-04-22 | frida-interception-and-unpinning: Scripts to MitM all HTTPS traffic | frida-interception-and-unpinning: Scripts to MitM all HTTPS traffic |
| 2026-04-22 | Android Reports and Resources | Android Reports and Resources |
| 2026-04-22 | iOS Security Testing - OWASP MASTG | iOS Security Testing - OWASP MASTG |
| 2026-04-22 | Android Security Bulletin - March 2026 | Android Security Bulletin - March 2026 |
| 2026-04-22 | Android Security Bulletin - April 2026 | Android Security Bulletin - April 2026 |
AuthZ +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | Rights Management Approaches: ACL, RBAC, ABAC, ReBAC | Rights Management Approaches: ACL, RBAC, ABAC, ReBAC |
| 2026-04-22 | OPA, Cedar, OpenFGA: Why Are Policy Languages Trending Right Now? | OPA, Cedar, OpenFGA: Why Are Policy Languages Trending Right Now? |
| 2026-04-22 | OPA vs OpenFGA: A Technical Comparison of Policy Engines | OPA vs OpenFGA: A Technical Comparison of Policy Engines |
| 2026-04-22 | Implementing Google Zanzibar: A Demonstration of Its Basics | Implementing Google Zanzibar: A Demonstration of Its Basics |
| 2026-04-22 | How to Protect Your API with OpenFGA: ReBAC Concepts to Practical Usage | How to Protect Your API with OpenFGA: ReBAC Concepts to Practical Usage |
| 2026-04-22 | How Google Drive Models Authorization: A Look into Zanzibar | How Google Drive Models Authorization: A Look into Zanzibar |
| 2026-04-22 | Common Bug Bounty Vulnerabilities: A Technical Deep Dive for Hunters in 2026 | Common Bug Bounty Vulnerabilities: A Technical Deep Dive for Hunters in 2026 |
| 2026-04-22 | CVE-2026-32877 - Red Hat Security Advisory | CVE-2026-32877 - Red Hat Security Advisory |
| 2026-04-22 | CVE 2026: When Identity Breaks and Legacy Code Bites Back | CVE 2026: When Identity Breaks and Legacy Code Bites Back |
| 2026-04-22 | What is Google Zanzibar? | What is Google Zanzibar? |
Recon +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | ars0n-framework-v2: Bug Bounty Hunting Framework | ars0n-framework-v2: Bug Bounty Hunting Framework |
| 2026-04-22 | Uncover Hidden Assets with Bug Bounty Recon: Fuzzing and JS Analysis | Uncover Hidden Assets with Bug Bounty Recon: Fuzzing and JS Analysis |
| 2026-04-22 | Subdomain Takeover: Proof Creation for Bug Bounties | Subdomain Takeover: Proof Creation for Bug Bounties |
| 2026-04-22 | Shodan and Censys for beginners: How to find more vulnerabilities | Shodan and Censys for beginners: How to find more vulnerabilities |
| 2026-04-22 | Hunting down subdomain takeover vulnerabilities | Hunting down subdomain takeover vulnerabilities |
| 2026-04-22 | FFuF Fuzzer Guide: Fuzz Faster u Fool for Bug Bounty Hunters | FFuF Fuzzer Guide: Fuzz Faster u Fool for Bug Bounty Hunters |
| 2026-04-22 | Open Source Intelligence Gathering: Techniques, Automation, and Visualization | Open Source Intelligence Gathering: Techniques, Automation, and Visualization |
| 2026-04-22 | OWASP Test for Subdomain Takeover | OWASP Test for Subdomain Takeover |
| 2026-04-22 | Maximizing Security Outcomes: The Role of ASM in Bug Bounty Programs | Maximizing Security Outcomes: The Role of ASM in Bug Bounty Programs |
| 2026-04-22 | Building a Fast One-Shot Recon Script for Bug Bounty | Building a Fast One-Shot Recon Script for Bug Bounty |
OSINT +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | Master Google Dorking: Advanced Techniques for OSINT and Ethical Hacking | Master Google Dorking: Advanced Techniques for OSINT and Ethical Hacking |
| 2026-04-22 | Lessons from Building an Online Toolkit to Aid Open-Source Investigations | Lessons from Building an Online Toolkit to Aid Open-Source Investigations |
| 2026-04-22 | IntelTechniques Books (Michael Bazzell) | IntelTechniques Books (Michael Bazzell) |
| 2026-04-22 | Epieos: The Ultimate OSINT Tool | Epieos: The Ultimate OSINT Tool |
| 2026-04-22 | Bellingcat's Online Investigation Toolkit | Bellingcat's Online Investigation Toolkit |
| 2026-04-22 | Automating Google Dorking: From Manual OSINT Technique to Continuous Monitoring | Automating Google Dorking: From Manual OSINT Technique to Continuous Monitoring |
| 2026-04-22 | mosint: An automated e-mail OSINT tool | mosint: An automated e-mail OSINT tool |
| 2026-04-22 | Telegram-OSINT: In-depth repository of Telegram OSINT resources | Telegram-OSINT: In-depth repository of Telegram OSINT resources |
| 2026-04-22 | Email-Username-OSINT Toolbox | Email-Username-OSINT Toolbox |
| 2026-04-22 | Awesome OSINT for Everything | Awesome OSINT for Everything |
GraphQL +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | CVE-2025-59845: CSRF Vulnerability in Apollo Studio Embeddable Explorer and Sandbox | CVE-2025-59845: CSRF Vulnerability in Apollo Studio Embeddable Explorer and Sandbox |
| 2026-04-22 | CVE-2025-31496: GraphQL Query Vulnerability in Apollo Compiler Leading to DoS | CVE-2025-31496: GraphQL Query Vulnerability in Apollo Compiler Leading to DoS |
| 2026-04-22 | The 16-Hour Window: Catching a GraphQL Authorization Flaw | The 16-Hour Window: Catching a GraphQL Authorization Flaw |
| 2026-04-22 | GraphQLer: Context-Aware GraphQL API Fuzzing Tool | GraphQLer: Context-Aware GraphQL API Fuzzing Tool |
| 2026-04-22 | Exploiting GraphQL Query Depth | Exploiting GraphQL Query Depth |
| 2026-04-22 | Exploiting Broken Authentication Control in GraphQL | Exploiting Broken Authentication Control in GraphQL |
| 2026-04-22 | Didn't Notice Your Rate Limiting: GraphQL Batching Attack | Didn't Notice Your Rate Limiting: GraphQL Batching Attack |
| 2026-04-22 | Avoid GraphQL Denial-of-Service Attacks through Batching and Aliasing | Avoid GraphQL Denial-of-Service Attacks through Batching and Aliasing |
| 2026-04-22 | API Threat Research: GraphQL Authorization Flaws in a FinTech Platform | API Threat Research: GraphQL Authorization Flaws in a FinTech Platform |
| 2026-04-22 | Apollo Router Query Planner Excessive Resource Consumption via Named Fragment Expansion (CVE-2025-32034) | Apollo Router Query Planner Excessive Resource Consumption via Named Fragment Expansion (CVE-2025-32034) |
IDOR +10
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | New Types of Hacking: IDOR Attacks Evolved | New Types of Hacking: IDOR Attacks Evolved |
| 2026-04-22 | Hunting for IDOR and BAC in B2B Apps with Burp Authorize | Hunting for IDOR and BAC in B2B Apps with Burp Authorize |
| 2026-04-22 | IDOR in the Wild: What CVE-2025-13526 Teaches Security Engineers | IDOR in the Wild: What CVE-2025-13526 Teaches Security Engineers |
| 2026-04-22 | CVE-2025-14371: TaxoPress IDOR / Object-Level Authorization Bypass | CVE-2025-14371: TaxoPress IDOR / Object-Level Authorization Bypass |
| 2026-04-22 | IDOR-Scanner: Burp Suite Extension for Automated IDOR Detection | IDOR-Scanner: Burp Suite Extension for Automated IDOR Detection |
| 2026-04-22 | GraphQL IDOR Vulnerabilities: What They Are and How to Fix | GraphQL IDOR Vulnerabilities: What They Are and How to Fix |
| 2026-04-22 | CVE-2025-64431: IDOR in ZITADEL Organization API Allows Cross-Tenant Tampering | CVE-2025-64431: IDOR in ZITADEL Organization API Allows Cross-Tenant Tampering |
| 2026-04-22 | OpenCTI GraphQL IDOR Allows Workspace Content Deletion | OpenCTI GraphQL IDOR Allows Workspace Content Deletion |
| 2026-04-22 | CVE-2025-2271: IDOR Vulnerability Detail | CVE-2025-2271: IDOR Vulnerability Detail |
| 2026-04-22 | CVE-2025-1270: IDOR in h6web by Anapi Group | CVE-2025-1270: IDOR in h6web by Anapi Group |
Burp Suite +9
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | SulphurAPI: Burp Suite extension for automating OWASP API Top 10 detection | SulphurAPI: Burp Suite extension for automating OWASP API Top 10 detection |
| 2026-04-22 | Awesome Burp Extensions 2025 | Awesome Burp Extensions 2025 |
| 2026-04-22 | Top 10 Web Hacking Techniques of 2025: Call for Nominations | Top 10 Web Hacking Techniques of 2025: Call for Nominations |
| 2026-04-22 | The Future of Security Testing: AI-Powered Extensibility in Burp | The Future of Security Testing: AI-Powered Extensibility in Burp |
| 2026-04-22 | Filtering the WebSockets history with scripts | Filtering the WebSockets history with scripts |
| 2026-04-22 | Filtering the HTTP history with scripts (Bambdas) | Filtering the HTTP history with scripts (Bambdas) |
| 2026-04-22 | Developing AI features in Burp extensions | Developing AI features in Burp extensions |
| 2026-04-22 | Burp AI - PortSwigger Documentation | Burp AI - PortSwigger Documentation |
| 2026-04-22 | Bambdas - PortSwigger Documentation | Bambdas - PortSwigger Documentation |
Talks +8
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | DEF CON 33 Talks - YouTube Playlist | DEF CON 33 Talks - YouTube Playlist |
| 2026-04-22 | DEF CON 33 Call Index | DEF CON 33 Call Index |
| 2026-04-22 | Black Hat USA 2025 Briefings Schedule | Black Hat USA 2025 Briefings Schedule |
| 2026-04-22 | Black Hat USA 2025 - YouTube Playlist | Black Hat USA 2025 - YouTube Playlist |
| 2026-04-22 | Black Hat Official YouTube Channel | Black Hat Official YouTube Channel |
| 2026-04-22 | DEF CON 33 AppSec Village | DEF CON 33 AppSec Village |
| 2026-04-22 | DEF CON 33 Aerospace Village Talk Schedule | DEF CON 33 Aerospace Village Talk Schedule |
| 2026-04-22 | About NDC Security 2026 | About NDC Security 2026 |
JWT +7
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | CVE-2026-32597: PyJWT Information Disclosure Vulnerability | CVE-2026-32597: PyJWT Information Disclosure Vulnerability |
| 2026-04-22 | Authlib Critical JWT Forgery (CVE-2026-27962) | Authlib Critical JWT Forgery (CVE-2026-27962) |
| 2026-04-22 | CVE-2026-34950 fast-jwt: Incomplete Fix for CVE-2023-48223 | CVE-2026-34950 fast-jwt: Incomplete Fix for CVE-2023-48223 |
| 2026-04-22 | CVE-2026-22817: JWT Algorithm Confusion in Hono | CVE-2026-22817: JWT Algorithm Confusion in Hono |
| 2026-04-22 | Proof of Concept for CVE-2026-29000 (pac4j-jwt) | Proof of Concept for CVE-2026-29000 (pac4j-jwt) |
| 2026-04-22 | CVE-2026-23993: JWT Authentication Bypass in HarbourJwt via Unknown alg | CVE-2026-23993: JWT Authentication Bypass in HarbourJwt via Unknown alg |
| 2026-04-22 | draft-ietf-oauth-rfc8725bis: JSON Web Token Best Current Practices | draft-ietf-oauth-rfc8725bis: JSON Web Token Best Current Practices |
Deserialization +6
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | picoCTF Super Serial Writeup: PHP Object Injection Explained Clearly | picoCTF Super Serial Writeup: PHP Object Injection Explained Clearly |
| 2026-04-22 | Deep Dive into Fastjson Deserialization Vulnerabilities | Deep Dive into Fastjson Deserialization Vulnerabilities |
| 2026-04-22 | CVE-2025-24813 PoC: Apache Tomcat Java Deserialization | CVE-2025-24813 PoC: Apache Tomcat Java Deserialization |
| 2026-04-22 | WSUS Deserialization Exploit in the Wild (CVE-2025-59287) | WSUS Deserialization Exploit in the Wild (CVE-2025-59287) |
| 2026-04-22 | Precise and Effective Gadget Chain Mining through Deserialization-Guided Call Graph Construction (USENIX Security 2025) | Precise and Effective Gadget Chain Mining through Deserialization-Guided Call Graph Construction (USENIX Security 2025) |
| 2026-04-22 | Gleipner: A Benchmark for Gadget Chain Detection in Java Deserialization Vulnerabilities | Gleipner: A Benchmark for Gadget Chain Detection in Java Deserialization Vulnerabilities |
CSRF +6
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | CVE-2025-12821: WordPress NewsBlogger CSRF Allowing RCE | CVE-2025-12821: WordPress NewsBlogger CSRF Allowing RCE |
| 2026-04-22 | Manipulating User Email: A CSRF PoC From TCM Academy | Manipulating User Email: A CSRF PoC From TCM Academy |
| 2026-04-22 | Bypassing CSRF Token Validation Techniques | Bypassing CSRF Token Validation Techniques |
| 2026-04-22 | CVE-2026-40925: CSRF in WWBN AVideo Configuration Endpoint | CVE-2026-40925: CSRF in WWBN AVideo Configuration Endpoint |
| 2026-04-22 | CSRF in 2025: Not Dead, Just Different | CSRF in 2025: Not Dead, Just Different |
| 2026-04-22 | Internet Bug Bounty: Argo CD CSRF leads to Kubernetes cluster compromise | Program: Internet Bug Bounty; Severity: high; Weakness: Cross-Site Request Forgery (CSRF); GHSA: https://github.com/argoproj/argo-cd/security/advisories/GHSA-92mw-q256-5vwg. It's been publicly known for... |
XXE +6
| Date | Resource | Summary |
|---|---|---|
| 2026-04-22 | GeoServer 2025 XXE Vulnerability (CVE-2025-58360) Explained | GeoServer 2025 XXE Vulnerability (CVE-2025-58360) Explained |
| 2026-04-22 | Critical Apache Tika Vulnerability Leads to XXE Injection | Critical Apache Tika Vulnerability Leads to XXE Injection |
| 2026-04-22 | CVE-2025-30220: GeoServer WFS Service XML External Entity | CVE-2025-30220: GeoServer WFS Service XML External Entity |
| 2026-04-22 | CVE-2025-27136: LocalS3 CreateBucketConfiguration XXE Injection | CVE-2025-27136: LocalS3 CreateBucketConfiguration XXE Injection |
| 2026-04-22 | CVE-2024-30043: Exploiting XXE on SharePoint via Confused URL Parsing (PoC) | CVE-2024-30043: Exploiting XXE on SharePoint via Confused URL Parsing (PoC) |
| 2026-04-22 | CVE-2025-66516: Detecting and Defending Against Apache Tika XXE | CVE-2025-66516: Detecting and Defending Against Apache Tika XXE |