Recently Added
The most recent resources added to appsec.fyi, across all topics. Subscribe to the RSS feed to stay updated.
| Date | Topic | Link | Excerpt |
|---|---|---|---|
| 2026-04-23 | SSRF | CVE-2026-33626: A critical SSRF in LMDeploy exploited in under 13 hours (securityonline.info/cve-2026-33626) | CVE-2026-33626: A critical SSRF in LMDeploy exploited in under 13 hours. Learn how attackers hijack AI nodes and how to secure your inference cloud now. #CVE202633626 #SSRF #AISecurity #LMDeploy #Info... |
| 2026-04-22 | SSRF | Critical Spring Authorization Server Issue Exposes Systems to XSS and SSRF Attacks | Critical Spring Authorization Server Issue Exposes Systems to XSS and SSRF Attacks https://ift.tt/y4laiIW |
| 2026-04-22 | SSRF | Critical Spring Authorization Server Flaw Enables XSS Privilege Escalation and SSRF | Critical Spring Authorization Server Flaw Enables XSS, Privilege Escalation, and SSRF https://ift.tt/b2pauUc |
| 2026-04-22 | SSTI | SSTI in Bug Bounty: Playing with Handlebars and Breaking Stuff | SSTI in Bug Bounty: Playing with Handlebars and Breaking Stuff |
| 2026-04-22 | SSTI | SSTI: Explanation, Discovery, Exploitation, and Prevention | SSTI: Explanation, Discovery, Exploitation, and Prevention |
| 2026-04-22 | SSTI | SSTI: Breaking Out of Templates | SSTI: Breaking Out of Templates |
| 2026-04-22 | SSTI | Metasploit Module: Tactical RMM Jinja2 SSTI RCE (CVE-2025-69516) | Metasploit Module: Tactical RMM Jinja2 SSTI RCE (CVE-2025-69516) |
| 2026-04-22 | SSTI | Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE | Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE |
| 2026-04-22 | SSTI | CVE-2026-33154: Dynaconf RCE via Insecure Jinja Template Evaluation | CVE-2026-33154: Dynaconf RCE via Insecure Jinja Template Evaluation |
| 2026-04-22 | SSTI | Grav CMS: Security Sandbox Bypass with SSTI | Grav CMS: Security Sandbox Bypass with SSTI |
| 2026-04-22 | SSTI | Grav CMS: RCE via SSTI through Twig Sandbox Bypass | Grav CMS: RCE via SSTI through Twig Sandbox Bypass |
| 2026-04-22 | SSTI | CVE-2026-27641: Flask-Reuploaded Path Traversal Enabling SSTI RCE | CVE-2026-27641: Flask-Reuploaded Path Traversal Enabling SSTI RCE |
| 2026-04-22 | SSTI | A Survey of the Overlooked Dangers of Template Engines (arXiv 2024) | A Survey of the Overlooked Dangers of Template Engines (arXiv 2024) |
| 2026-04-22 | JWT | CVE-2026-32597: PyJWT Information Disclosure Vulnerability | CVE-2026-32597: PyJWT Information Disclosure Vulnerability |
| 2026-04-22 | JWT | Authlib Critical JWT Forgery (CVE-2026-27962) | Authlib Critical JWT Forgery (CVE-2026-27962) |
| 2026-04-22 | JWT | JSON Web Tokens in 2026: The Complete Developer Guide | JSON Web Tokens in 2026: The Complete Developer Guide |
| 2026-04-22 | JWT | Understanding JSON Web Tokens: Complete Guide for Developers | Understanding JSON Web Tokens: Complete Guide for Developers |
| 2026-04-22 | JWT | CVE-2026-34950 fast-jwt: Incomplete Fix for CVE-2023-48223 | CVE-2026-34950 fast-jwt: Incomplete Fix for CVE-2023-48223 |
| 2026-04-22 | JWT | CVE-2026-22817: JWT Algorithm Confusion in Hono | CVE-2026-22817: JWT Algorithm Confusion in Hono |
| 2026-04-22 | JWT | Proof of Concept for CVE-2026-29000 (pac4j-jwt) | Proof of Concept for CVE-2026-29000 (pac4j-jwt) |
| 2026-04-22 | JWT | CVE-2026-23993: JWT Authentication Bypass in HarbourJwt via Unknown alg | CVE-2026-23993: JWT Authentication Bypass in HarbourJwt via Unknown alg |
| 2026-04-22 | JWT | draft-ietf-oauth-rfc8725bis: JSON Web Token Best Current Practices | draft-ietf-oauth-rfc8725bis: JSON Web Token Best Current Practices |
| 2026-04-22 | JWT | WakaTime: Session Replay Attack Allows Authentication Bypass via Captured Login Responses Allowing Bypass of 429 Too many attempts for Multiple Failed Logins | Program: WakaTime Severity: high Weakness: Improper Authentication - Generic #Summary An attacker can bypass authentication by capturing a valid login response (including session cookies/tokens) and ... |
| 2026-04-22 | Authentication | OAuth2 Proxy Authentication Bypass via X-Forwarded-Uri (CVE-2026-40575) | OAuth2 Proxy Authentication Bypass via X-Forwarded-Uri (CVE-2026-40575) |
| 2026-04-22 | Authentication | Keycloak SAML Disabled Client SSO Bypass (CVE-2026-3047) | Keycloak SAML Disabled Client SSO Bypass (CVE-2026-3047) |
| 2026-04-22 | Authentication | CVE-2026-2092: Keycloak Auth Bypass Vulnerability | CVE-2026-2092: Keycloak Auth Bypass Vulnerability |
| 2026-04-22 | Authentication | CVE-2026-1529: Bypassing Keycloak Org Security | CVE-2026-1529: Bypassing Keycloak Org Security |
| 2026-04-22 | Authentication | OAUTHBEARER Bypass and Sensitive Logging Leaks Hit Apache Kafka | OAUTHBEARER Bypass and Sensitive Logging Leaks Hit Apache Kafka |
| 2026-04-22 | Authentication | CVE-2025-26788: Passkey Authentication Bypass in StrongKey FIDO Server | CVE-2025-26788: Passkey Authentication Bypass in StrongKey FIDO Server |
| 2026-04-22 | Authentication | Analyzing the rise in device code phishing attacks in 2026 | Analyzing the rise in device code phishing attacks in 2026 |
| 2026-04-22 | Authentication | SAML rough quarter: Five critical vulnerabilities in four months | SAML rough quarter: Five critical vulnerabilities in four months |
| 2026-04-22 | Authentication | CVE-2024-9956: Critical WebAuthentication Vulnerability in Chrome on Android | CVE-2024-9956: Critical WebAuthentication Vulnerability in Chrome on Android |
| 2026-04-22 | Authentication | CVE-2026-34457 Detail (OAuth2 Proxy) - NVD | CVE-2026-34457 Detail (OAuth2 Proxy) - NVD |
| 2026-04-22 | Deserialization | picoCTF Super Serial Writeup: PHP Object Injection Explained Clearly | picoCTF Super Serial Writeup: PHP Object Injection Explained Clearly |
| 2026-04-22 | Deserialization | Deep Dive into Fastjson Deserialization Vulnerabilities | Deep Dive into Fastjson Deserialization Vulnerabilities |
| 2026-04-22 | Deserialization | CVE-2025-24813 PoC: Apache Tomcat Java Deserialization | CVE-2025-24813 PoC: Apache Tomcat Java Deserialization |
| 2026-04-22 | Deserialization | WSUS Deserialization Exploit in the Wild (CVE-2025-59287) | WSUS Deserialization Exploit in the Wild (CVE-2025-59287) |
| 2026-04-22 | Deserialization | Precise and Effective Gadget Chain Mining through Deserialization-Guided Call Graph Construction (USENIX Security 2025) | Precise and Effective Gadget Chain Mining through Deserialization-Guided Call Graph Construction (USENIX Security 2025) |
| 2026-04-22 | Deserialization | Gleipner: A Benchmark for Gadget Chain Detection in Java Deserialization Vulnerabilities | Gleipner: A Benchmark for Gadget Chain Detection in Java Deserialization Vulnerabilities |
| 2026-04-22 | Secrets | UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours | UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours |
| 2026-04-22 | Secrets | The State of Non-Human Identity Security (CSA Survey Report) | The State of Non-Human Identity Security (CSA Survey Report) |
| 2026-04-22 | Secrets | Secrets Management in 2026: Vault, AWS Secrets Manager, and Beyond | Secrets Management in 2026: Vault, AWS Secrets Manager, and Beyond |
| 2026-04-22 | Secrets | GitHub Secret Scanning 2026: New Patterns, Push Protection | GitHub Secret Scanning 2026: New Patterns, Push Protection |
| 2026-04-22 | Secrets | Top 10 Non-Human Identity Security Tools and Platforms for 2026 | Top 10 Non-Human Identity Security Tools and Platforms for 2026 |
| 2026-04-22 | Secrets | CVE-2026-5807: HashiCorp Vault DoS via Unauthenticated Root Token Generation | CVE-2026-5807: HashiCorp Vault DoS via Unauthenticated Root Token Generation |
| 2026-04-22 | Secrets | CVE-2026-3605: HashiCorp Vault KVv2 Metadata Policy Bypass (DoS) | CVE-2026-3605: HashiCorp Vault KVv2 Metadata Policy Bypass (DoS) |
| 2026-04-22 | Secrets | AI Is Fueling Secrets Sprawl: GitGuardian Reports 81% Surge of AI-Service Leaks | AI Is Fueling Secrets Sprawl: GitGuardian Reports 81% Surge of AI-Service Leaks |
| 2026-04-22 | Secrets | HCSEC-2026-08: Vault DoS via Unauthenticated Root Token Generation | HCSEC-2026-08: Vault DoS via Unauthenticated Root Token Generation |
| 2026-04-22 | Secrets | HCSEC-2026-05: Vault KVv2 Metadata Policy Bypass DoS | HCSEC-2026-05: Vault KVv2 Metadata Policy Bypass DoS |
| 2026-04-22 | Supply Chain | Axios npm Supply Chain Attack: 83M Downloads Hit | Axios npm Supply Chain Attack: 83M Downloads Hit |
| 2026-04-22 | Supply Chain | Axios npm Hijack 2026: Everything You Need to Know | Axios npm Hijack 2026: Everything You Need to Know |
| 2026-04-22 | Supply Chain | TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files | TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files |
| 2026-04-22 | Supply Chain | litellm: Credential Stealer Hidden in PyPI Wheel | litellm: Credential Stealer Hidden in PyPI Wheel |
| 2026-04-22 | Supply Chain | What's Coming to Our GitHub Actions 2026 Security Roadmap | What's Coming to Our GitHub Actions 2026 Security Roadmap |
| 2026-04-22 | Supply Chain | Shai-Hulud npm Supply Chain Attack: New Compromised Packages Detected | Shai-Hulud npm Supply Chain Attack: New Compromised Packages Detected |
| 2026-04-22 | Supply Chain | LiteLLM and Telnyx Compromised on PyPI: Tracing the TeamPCP Supply Chain Campaign | LiteLLM and Telnyx Compromised on PyPI: Tracing the TeamPCP Supply Chain Campaign |
| 2026-04-22 | Supply Chain | Keeping Your GitHub Actions Secure Part 1: Preventing Pwn Requests | Keeping Your GitHub Actions Secure Part 1: Preventing Pwn Requests |
| 2026-04-22 | Supply Chain | GitHub Actions Security Pt 1: Attacks & Defenses (Wiz) | GitHub Actions Security Pt 1: Attacks & Defenses (Wiz) |
| 2026-04-22 | Mobile | Root/Jailbreak Detection and SSL Pinning in KMM | Root/Jailbreak Detection and SSL Pinning in KMM |
| 2026-04-22 | Mobile | Reversing Android Apps: Bypassing Detection Like a Pro | Reversing Android Apps: Bypassing Detection Like a Pro |
| 2026-04-22 | Mobile | Reverse engineering and modifying Android apps with JADX and Frida | Reverse engineering and modifying Android apps with JADX and Frida |
| 2026-04-22 | Mobile | Common Vulnerabilities and Exposures Examples in Mobile Apps | Common Vulnerabilities and Exposures Examples in Mobile Apps |
| 2026-04-22 | Mobile | Bypassing iOS Frida Detection with LLDB and Frida | Bypassing iOS Frida Detection with LLDB and Frida |
| 2026-04-22 | Mobile | frida-interception-and-unpinning: Scripts to MitM all HTTPS traffic | frida-interception-and-unpinning: Scripts to MitM all HTTPS traffic |
| 2026-04-22 | Mobile | Android Reports and Resources | Android Reports and Resources |
| 2026-04-22 | Mobile | iOS Security Testing - OWASP MASTG | iOS Security Testing - OWASP MASTG |
| 2026-04-22 | Mobile | Android Security Bulletin - March 2026 | Android Security Bulletin - March 2026 |
| 2026-04-22 | Mobile | Android Security Bulletin - April 2026 | Android Security Bulletin - April 2026 |
| 2026-04-22 | API Security | A Deep Dive on the Most Critical API Vulnerability: BOLA | A Deep Dive on the Most Critical API Vulnerability: BOLA |
| 2026-04-22 | API Security | What Is Broken Object Property Level Authorization? | What Is Broken Object Property Level Authorization? |
| 2026-04-22 | API Security | What Is Broken Object Level Authorization? | What Is Broken Object Level Authorization? |
| 2026-04-22 | API Security | This Is How I Hacked an API Using Mass Assignment Vulnerability | This Is How I Hacked an API Using Mass Assignment Vulnerability |
| 2026-04-22 | API Security | CVE-2026-34839: CORS Vulnerability in Glances REST API | CVE-2026-34839: CORS Vulnerability in Glances REST API |
| 2026-04-22 | API Security | API ThreatStats Report 2026 | API ThreatStats Report 2026 |
| 2026-04-22 | API Security | VAmPI: Vulnerable REST API with OWASP Top 10 Vulnerabilities | VAmPI: Vulnerable REST API with OWASP Top 10 Vulnerabilities |
| 2026-04-22 | API Security | API4:2023 Unrestricted Resource Consumption | API4:2023 Unrestricted Resource Consumption |
| 2026-04-22 | API Security | 1H 2026 State of AI and API Security Report (Salt) | 1H 2026 State of AI and API Security Report (Salt) |
| 2026-04-22 | API Security | PortSwigger Lab: Exploiting a Mass Assignment Vulnerability | PortSwigger Lab: Exploiting a Mass Assignment Vulnerability |
| 2026-04-22 | AuthZ | Rights Management Approaches: ACL, RBAC, ABAC, ReBAC | Rights Management Approaches: ACL, RBAC, ABAC, ReBAC |
| 2026-04-22 | AuthZ | OPA, Cedar, OpenFGA: Why Are Policy Languages Trending Right Now? | OPA, Cedar, OpenFGA: Why Are Policy Languages Trending Right Now? |
| 2026-04-22 | AuthZ | OPA vs OpenFGA: A Technical Comparison of Policy Engines | OPA vs OpenFGA: A Technical Comparison of Policy Engines |
| 2026-04-22 | AuthZ | Implementing Google Zanzibar: A Demonstration of Its Basics | Implementing Google Zanzibar: A Demonstration of Its Basics |
| 2026-04-22 | AuthZ | How to Protect Your API with OpenFGA: ReBAC Concepts to Practical Usage | How to Protect Your API with OpenFGA: ReBAC Concepts to Practical Usage |
| 2026-04-22 | AuthZ | How Google Drive Models Authorization: A Look into Zanzibar | How Google Drive Models Authorization: A Look into Zanzibar |
| 2026-04-22 | AuthZ | Common Bug Bounty Vulnerabilities: A Technical Deep Dive for Hunters in 2026 | Common Bug Bounty Vulnerabilities: A Technical Deep Dive for Hunters in 2026 |
| 2026-04-22 | AuthZ | CVE-2026-32877 - Red Hat Security Advisory | CVE-2026-32877 - Red Hat Security Advisory |
| 2026-04-22 | AuthZ | CVE 2026: When Identity Breaks and Legacy Code Bites Back | CVE 2026: When Identity Breaks and Legacy Code Bites Back |
| 2026-04-22 | AuthZ | What is Google Zanzibar? | What is Google Zanzibar? |
| 2026-04-22 | AI | You're Simulating the Wrong Attacker: Who Matters in AI Red Teaming | You're Simulating the Wrong Attacker: Who Matters in AI Red Teaming |
| 2026-04-22 | AI | DeepTeam: Open-Source Framework to Red Team LLMs and LLM Systems | DeepTeam: Open-Source Framework to Red Team LLMs and LLM Systems |
| 2026-04-22 | AI | Claude Jailbreaking in 2026: What Repello's Red Teaming Data Shows | Claude Jailbreaking in 2026: What Repello's Red Teaming Data Shows |
| 2026-04-22 | AI | AI-Infra-Guard: Full-Stack AI Red Teaming Platform | AI-Infra-Guard: Full-Stack AI Red Teaming Platform |
| 2026-04-22 | AI | AI Red Teaming Playground Labs (Microsoft) | AI Red Teaming Playground Labs (Microsoft) |
| 2026-04-22 | AI | HackerOne: LLM01: Invisible Prompt Injection | Program: HackerOne Severity: medium Weakness: LLM01: Prompt Injection ## Description Hey team, Hai is vulnerable to invisible prompt injection via Unicode tag characters. ## Reproduction steps 1. ... |
| 2026-04-22 | AI | When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins | When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins |
| 2026-04-22 | AI | Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis | Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis |
| 2026-04-22 | AI | Prompt Injection 2.0: Hybrid AI Threats | Prompt Injection 2.0: Hybrid AI Threats |
| 2026-04-22 | AI | Architecting Secure AI Agents: System-Level Defenses Against Indirect Prompt Injection | Architecting Secure AI Agents: System-Level Defenses Against Indirect Prompt Injection |
| 2026-04-22 | Fuzzing | Jazzer: Coverage-guided, in-process fuzzing for the JVM | Jazzer: Coverage-guided, in-process fuzzing for the JVM |
| 2026-04-22 | Fuzzing | Fuzzing 100+ open source projects with OSS-Fuzz - lessons learned | Fuzzing 100+ open source projects with OSS-Fuzz - lessons learned |
| 2026-04-22 | Fuzzing | Large Language Model guided Protocol Fuzzing (NDSS) | Large Language Model guided Protocol Fuzzing (NDSS) |
| 2026-04-22 | Fuzzing | Detect Go's silent arithmetic bugs with go-panikint | Detect Go's silent arithmetic bugs with go-panikint |
| 2026-04-22 | Fuzzing | Denial of Fuzzing: Rust in the Windows kernel | Denial of Fuzzing: Rust in the Windows kernel |
| 2026-04-22 | Fuzzing | Bringing Fuzz Testing to Kotlin with kotlinx.fuzz | Bringing Fuzz Testing to Kotlin with kotlinx.fuzz |
| 2026-04-22 | Fuzzing | Advanced binary fuzzing using AFL++-QEMU and libprotobuf | Advanced binary fuzzing using AFL++-QEMU and libprotobuf |
| 2026-04-22 | Fuzzing | deepSURF: Detecting Memory Safety Vulnerabilities in Rust Through Fuzzing LLM-Augmented Harnesses | deepSURF: Detecting Memory Safety Vulnerabilities in Rust Through Fuzzing LLM-Augmented Harnesses |
| 2026-04-22 | Fuzzing | Fixing Security Vulnerabilities with AI in OSS-Fuzz | Fixing Security Vulnerabilities with AI in OSS-Fuzz |
| 2026-04-22 | Fuzzing | A Survey of Network Protocol Fuzzing: Model, Techniques and Directions | A Survey of Network Protocol Fuzzing: Model, Techniques and Directions |
| 2026-04-22 | Recon | ars0n-framework-v2: Bug Bounty Hunting Framework | ars0n-framework-v2: Bug Bounty Hunting Framework |
| 2026-04-22 | Recon | Uncover Hidden Assets with Bug Bounty Recon: Fuzzing and JS Analysis | Uncover Hidden Assets with Bug Bounty Recon: Fuzzing and JS Analysis |
| 2026-04-22 | Recon | Subdomain Takeover: Proof Creation for Bug Bounties | Subdomain Takeover: Proof Creation for Bug Bounties |
| 2026-04-22 | Recon | Shodan and Censys for beginners: How to find more vulnerabilities | Shodan and Censys for beginners: How to find more vulnerabilities |
| 2026-04-22 | Recon | Hunting down subdomain takeover vulnerabilities | Hunting down subdomain takeover vulnerabilities |
| 2026-04-22 | Recon | FFuF Fuzzer Guide: Fuzz Faster u Fool for Bug Bounty Hunters | FFuF Fuzzer Guide: Fuzz Faster u Fool for Bug Bounty Hunters |
| 2026-04-22 | Recon | Open Source Intelligence Gathering: Techniques, Automation, and Visualization | Open Source Intelligence Gathering: Techniques, Automation, and Visualization |
| 2026-04-22 | Recon | OWASP Test for Subdomain Takeover | OWASP Test for Subdomain Takeover |
| 2026-04-22 | Recon | Maximizing Security Outcomes: The Role of ASM in Bug Bounty Programs | Maximizing Security Outcomes: The Role of ASM in Bug Bounty Programs |
| 2026-04-22 | Recon | Building a Fast One-Shot Recon Script for Bug Bounty | Building a Fast One-Shot Recon Script for Bug Bounty |
| 2026-04-22 | Talks | DEF CON 33 Talks - YouTube Playlist | DEF CON 33 Talks - YouTube Playlist |
| 2026-04-22 | Talks | DEF CON 33 Call Index | DEF CON 33 Call Index |
| 2026-04-22 | Talks | Black Hat USA 2025 Briefings Schedule | Black Hat USA 2025 Briefings Schedule |
| 2026-04-22 | Talks | Black Hat USA 2025 - YouTube Playlist | Black Hat USA 2025 - YouTube Playlist |
| 2026-04-22 | Talks | Black Hat Official YouTube Channel | Black Hat Official YouTube Channel |
| 2026-04-22 | Talks | DEF CON 33 AppSec Village | DEF CON 33 AppSec Village |
| 2026-04-22 | Talks | DEF CON 33 Aerospace Village Talk Schedule | DEF CON 33 Aerospace Village Talk Schedule |
| 2026-04-22 | Talks | About NDC Security 2026 | About NDC Security 2026 |
| 2026-04-22 | Talks | USENIX Security '26 Call for Papers | USENIX Security '26 Call for Papers |
| 2026-04-22 | Talks | USENIX Security '26 Symposium | USENIX Security '26 Symposium |
| 2026-04-22 | Bug Bounty | The Unofficial HackerOne Disclosure Timeline | The Unofficial HackerOne Disclosure Timeline |
| 2026-04-22 | Bug Bounty | Publicly Disclosed HackerOne Bug Bounty Findings | Publicly Disclosed HackerOne Bug Bounty Findings |
| 2026-04-22 | Bug Bounty | GraphQL - PortSwigger Lab Writeup | GraphQL - PortSwigger Lab Writeup |
| 2026-04-22 | Bug Bounty | BugBoard: Searchable Bug Bounty Writeups | BugBoard: Searchable Bug Bounty Writeups |
| 2026-04-22 | Bug Bounty | AI Vulnerability Deep Dive: Prompt Injection (Bugcrowd) | AI Vulnerability Deep Dive: Prompt Injection (Bugcrowd) |
| 2026-04-22 | Bug Bounty | A Guide to the Hidden Threat of Prompt Injection (Bugcrowd) | A Guide to the Hidden Threat of Prompt Injection (Bugcrowd) |
| 2026-04-22 | Bug Bounty | Writeups for Hack The Box Bug Bounty CTF 2025 | Writeups for Hack The Box Bug Bounty CTF 2025 |
| 2026-04-22 | Bug Bounty | Bug-Bounty-Methodology: JWT and Other Vulnerability Classes | Bug-Bounty-Methodology: JWT and Other Vulnerability Classes |
| 2026-04-22 | Bug Bounty | Bug Bounty Writeups: Available Programs and Writeups | Bug Bounty Writeups: Available Programs and Writeups |
| 2026-04-22 | Bug Bounty | Awesome Google VRP Writeups | Awesome Google VRP Writeups |
| 2026-04-22 | RCE | Critical SGLang Flaw (CVE-2026-5760) Enables RCE via Malicious AI Models | Critical SGLang Flaw (CVE-2026-5760) Enables RCE via Malicious AI Models |
| 2026-04-22 | RCE | CVE-2025-68454: Craft CMS Twig SSTI RCE Vulnerability | CVE-2025-68454: Craft CMS Twig SSTI RCE Vulnerability |
| 2026-04-22 | RCE | 15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652) | 15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652) |
| 2026-04-22 | RCE | React2Shell (CVE-2025-55182): RSC Flight Decoder Remote Code Execution | React2Shell (CVE-2025-55182): RSC Flight Decoder Remote Code Execution |
| 2026-04-22 | RCE | Ivanti EPMM: Another Pre-Auth RCE (CVE-2026-1281 and CVE-2026-1340) | Ivanti EPMM: Another Pre-Auth RCE (CVE-2026-1281 and CVE-2026-1340) |
| 2026-04-22 | RCE | CVE-2025-57738: Apache Syncope Groovy Injection RCE | CVE-2025-57738: Apache Syncope Groovy Injection RCE |
| 2026-04-22 | RCE | Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain | Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain |
| 2026-04-22 | RCE | Critical RCE Vulnerability in Anthropic MCP Inspector (CVE-2025-49596) | Critical RCE Vulnerability in Anthropic MCP Inspector (CVE-2025-49596) |
| 2026-04-22 | RCE | CVE-2025-24893: XWiki SSTI Unauthenticated RCE Exploit | CVE-2025-24893: XWiki SSTI Unauthenticated RCE Exploit |
| 2026-04-22 | RCE | CVE-2026-34197: ActiveMQ RCE via Jolokia API | CVE-2026-34197: ActiveMQ RCE via Jolokia API |
| 2026-04-22 | CSRF | CVE-2025-12821: WordPress NewsBlogger CSRF Allowing RCE | CVE-2025-12821: WordPress NewsBlogger CSRF Allowing RCE |
| 2026-04-22 | CSRF | Manipulating User Email: A CSRF PoC From TCM Academy | Manipulating User Email: A CSRF PoC From TCM Academy |
| 2026-04-22 | CSRF | Bypassing CSRF Token Validation Techniques | Bypassing CSRF Token Validation Techniques |
| 2026-04-22 | CSRF | TZCERT Advisory: Critical WordPress Account Takeover (CVE-2025-3746) | TZCERT Advisory: Critical WordPress Account Takeover (CVE-2025-3746) |
| 2026-04-22 | CSRF | CVE-2026-40925: CSRF in WWBN AVideo Configuration Endpoint | CVE-2026-40925: CSRF in WWBN AVideo Configuration Endpoint |
| 2026-04-22 | CSRF | CSRF in 2025: Not Dead, Just Different | CSRF in 2025: Not Dead, Just Different |
| 2026-04-22 | CSRF | Lab: SameSite Strict Bypass via Client-Side Redirect | Lab: SameSite Strict Bypass via Client-Side Redirect |
| 2026-04-22 | CSRF | Internet Bug Bounty: Argo CD CSRF leads to Kubernetes cluster compromise | Program: Internet Bug Bounty Severity: high Weakness: Cross-Site Request Forgery (CSRF) GHSA: https://github.com/argoproj/argo-cd/security/advisories/GHSA-92mw-q256-5vwg It's been publicly known for... |
| 2026-04-22 | Burp Suite | SulphurAPI: Burp Suite extension for automating OWASP API Top 10 detection | SulphurAPI: Burp Suite extension for automating OWASP API Top 10 detection |
| 2026-04-22 | Burp Suite | Awesome Burp Extensions 2025 | Awesome Burp Extensions 2025 |
| 2026-04-22 | Burp Suite | Top 10 Web Hacking Techniques of 2025: Call for Nominations | Top 10 Web Hacking Techniques of 2025: Call for Nominations |
| 2026-04-22 | Burp Suite | The future of Bambdas | The future of Bambdas |
| 2026-04-22 | Burp Suite | The Future of Security Testing: AI-Powered Extensibility in Burp | The Future of Security Testing: AI-Powered Extensibility in Burp |
| 2026-04-22 | Burp Suite | Filtering the WebSockets history with scripts | Filtering the WebSockets history with scripts |
| 2026-04-22 | Burp Suite | Filtering the HTTP history with scripts (Bambdas) | Filtering the HTTP history with scripts (Bambdas) |
| 2026-04-22 | Burp Suite | Developing AI features in Burp extensions | Developing AI features in Burp extensions |
| 2026-04-22 | Burp Suite | Burp AI - PortSwigger Documentation | Burp AI - PortSwigger Documentation |
| 2026-04-22 | Burp Suite | Bambdas - PortSwigger Documentation | Bambdas - PortSwigger Documentation |
| 2026-04-22 | Python | CVE-2025-68664: Critical LangChain Flaw Enables Secret Extraction | CVE-2025-68664: Critical LangChain Flaw Enables Secret Extraction |
| 2026-04-22 | Python | Bandit Python: Free SAST in 10 Seconds (2026 Review) | Bandit Python: Free SAST in 10 Seconds (2026 Review) |
| 2026-04-22 | Python | CVE-2026-22607: Fickling Python RCE Vulnerability | CVE-2026-22607: Fickling Python RCE Vulnerability |
| 2026-04-22 | Python | CVE-2026-21226: Azure Core Python Library RCE Vulnerability | CVE-2026-21226: Azure Core Python Library RCE Vulnerability |
| 2026-04-22 | Python | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files |
| 2026-04-22 | Python | Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure | Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure |
| 2026-04-22 | Python | Critical SQL Injection Vulnerability in Django (CVE-2025-64459) | Critical SQL Injection Vulnerability in Django (CVE-2025-64459) |
| 2026-04-22 | Python | CERT-FR Warns of Python/CPython RCE Vulnerabilities (CVE-2026-4786, CVE-2026-6100) | CERT-FR Warns of Python/CPython RCE Vulnerabilities (CVE-2026-4786, CVE-2026-6100) |
| 2026-04-22 | Python | Malicious PyPI Packages Deliver SilentSync RAT | Malicious PyPI Packages Deliver SilentSync RAT |
| 2026-04-22 | Python | Bearer: SAST Tool to Discover, Filter, and Prioritize Security and Privacy Risks | Bearer: SAST Tool to Discover, Filter, and Prioritize Security and Privacy Risks |
| 2026-04-22 | OSINT | Master Google Dorking: Advanced Techniques for OSINT and Ethical Hacking | Master Google Dorking: Advanced Techniques for OSINT and Ethical Hacking |
| 2026-04-22 | OSINT | Lessons from Building an Online Toolkit to Aid Open-Source Investigations | Lessons from Building an Online Toolkit to Aid Open-Source Investigations |
| 2026-04-22 | OSINT | IntelTechniques Books (Michael Bazzell) | IntelTechniques Books (Michael Bazzell) |
| 2026-04-22 | OSINT | Epieos: The Ultimate OSINT Tool | Epieos: The Ultimate OSINT Tool |
| 2026-04-22 | OSINT | Bellingcat's Online Investigation Toolkit | Bellingcat's Online Investigation Toolkit |
| 2026-04-22 | OSINT | Automating Google Dorking: From Manual OSINT Technique to Continuous Monitoring | Automating Google Dorking: From Manual OSINT Technique to Continuous Monitoring |
| 2026-04-22 | OSINT | mosint: An automated e-mail OSINT tool | mosint: An automated e-mail OSINT tool |
| 2026-04-22 | OSINT | Telegram-OSINT: In-depth repository of Telegram OSINT resources | Telegram-OSINT: In-depth repository of Telegram OSINT resources |
| 2026-04-22 | OSINT | Email-Username-OSINT Toolbox | Email-Username-OSINT Toolbox |
| 2026-04-22 | OSINT | Awesome OSINT for Everything | Awesome OSINT for Everything |
| 2026-04-22 | SQLi | CVE-2025-1094: PostgreSQL SQL Injection Vulnerability | CVE-2025-1094: PostgreSQL SQL Injection Vulnerability |
| 2026-04-22 | SQLi | A Pentester's Guide to NoSQL Injection | A Pentester's Guide to NoSQL Injection |
| 2026-04-22 | SQLi | SQLMap Tamper Collection: Modern WAF Bypass Scripts (Cloudflare, AWS, Azure) | SQLMap Tamper Collection: Modern WAF Bypass Scripts (Cloudflare, AWS, Azure) |
| 2026-04-22 | SQLi | SQL Injection and Postgres: An Adventure to Eventual RCE | SQL Injection and Postgres: An Adventure to Eventual RCE |
| 2026-04-22 | SQLi | Pentesting PostgreSQL with SQL Injections | Pentesting PostgreSQL with SQL Injections |
| 2026-04-22 | SQLi | NoSQL Injection: Advanced Exploitation Guide | NoSQL Injection: Advanced Exploitation Guide |
| 2026-04-22 | SQLi | Exploits Explained: NoSQL Injection Returns Private Information | Exploits Explained: NoSQL Injection Returns Private Information |
| 2026-04-22 | SQLi | CVE-2025-52694 PoC: Critical SQL Injection in Advantech IoTSuite/SaaS-Composer | CVE-2025-52694 PoC: Critical SQL Injection in Advantech IoTSuite/SaaS-Composer |
| 2026-04-22 | SQLi | MCP Vulnerability Case Study: SQL Injection in the Postgres MCP Server | MCP Vulnerability Case Study: SQL Injection in the Postgres MCP Server |
| 2026-04-22 | SQLi | BWAFSQLi: Bypassing Web Application Firewall with Adversarial SQL Injections | BWAFSQLi: Bypassing Web Application Firewall with Adversarial SQL Injections |
| 2026-04-22 | SSRF | LibreChat SSRF Bypass via IPv6 Mapped Address Confusion | LibreChat SSRF Bypass via IPv6 Mapped Address Confusion |
| 2026-04-22 | SSRF | SSRF Vulnerability: Bypassing Protection with DNS Rebinding Attack | SSRF Vulnerability: Bypassing Protection with DNS Rebinding Attack |
| 2026-04-22 | SSRF | is-localhost-ip 2.0.0 SSRF via Restrictions Bypass (CVE-2025-9960) | is-localhost-ip 2.0.0 SSRF via Restrictions Bypass (CVE-2025-9960) |
| 2026-04-22 | SSRF | See-SURF: Tool to Find Potential Vulnerable SSRF Parameters | See-SURF: Tool to Find Potential Vulnerable SSRF Parameters |