Newsletter Preview

2026 SANS Identity Threats Report: Why Attacks Still Work

Exposing Security Blind Spots in GCP Vertex AI

Critical Access Control Risks in Simple Membership CVE-2026-34886

Security Update: Vulnerability Disclosures and Ongoing Hardening - LiteLLM

Broken Authentication and IDOR – A Big but Solvable Problem | Inspectiv

Exploiting Broken Access Control Vulnerability for Bounty

Broken Access Control Testing Software for Web Apps | Penti AI

WSTG Methodology: Web Penetration Testing | Haxoris

OWASP Top 10 #1: Broken Access Control and Security Tips

Primer on Broken Access Control Vulnerabilities and How to Find Them

Horizontal and Vertical Privilege Escalation Explained | Blue Goat Cyber

Broken Access Control - Vertical Privilege Escalation Writeup

Access Control Vulnerabilities and Privilege Escalation | PortSwigger

Learn about Broken Access Control | BugBountyHunter.com

Insecure Direct Object References (IDOR) | PortSwigger

Testing for Privilege Escalation | OWASP WSTG

Testing for Insecure Direct Object References | OWASP WSTG

Top HackerOne Reports - Authorization Bypass

Broken Authentication: Advanced Exploitation Guide | Intigriti

How To Find Broken Access Control Vulnerabilities in the Wild | HackerOne

Authentication (authn) refers to identity, while authorization (authz) has to do with permissions. Learn about the difference between authn vs. authz in more detail.

🆂🅼🅰🅻🅻  🆂🅲🅰🅻🅴  🆁🅰🅸🅳🅸🅽🅶  🅵🅾🆁🅲🅴 The 'Small Scale Raiding Force' (aka No. 62 Commando) was a British Commando unit under the command of the SOEx.com/SOE_Expedition…ttps://t.co/X4i8t1Wwv2 #SSRF #62Commando...

The spirit of the SSRF lives on. In August 2026, we return to the Channel Islands. Fast RIBs, rugged cliffs, and untold history. Follow in the footsteps of 62 Commando. 🏴‍☠️ soeexpeditions.com/ssrf-je...

Top 10 Web Application Vulnerabilities in Indian SaaS Apps

46 Vulnerability Statistics 2026: Key Trends in Discovery, Exploitation and Risk

CVE-2026-5417: Dataease SQLbot SSRF Vulnerability

CVE-2026-34740: Wwbn Avideo SSRF Vulnerability

@RX149427 No details. Lisieux was a vital transport hub for the German military and a waypoint for Allied escape lines. Graham Hayes MC, a commando in SOE's Small Scale Raiding Force, spent several we...

`curl_cffi` is impacted by CVE-2026-33752, a redirect-based SSRF vulnerability allowing internal network access with TLS impersonation bypass. Review applications using `curl_cffi` for URL input valid...

A critical SSRF vulnerability (CVE-2026-31818) affects `Budibase` via its REST Connector, allowing unauthorized access to internal resources. Review configurations. #SSRF #Budibase #AppSecurity pulsep...

A critical SSRF filter bypass (CVE-2026-35459) affects `pyLoad`, enabling access to internal network resources. This is an incomplete fix for CVE-2026-33992. #SSRF #pyLoad #infosec pulsepatch.io/posts...

SSRF Vulnerability Explained: Attack Types & Real-World Examples (2025)

Server-Side Request Forgery (SSRF) | Invicti

The Phantom Pivot: Advanced Red Teaming through SSRF & DNS Rebinding

Mastering SSRF Exploitation in 2025

The newly disclosed CVE-2026-33060 (CKAN MCP Server SSRF) shows a recurring pattern: AI agents granted excessive network access without runtime validation. Fetching metadata/internal IPs shouldn't be ...

Chained SSRF + Indirect Prompt Injection in an AI assistant. → Server fetching arbitrary URLs → Timing oracle revealing internal services → Prompt injection hijacking the AI to recon internal infrastr...

How to Prevent OWASP Software Supply Chain Failures

Axios Compromise on npm Introduces Hidden Malicious Package

NPM Supply Chain Attacks Explained: Dependency Confusion Exploits and Defense

Axios npm Package Compromised in Supply Chain Attack

The 2026 Guide to Software Supply Chain Security

12 Months That Changed Supply Chain Security - 2025 Month by Month

Securing the Software Supply Chain: OpenSSF, SLSA, SBOM, and Sigstore

OWASP Top 10 2025: A03 Software Supply Chain Failures (Beginner's Guide)

SLSA Framework: The Definitive Guide for Securing Your Software Supply Chain

Five Key Flaws Exploited in 2025's Software Supply Chain Incidents

Predictions for Open Source Security in 2025 | OpenSSF

Supply Chain Attacks in Q4 2025: From Isolated Incidents to Systemic Failure Modes

Supply Chain Security in CI: SBOMs, SLSA, and Sigstore

SLSA - Supply-chain Levels for Software Artifacts

A03 Software Supply Chain Failures - OWASP Top 10:2025

Supply chain security focuses on risk management of external suppliers, vendors, logistics, and transportation.

Hacking Android and IOT Apps by Example - DEF CON Training LV 2026

Mobile Application Penetration Testing: iOS and Android

10 Mobile App Security Best Practices for 2026

Grapefruit: Open-source mobile security testing suite

Objection 2026: Runtime Mobile Exploration via Frida

OWASP Mobile Top 10 2024: A Security Guide

OWASP Mobile Top 10 and MobSF

Bypassing Certificate Pinning Using Frida: A Step-by-Step Guide

Hail Frida!! The Universal SSL Pinning Bypass for Android

OWASP Mobile Top 10 (2024) — Bug Bounty Hunter's Guide

Four Ways to Bypass Android SSL Verification and Certificate Pinning | NetSPI

Bypassing Certificate Pinning | OWASP MASTG

Defeating Android Certificate Pinning with Frida

OWASP Mobile Top 10

OWASP Mobile Application Security (MAS)

Mobile device security refers to being free from danger or risk of an asset loss or data loss by using mobile computers and communication hardware.

Protecting Payment, Cart, and Login Endpoints at the Edge

Open Banking API Security: The Complete Guide in 2026

Enhancing REST API Fuzzing with Access Policy Violation Detection

6 Ways to Protect Your Spring Boot APIs from Common Attacks

7 Identity and API Security Tools Modern SaaS Teams Should Evaluate in 2026

InQL - GraphQL Scanner | PortSwigger BApp Store

OWASP API Security Top 10 Explained | Salt Security

How To Prepare For An API Penetration Test

Awesome GraphQL Security - Curated List of Resources

API Testing with Burp Suite: A Practical Guide

Top 6 API Pentesting Tools | Cobalt

API Attack Awareness: BOLA - Why It Tops the OWASP API Top 10

GraphQL API Vulnerabilities | Web Security Academy

API Testing | Web Security Academy

OWASP API Security Top 10

The API Security project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs)

CVE-2026-25101: Bludit Authentication Bypass Vulnerability

Cookies: HTTP State Management Mechanism (RFC 6265bis)

3 Security Failure Modes in Vibe-Coded Apps

CVE-2026-34394: Wwbn Avideo CSRF Vulnerability

Cross-site request forgery (CSRF) - Security - MDN Web Docs

Diamond award for Bexhill and Hastings community group for retirees https://ift.tt/eER5YBr

CSRF Exploitation Techniques — Flaws, Bypasses & SameSite Cookie Mechanics

Lab: SameSite Lax Bypass via Cookie Refresh | PortSwigger

Lab: SameSite Lax Bypass via Method Override | PortSwigger

Advanced Techniques to Bypass CSRF Defenses

Cross-Site Request Forgery (CSRF) Attack Guide | Hackviser

CSRF (Cross Site Request Forgery) | HackTricks

Bypassing SameSite Cookie Restrictions - CSRF | PortSwigger

CSRF & Bypasses | Cobalt

Cross-Site Request Forgery Prevention Cheat Sheet | OWASP

Diamond award for Bexhill and Hastings community group for retirees https://ift.tt/GT76kYD

Browser-Based Attacks in 2026: What Every Startup Needs to Know

CVE-2025-1647: Bootstrap 3 XSS Vulnerability via DOM Clobbering

CVE-2026-32629: phpMyFAQ XSS Vulnerability

Cross-site leaks (XS-Leaks) - Security - MDN Web Docs

Site-DOM-XSS using Cookie Injection: The AI Hackers are Coming

Awesome Bug Bounty Writeups - Curated List by Bug Type

XSS Exploit Payloads - DOM, Reflected, Stored, and WAF Bypass

Stored XSS Vulnerability WAF Bypass Writeup

Reflected XSS with WAF Bypass — A Creative Payload That Worked

Learn about Cross Site Scripting (XSS) | BugBountyHunter.com

DOM-Based XSS in Single Page Applications (SPAs): A Complete Guide

The Ultimate Guide to Finding and Escalating XSS Bugs | Bugcrowd

How a Cross-Site Scripting Vulnerability Led to Account Takeover | HackerOne

XSS Attacks & Exploitation: The Ultimate Guide | YesWeHack

Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | PortSwigger

CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks https://ift.tt/vwg96OZ

Remote Code Execution (RCE) Prevention - SecPortal

CVE-2025-12305: Shiyi-blog RCE via Deserialization

CVE-2025-34153: Hyland OnBase RCE via Deserialization

CVE-2025-42928: SAP jConnect RCE via Deserialization

Insecure Deserialization Guide - SecPortal

Unsafe Deserialization in Ruby | SecureFlag

Analyzing Prerequisites of Known Deserialization Vulnerabilities on Java Applications

Insecure Deserialization: The Vulnerability That Gives Attackers RCE

Lab: Exploiting Ruby Deserialization Using a Documented Gadget Chain | PortSwigger

Ruby 2.x Universal RCE Deserialization Gadget Chain | elttam

Insecure Deserialization Explained with Examples

Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits | Google Cloud

PayloadsAllTheThings - Java Deserialization Payloads

Insecure Deserialization | OWASP

Exploiting Insecure Deserialization Vulnerabilities | PortSwigger

Zen AI Pentest GitHub Action

Shift Left Security That Developers Actually Keep Enabled

CERT-EU Confirms Trivy Supply Chain Attack Led to Credential Exposure

The Claude Code Security Checklist: What the Source Code Reveals

Hardcoded Secrets in AI-Generated Code: Catch Them Before They Ship

AWS Secrets Manager vs HashiCorp Vault [2026]

AWS Secrets Engine | HashiCorp Vault

Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits"

How to Detect and Clean Up Leaked Secrets in Your Git Repositories

Secret Scanning Tools 2026: Protect Code and Prevent Credential Leaks

TruffleHog vs. Gitleaks: A Detailed Comparison

Why 28 Million Credentials Leaked on GitHub in 2025 | Snyk

Gitleaks - Find Secrets with Gitleaks

TruffleHog - Find, Verify, and Analyze Leaked Credentials

Website with the collection of all the cheat sheets of the project.

Best AI Security Tools in 2026

Navigating Amazon Bedrock's Multi-Agent Applications

OWASP Top 10 for Agents 2026

Google Workspace's Continuous Approach to Mitigating Prompt Injection

Prompt Injection Attacks in LLMs: What Developers Need to Know in 2026

Prompt Injection Attacks in LLMs: Vulnerabilities, Exploitation & Defense

How AI Red Teaming Fixes Vulnerabilities in Your AI Systems

What Is Prompt Injection in AI? Examples & Prevention | EC-Council

Prompt Injection Attacks in 2025: Risks, Defenses & Testing

Red Teaming the Mind of the Machine: Evaluation of Prompt Injection and Jailbreak Vulnerabilities

Practical LLM Security Advice from the NVIDIA AI Red Team

OWASP Top 10 for LLMs 2025 | DeepTeam Red Teaming Framework

Continuously Hardening ChatGPT Against Prompt Injection | OpenAI

Red Teaming LLMs Exposes a Harsh Truth About the AI Security Arms Race

LLM01:2025 Prompt Injection | OWASP Gen AI Security

Masriyan/Aegis: Windows Attack Surface Discovery Tool

External Attack Surface Management (EASM)

Using OWASP Amass with Netlas Module

The Complete Beginner's Guide to Bug Bounty Reconnaissance

How I Built an Automated Recon Pipeline for Bug Bounty Hunting

A Comprehensive Guide to Android Penetration Testing | Redfox Security

A Step-by-Step Android Penetration Testing Guide | Hack The Box

Mobile App Pentest Cheatsheet

GarudRecon - Automated Domain Recon with XSS, SQLi, LFI, RCE Detection

Automating Subdomain Enumeration to Discover Critical Vulnerabilities

SubdomainX: All-in-One Subdomain Enumeration and Reconnaissance Tool

How to Use Amass for Subdomain Enumeration and Recon Like a Pro

Subfinder Complete Guide 2025: Subdomain Enumeration Mastery

Automate Recon and Detect Subdomain Takeovers with Amass, Subfinder, Nuclei

Reconnaissance 102: Subdomain Enumeration | ProjectDiscovery

Getting Started as a Penetration Tester in NZ (2026 Edition)

shuvonsec/claude-bug-bounty: AI Bug Bounty Framework

Disclosed: $4.3m Paid in HackerOne LHEs, PortSwigger Top 10 Released

HackerOne Hacktivity

How Bug Bounty Hunters Are Using Claude Code

API Penetration Testing: Combined Checklist + Scenario List

The Tools I Use for Bug Bounty Hunting

Bug Bounty Hunting in 2025: A Real World Guide

Full Bug Bounty Hunting Methodology - Recon (DEF CON 32 Workshop)

The Best Bug Bounty Recon Methodology (2024) | Hive Five

2025 Bug Bounty Methodology, Toolsets and Persistent Recon

Comprehensive Bug Bounty Hunting Methodology (2024 Edition)

From Recon to Report: Complete Bug Bounty Workflow for 2025

Recon for Bug Bounty: 8 Essential Tools | Intigriti

Bug Bounty Hunting Methodology 2025

Metasploit Wrap-Up 04/03/2026

Multiple Vulnerabilities in Progress ShareFile Could Allow for Remote Code Execution

Critical RCE Vulnerability in F5 BIG-IP Under Exploitation

CVE-2026-20131 Cisco FMC RCE Vulnerability

Emerging Threat: CVE-2026-27876 Grafana Remote Code Execution via SQL Expressions

SSTI (Server-Side Template Injection) to RCE Walkthrough

SSTI Leading to Remote Code Execution (RCE)

OpenOlat Velocity Template Injection Leads to RCE

A Pentester's Guide to SSTI | Cobalt

RCE with Server-Side Template Injection

Rejetto HTTP File Server SSTI RCE (CVE-2024-23692) | Invicti

WPML Plugin RCE via Twig SSTI (CVE-2024-6386)

PayloadsAllTheThings - Server Side Template Injection

SSTI: Advanced Exploitation Guide | Intigriti

SSTI Exploitation with RCE Everywhere | YesWeHack

The State of Trusted Open Source Report

Rapid Exploitation and Clever Malware in the Supply Chain — Last Week in AppSec

CrewAI contains multiple vulnerabilities including SSRF, RCE

CVE-2026-33873: Langflow Agentic Assistant RCE Vulnerability

CVE-2026-34519: AIOHTTP XSS Vulnerability

A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI

Exposing 4 Critical Vulnerabilities in Python PickleScan | Sonatype

Python SAST Tools: Free & Paid Solutions for Secure Code Analysis

10 Common Security Gotchas in Python and How to Avoid Them

Insecure Deserialization in Python | Semgrep

PyTorch Users at Risk: 3 Zero-Day PickleScan Vulnerabilities | JFrog

PickleScan - Security Scanner Detecting Suspicious Python Pickle Files

Python Secure Coding Guidelines

Bandit: Python Static Application Security Testing Guide

Python Security Vulnerabilities | Top Issues | Aikido

AI-enabled Workflows and Deeper Intelligence

10 Best Threat Intelligence Tools In 2026

OSINT Intelligence Briefing - March 31, 2026

Open Source Intelligence (OSINT): AI-Powered Image Geo-Location

Top 15 OSINT Tools For Cybersecurity In 2026

Bug Bounty 101: Top 10 Reconnaissance Tools | Netlas

Top 7 OSINT Tools Every Cybersecurity Professional Should Know

Top 10 OSINT Tools Everyone Should Know | SMIIT CyberAI

Top 10 OSINT Tools in 2025 Cyber Analysts Trust

10 Best Open Source Intelligence (OSINT) Tools Of 2025

What is OSINT? Tools, Techniques and Framework Explained

15 Best OSINT Tools in 2026 | Lampyre

Open Source Intelligence Tools and Resources Collection

OSINT for Threat Enrichment: Deep Dive with Maltego, SpiderFoot, IntelX, Recon-ng

Top 15 Free OSINT Tools To Collect Data From Open Sources

SQL Injection (SQLi) Guide - SecPortal

CVE-2026-27697: Basercms SQLi Vulnerability

CVE-2026-5197: Student Membership System SQLi Vulnerability

WAF Testing Guide: How to Validate Web Application Firewalls

Bug Bounty Bootcamp #29: Boolean Blind SQL Injection Part 2

12 Questions and Answers About Insecure Deserialization

How to Perform SQL Injection in Web Apps

What is SQL Injection? How to Prevent SQL Injection | Fortinet

Bypassing WAFs in 2025: New Techniques and Evasion Tactics

7 Types of SQL Injection Attacks & How to Prevent Them

SQLi Payloads - Classic, Blind, Error-Based, Time-Based, WAF Bypass

SQL Injection for Bug Bounty Hunters | YesWeHack

Exploiting an SQL Injection with WAF Bypass

SQL Injection Bypassing WAF | OWASP

PayloadsAllTheThings - SQL Injection

Cybersecurity Deep Dive: The Complete Guide to Protecting Modern Applications

How Does StackHawk Work?

GraphQL Security Vulnerabilities Guide - SecPortal

Vespasian: It Sees What Static Analysis Can't - API Endpoint Discovery

GraphQL Security: How I Found and Exploited Critical IDOR and Authorization Bypass

GraphQL Security Testing Guide (2026)

GraphQL Security Complete Guide | Payload Playground

GraphQL Vulnerabilities and Common Attacks Seen in the Wild | Imperva

GraphQL API Vulnerabilities, Common Attacks & Security Tips

Hacking GraphQL Endpoints in Bug Bounty Programs | YesWeHack

PayloadsAllTheThings - GraphQL Injection

GraphQL | HackTricks

GraphQL Cheat Sheet | OWASP

GraphQL Security from a Pentester's Perspective | AFINE

Web Application Penetration Testing: A 2026 Guide

Xalgorix: The Most Powerful Open-Source AI Pentesting Agent

Mapping DAST Evidence to SOC 2 and ISO 27001 Workflows

Fuzzing REST APIs in Industry: Necessary Features and Lessons Learned

MALF: A Multi-Agent LLM Framework for Intelligent Fuzzing

Automating App Security with Advanced Fuzz Testing Techniques

Coverage Guided vs Blackbox Fuzzing | ClusterFuzz

Make Fuzzing First-Class in CI/CD: Coverage-Guided Testing in 2025

How to Use Fuzzing in Security Research | Keysight

Fuzz Testing: A Beginner's Guide | Better Stack

libFuzzer and AFL++ | ClusterFuzz

libFuzzer - A Library for Coverage-Guided Fuzz Testing | LLVM

AFL - American Fuzzy Lop: A Security-Oriented Fuzzer

Coverage Guided Fuzzing - Extending Instrumentation to Hunt Down Bugs Faster

HTB COAE: Introducing the new standard for AI Red Teaming

OWASP Impact Report 2025

AI Agent Security Masterclass: Attacking and Defending Autonomous AI Systems - DEF CON Training

Black Hat USA 2026 Training Schedule

DEF CON 32 Registration via Black Hat USA 2024

Black Hat Briefings - Wikipedia

Security Summer Camp: Black Hat 2025, DEF CON, and Others

Black Hat USA 2024, BSidesLV and DEF CON 32: Hacker Summer Camp Guide

Black Hat Conference: Cutting-Edge Cybersecurity Insights

Black Hat 2025: Latest News and Insights | CSO Online

Black Hat 2025 & DEF CON 33: The Attendees' Guide | Splunk

Black Hat USA 2025 & DEF CON 33

Black Hat USA 2024

DEF CON Hacking Conference

Debian: CVE-2026-23739: Asterisk Security Update

CVE-2025-11035: Jinher OA XXE Vulnerability

CVE-2025-54254: Adobe Experience Manager Forms XXE Vulnerability

CVE-2026-29924: XXE Vulnerability

CVE-2026-34401: XXE in Wwbn Avideo

Advanced XXE Exploitation: File Disclosure, Blind OOB, and RCE

What is XXE (XML External Entity) | Examples & Prevention | Imperva

XML External Entities (XXE) | Pentesting Notes

XML External Entity (XXE) Processing | OWASP

Blind XXE: Exfiltrating Data Out-of-Band in 2025

Comprehensive Guide to XXE Exploitation: Advanced Data Exfiltration and RCE

XML External Entity: The Ultimate Bug Bounty Guide to XXE | YesWeHack

XML External Entity (XXE) Attack Guide | Hackviser

What is a Blind XXE Attack? | PortSwigger

Web Application Security Testing: A Step-by-Step Learning Guide

CVE-2026-33030: Nginx UI Authorization Bypass

BugQuest 2026: 31 Days of Broken Access Control

Nginx UI IDOR Allows Cross-User Resource Access

IDOR | HackTricks

IDOR Attack Guide | Hackviser

Real Bug Bounty Report: IDOR Used to Exploit a Banking Application

Reddit Bug Bounty: Exploiting an IDOR Vulnerability in Dubsmash's API

IDOR: The $1 Billion Authorization Bug

IDOR Vulnerability: Analysis, Impact, Mitigation | Huntress

How to Find IDOR Vulnerabilities: The Bug Bounty Hunter's Practical Guide

Insecure Direct Object References (IDOR) | Intigriti Hackademy

IDOR in 2025: Why Broken Access Control Still Rules the Vulnerability Charts

IDOR: A Complete Guide to Exploiting Advanced IDOR Vulnerabilities | Intigriti

Zero-Day Incident Response: First 72 Hours

Top 7 Online Penetration Testing Tools in 2026

Toolchain: Nmap, Burp Suite, and Metasploit - A Practical Workflow Guide

Top 10 Burp Suite Extensions Every Pentester Should Use

Installing Extensions from BApp Store | PortSwigger

3 Powerful Burp Suite Extensions Every Pentester Should Use

BApp Store | PortSwigger

Burp Suite Professional BApps: Maximizing Pentester Productivity

Burp Bounty - Scan Check Builder Extension

Burp Suite - Top Extensions | KSEC ARK Pentesting Knowledge Base

Top 10 Must-Have Burp Suite Extensions for Web Application Security (2024)

Top 10 Pentesting Tools and Extensions in Burp Suite | PortSwigger

Top 20 Useful Burp Suite Extensions for Web Application Pentesting