appsec.fyi weekly


AppSec Weekly: 578 new resources (Apr 13 – Apr 20, 2026)

This week we added 578 new resources across 25 topics on appsec.fyi.

Trending this week: IDOR, SSRF, Burp Suite, AI, Fuzzing


Term of the week: Typosquatting

Registering package names that look like popular ones — reqeusts instead of requests, lodahs instead of lodash. Developers install them by accident and the malicious package runs arbitrary code via post-install scripts. Package registries have started adding protections, but new typosquat campaigns show up weekly.



Recon (+45)

  • The 2026 State of Attack Surface Management — ProjectDiscovery
  • The Ultimate Guide to Attack Surface Management Tools in 2025
  • Top 10 Attack Surface Management Tools for 2026 — Intruder
  • 12 Attack Surface Management Tools to Know in 2026
  • SubFinder: Automating Subdomain Enumeration for Bug Bounty in 2025


SSTI (+40)

  • Inj3ctlab — SSTI Bug Bounty Labs Writeup
  • Server-Side Template Injection — Bug Bounty 2k25
  • What is SSTI in Flask/Jinja2? — Payatu
  • PayloadsAllTheThings — SSTI README
  • Find and Exploit Server-Side Template Injection — TCM Security


JWT (+38)

  • CVE-2025-45768: PyJWT Information Disclosure Vulnerability
  • How JWT Libraries Block Algorithm Confusion: Code Review Lessons
  • JSON Web Token Attacks and Vulnerabilities — Acunetix
  • Security of JSON Web Tokens (JWT) — Cyber Polygon
  • Analyzing Broken User Authentication Threats to JWTs — Akamai


GraphQL (+35)

  • PayloadsAllTheThings — GraphQL Injection
  • Approaching GraphQL End Points — Bug Bounty Notes
  • DoS via Mutation Aliasing in GraphQL — HackerOne Disclosure
  • GraphQL API Vulnerabilities Learning Path — PortSwigger
  • GraphQL Introspection Security: Lessons from the Parse Server Vulnerability


OSINT (+35)

  • OSINT Framework: How to Build a Custom Maltego Transform
  • Top 10 OSINT Tools, Products & Solutions — SocialLinks
  • How to Use OSINT for Investigations — Moody's
  • OSINT Industries — Online Investigations Platform
  • OSINT Tools Security Analysts Should Know for 2025


IDOR (+34)

  • IDOR Vulnerability Exploitation Guide — RedfoxSec
  • Bykea: IDOR on In-App Hardcoded Zombie — HackerOne
  • IDOR Vulnerability — HackerOne Report 2633771
  • Top 235 IDOR Bug Bounty Reports
  • From Reset to Takeover: IDOR in Password Recovery Systems


Supply Chain (+34)

  • Shai-Hulud: A Persistent Secret Leaking Campaign — GitGuardian
  • Defending Against npm Supply Chain Attacks — Splunk
  • Multiple Supply Chain Attacks against npm Packages — Red Hat
  • Shai-Hulud Malware: Second-Wave npm Supply Chain Attack
  • CISA: Widespread Supply Chain Compromise Impacting npm Ecosystem


Deserialization (+32)

  • IBM webMethods Integration CVE-2025-36072: Deserialization RCE
  • Deserialization Vulnerability — Exploit-DB Paper
  • Cisco ISE Insecure Java Deserialization — Cisco Docs
  • Insecure Deserialization Vulnerabilities — Acunetix
  • Cisco ISE Insecure Java Deserialization (CVE-2025-20124)


Authentication (+32)

  • Bypassing MFA with OAuth Abuse: Pentesting SSO Flows
  • SSO Protocol Security: Critical Vulnerabilities in SAML, OAuth, OIDC, JWT (2025)
  • The Art of Breaking OAuth: Real-World Exploits and Misuses
  • OAuth2-Proxy Authentication Bypass (CVE-2025-54576)
  • OAuth SSO WordPress Plugin JWT Bypass (CVE-2025-9485)


Secrets (+31)

  • Compromised IAM Credentials Power Large AWS Crypto Mining Campaign
  • Pre-Commit Hooks for Secret Detection: Setup in 10 Minutes
  • Understanding Your Organization's Exposure to Secret Leaks — GitHub
  • Exposed Developer Secrets Surge: AI Drives 34% Increase in 2025
  • GitHub Found 39M Secret Leaks in 2024 — The GitHub Blog


SSRF (+24)

  • CVE-2025-61882 Explained: The Oracle Zero-Day Breach
  • Oracle EBS CVE-2025-61882: Pre-auth SSRF Leads to RCE
  • Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882
  • Oracle E-Business Suite Zero-Day Exploited — Google Cloud
  • Server-Side Request Forgery (SSRF) — Practical Guide


XSS (+16)

  • Bypassing Signature-Based XSS Filters: Modifying HTML
  • XSS Bypass Techniques — Cyber Gita
  • Advanced XSS Filter Bypass Methods Using Payload Splitting
  • XSS Payload Bypass Technique: A Practical Guide
  • Intigriti July 2025 XSS Challenge — Jorian Woltjer


Mobile (+15)

  • Zero-Day Vulnerabilities in Apple WebKit — CSA Singapore
  • Update Apple Devices: Actively Exploited CVE-2025-14174 & CVE-2025-43529
  • CVE-2025-14174: Apple WebKit Memory Corruption Zero-Day
  • Two Serious Vulnerabilities in Latest Android Security Update
  • LANDFALL: New Commercial-Grade Android Spyware (CVE-2025-21042)


API Security (+15)

  • BOLA API Attack & Prevention — StackHawk
  • Broken Object-Level Authorization (BOLA): What It Is and How to Prevent It
  • OWASP Top 10 API Security Risks and How to Mitigate Them — Pynt
  • OWASP Top 10 2025: Latest Changes and Enhancements
  • OWASP API Security Top 10 Vulnerabilities — 2025


AI (+15)

  • MCP Tool Poisoning — How It Works & How To Fight It
  • Model Context Protocol Has Prompt Injection Security Problems
  • Vulnerability of LLMs to Prompt Injection in Medical Advice — JAMA
  • Prompt Injection Attack Against LLM-Integrated Applications — arXiv
  • Prompt Injection Attacks in LLMs and AI Agent Systems: A Comprehensive Review


AuthZ (+15)

  • Broken Access Control: The Quiet Killer in Web Applications
  • OWASP Top 10 2025: IAAA Failures TryHackMe Writeup
  • Broken Access Control: The Silent Web Vulnerability
  • Broken Access Control: The 40% Surge in 2025
  • OWASP Top 10 2025 — A01 Broken Access Control


Burp Suite (+15)

  • Pentest-Mapper: Burp Extension for Pentesters & Bug Bounty
  • Burp Suite Extension: Copy For — Black Hills InfoSec
  • Burp AI — PortSwigger
  • Pentest Mapper: Burp Extension for Application Pentesting
  • Pentest Mapper — PortSwigger BApp Store


SQLi (+15)

  • Unauthenticated SQL Injection in GUI — Fortinet PSIRT
  • CVE-2025-1094 WebSocket and SQL Injection Exploit Script
  • CVE-2025-1094: PostgreSQL psql SQL Injection (Fixed) — Rapid7
  • PostgreSQL CVE-2025-1094: Quoting APIs SQL Injection
  • CVE-2025-26794: Blind SQL Injection in Exim 4.98 — Writeup


XXE (+15)

  • IBM Business Automation Workflow XXE (CVE-2025-13096)
  • XXE Vulnerability Guide 2025: How XML Attacks Still Threaten
  • XXE Injection in langchain-community (CVE-2025-6984)
  • Critical Apache Tika CVE-2025-66516: XXE Vulnerability
  • XXE in GeoServer WFS Service (CVE-2025-30220)


RCE (+14)

  • CVE-2025-22457: Ivanti Connect Secure VPN Zero-Day RCE
  • Advisory: Actively Exploited Unauthenticated RCE in Ivanti Connect Secure (CVE-2025-0282)
  • Command Injection in Jenkins via Git Parameter (CVE-2025-53652)
  • 0xMarcio/cve: Latest CVEs with PoC Exploits
  • Microsoft WSUS RCE (CVE-2025-59287) Actively Exploited


Fuzzing (+14)

  • Generative Fuzzer-Driven Vulnerability Detection in IoT Networks
  • Automating Fuzz Driver Generation for Deep Learning Libraries with LLMs
  • Fuzz to the Future: Uncovering Occluded Future Vulnerabilities
  • EdgeFuzz: A Middleware-Based Security Testing Tool
  • Software Fuzzing: The Cornerstone of Automated Vulnerability Discovery


Python (+14)

  • PyPI Supply Chain Attack: Colorama and Colorizr Name Confusion
  • Compromised LiteLLM PyPI Package Delivers Credential Stealer
  • LiteLLM PyPI Package Compromised in TeamPCP Supply Chain Attack
  • Malicious PyPI Package — LiteLLM Supply Chain Compromise
  • The PyPI Supply Chain Attacks of 2025


CSRF (+12)

  • CVE-2025-9611: Microsoft Playwright MCP Server CSRF Flaw
  • CVE-2025-23797: WP Options Editor CSRF Vulnerability
  • AVideo CSRF — CVE-2025-3100 (Critical)
  • Authlib (Python) CSRF (Cache-Backed OAuth State) — CVE-2025-68158
  • Web Security Academy: CSRF SameSite Lax Bypass via Method Override


Talks (+12)

  • DEF CON 33 Hacking Conference 2025 — USF
  • DEF CON 33 (2025) — Security.World
  • What to Expect from BSides, Black Hat, and DEF CON 2025
  • DEF CON 2025 — Open Source Security Foundation
  • DEFCON Conference — Official YouTube


Bug Bounty (+11)

  • HackerOne Paid $81 Million in Bug Bounties Over the Past Year
  • 9 Top Bug Bounty Programs Launched in 2025 — CSO Online
  • Bug-bounty Writeups Repository — fardeen-ahmed
  • Google's Bug Bounty Program Hits All-Time High — $17M in 2025
  • Top Bugs That Actually Paid Bounties in 2025


