appsec.fyi weekly

AppSec Weekly: 877 new resources (Apr 06 – Apr 13, 2026)

This week we added 877 new resources across 25 topics on appsec.fyi.

Trending this week: IDOR, SSRF, Burp Suite, AI, Fuzzing


Term of the week: Parameterized Queries

The correct fix for SQL injection. Instead of concatenating user input into SQL strings, you use placeholders that the database driver fills in safely. Also called prepared statements. Every modern language and framework supports them. If you're building SQL strings with string concatenation in 2026, we need to talk.


SSRF (+100)

  • Flowise is affected by a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-31829) in its HTTP Node, potentially allowing internal network access. Investigate network segmentation and outbound request filtering. #Flowise #SSRF #infosec pulsepatch.io/posts/cve-2026
  • A NO_PROXY hostname normalization bypass (CVE-2025-62718) in Axios could lead to SSRF. Implement strict input validation and monitor for patches. #Axios #SSRF #infosec pulsepatch.io/posts/cve-2025
  • HackerOne: SSRF in Exchange Leads to ROOT (Shopify)
  • DEF CON 27: Owning the Clout Through SSRF and PDF Generators
  • PentesterLab: SSRF in PDF Generation

RCE (+84)

  • U-Office Force Critical RCE via Insecure Deserialization (CVE-2026-3422)
  • IBM Langflow Desktop RCE via Insecure Deserialization
  • CVE-2026-21858: Ni8mare Enables Unauthenticated RCE in n8n Webhooks
  • Potentially Critical RCE in OpenSSL (CVE-2025-15467)
  • Wazuh RCE via Deserialization of Untrusted Data (CVE-2026-25769)

Authentication (+50)

  • WebAuthn Guide
  • OWASP Credential Stuffing Prevention Cheat Sheet
  • OAuth/OIDC Real-Life Attack Scenarios
  • OAuth 2.0 Redirect URI Validation Falls Short (ACM)
  • PortSwigger: Hidden OAuth attack vectors

SSTI (+49)

  • CVE-2022-46166: Spring Boot Admin RCE
  • CVE-2021-43466: Thymeleaf Spring5 RCE
  • Handlebars.js: Safe Usage to Avoid Injection Flaws
  • HackerOne #164224: SSTI
  • AST Injection: Prototype Pollution to RCE in Handlebars

JWT (+48)

  • CVE-2024-33663: Python-jose Algorithm Confusion
  • Severe Security Flaw Found in jsonwebtoken Library
  • The Ultimate Guide to JWT Vulnerabilities and Attacks
  • HackerOne: Trint insecure client-side JWT generation
  • HackerOne: Linktree account takeover via improper JWT validation

XSS (+48)

  • Beyond XSS: Mutation XSS Explained
  • CVE-2025-26791: DOMPurify Regular Expression Bug for mXSS
  • Bypassing DOMPurify Again with Mutation XSS
  • Penetration Testing of Electron-based Applications
  • SiYuan Electron RCE via Malicious Note Sync (CVE-2026-39846)

Mobile (+45)

  • Exploiting Content Providers in Android Applications
  • SQL injection vulnerabilities in Owncloud Android app
  • Android, SQL and ContentProviders - Why SQL injections aren't dead yet
  • iOS Universal Links - HackTricks
  • MASTG-TEST-0070: Testing Universal Links

Secrets (+43)

  • Terraform Secrets Management Best Practices
  • AWS IAM Roles Anywhere Workload Identities
  • External Secrets Operator: Introduction
  • Google Cloud SIEM Service Account Token Leak
  • Secret Rotation: How It Works

AI (+43)

  • LLM Red Teaming Guide (Open Source) - Promptfoo
  • Defining LLM Red Teaming - NVIDIA Technical Blog
  • Large Reasoning Models are Autonomous Jailbreak Agents
  • Involuntary Jailbreak: On Self-Prompting Attacks
  • Single Line of Code Can Jailbreak 11 AI Models Including ChatGPT, Claude, Gemini

Deserialization (+43)

  • Insecure Deserialization: Risks, Examples, and Best Practices
  • Deserialization Gadget Chain Definition
  • CVE-2026-20963: SharePoint Deserialization RCE Analysis
  • SharePoint Zero-Day CVE-2025-53770 Actively Exploited
  • SolarWinds Web Help Desk Deserialization Vulnerability

API Security (+42)

  • Exploiting API4: 8 Real-World Unrestricted Resource Consumption Attack Scenarios
  • Exploiting Server-Side Request Forgery in an API
  • API Versioning Vulnerabilities: Deprecated Endpoints Still Accepting Requests
  • Exploiting JWT Vulnerabilities: Advanced Exploitation Guide
  • openapi-fuzzer: Black-box Fuzzer for OpenAPI Specifications

Fuzzing (+41)

  • Getting Started with Python Fuzzing Using Atheris
  • Unleashing Medusa: Smart Contract Fuzzing
  • Mastering Boofuzz: From Basics to Advanced
  • cargo-fuzz - Testing Handbook
  • LLM-Based Harness Synthesis for Unfuzzed Projects

Supply Chain (+40)

  • DPRK Threat Actor Compromises Axios NPM Package
  • 16 Minutes to Impact: npm crypto-draining malware
  • Widespread npm Supply Chain Attack: Billions at Risk
  • npm Supply Chain Attack: debug, chalk, and Beyond
  • The Nx s1ngularity Attack: Inside the Credential Leak

AuthZ (+39)

  • RBAC vs ABAC vs PBAC - Styra
  • Policy as Code: Fine-Grained Authorization
  • Policy Engine Showdown: OPA vs OpenFGA vs Cedar
  • ReBAC Authorization Academy - Oso
  • RBAC vs ABAC vs PBAC - Oso

Talks (+19)

  • BSidesSLC 2026
  • Approov Events and Conferences
  • OWASP Global AppSec USA 2025 - CFP
  • OWASP Global AppSec EU 2025 - GenAI Focus
  • OWASP Global AppSec EU 2025 (Barcelona)

Python (+18)

  • Python CVE Details
  • Python Security Vulnerabilities CVE Database
  • Picklescan Allows RCE via Malicious Pickle File
  • CVE-2025-56005: PLY RCE Vulnerability
  • Multi-Stage Malware Attack on Python Package Index

Bug Bounty (+16)

  • Automate Recon and Detect Subdomain Takeovers
  • Writeups - Pentester Land
  • The Unfiltered 2025 Guide to Web Pentesting & Bug Bounties
  • Bug Bounty Hunter Software in 2026: What Belongs in Your Stack
  • How I'd Start Bug Bounty Hunting in 2026: A 90-Day Plan

Recon (+15)

  • Recon Roundup: Ultimate Reconnaissance Guide
  • From Recon to Report: Complete Workflow 2025
  • Mastering Recon in Bug Bounty: Advanced Techniques 2025
  • 0-Day Hunting Guide: Recon Techniques Nobody Talks About
  • Recon to Master: Complete Bug Bounty Checklist

OSINT (+15)

  • OWASP OSINT Resources
  • OSINT Framework - GeeksforGeeks
  • Top 10 OSINT Tools and Software for 2026
  • How to Conduct Investigations Using OSINT & Maltego
  • 8 Best OSINT Tools (Paid & Free) in 2025

Burp Suite (+14)

  • Burp Suite Certified Practitioner Guide 2026
  • Top 10 Burp Extensions Every Pentester Should Use
  • Burp AI in 2026: Real Workflow Changes
  • Burp Suite Reviews 2026
  • Burp Suite Professional 2026.1 Release

XXE (+14)

  • XXE in Apache Struts CVE-2025-68493
  • PortSwigger Blind XXE Lab Write-up
  • Out-of-Band XXE Attack with Sensitive Data Exfiltration
  • Advanced XXE Exploitation: File Disclosure, Blind OOB, and RCE
  • XXE Injection Overview

CSRF (+13)

  • Web Application Security: Anti-CSRF & Cookie SameSite Options
  • CSRF Protection - Clerk Docs
  • Preventing CSRF with the SameSite Cookie Attribute
  • CSRF Attacks: Bypassing SameSite Cookies
  • Advanced CSRF: How to Bypass SameSite Cookie Protections

GraphQL (+13)

  • Common Attacks on REST APIs and GraphQL APIs
  • GraphQL API Security: Common Vulnerabilities and Exploits
  • GraphQL Security Testing: Introspection Abuse, Injection, and DoS
  • Hacking (and Securing) GraphQL
  • GraphQL API Vulnerabilities - PortSwigger

IDOR (+13)

  • IDOR - PortSwigger Web Security
  • IDOR - OWASP Foundation
  • Learn about IDOR - BugBountyHunter.com
  • How-To: Find IDOR Vulnerabilities for Large Bounty Rewards
  • Bug Bounty Hunting: Insecure Direct Object References

SQLi (+12)

  • SQL Injection in 2026: It Took One Apostrophe
  • How to Learn SQL Injection Step by Step
  • Advanced SQL Injection Techniques in Modern Web Apps
  • Bypassing WAF with Adversarial SQL
  • WAF Bypass Using JSON-Based SQL Injection Attacks
