@insertscript@infosec.exchange # insert-script.blogspot.co.at Array(10).join('a'-1) Batman! #Cure53

Joined June 2012
alex retweeted
New short article on a real-world exploitation case rather than pure research, demonstrating how a specific mistake in Next.js can lead to a systematic zero-click SXSS on its latest versions (w/@inzo____): Re:CACHE - Excessive reflection, type confusion, and 0-click SXSS on Next.js zhero-web-sec.github.io/rese…
Damn, what a read
May 22
StubZero: $148,337 RCE in Google Cloud Production brutecat.com/articles/google…
alex retweeted
FFFF the axios thing is bad, almost all node.js projects use it, we use it. Didn't want to install some tool with a bunch of deps just to check if our gcloud/docker images are affected, trivy literally got supply chained two weeks ago lmao. Built me a small tool. stdlib only, just shells out to docker/gcloud cli. If those are compromised we're all cooked anyway. CHECK YOUR IMAGES. github.com/hacktronai/cull
Again just a quick JS PoC (nothing new, just some PoC to try it): JS Array length of 4294967295, and push vs [][length]=value behavior. Push fails, assignment works but length value isn't increased anymore. Don't really see how this can be abused. insert-script.com/examples/j…

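An added example of the behaviour the tweet describes, written for this page rather than taken from the linked PoC: a fresh array grows its length only up to index 2^32-2, and at a length of 2^32-1 `push` throws while `a[a.length] = v` stores a plain string-keyed property that no length-bounded loop will ever visit. Constant names and the console output are this example's own.

```javascript
// Added example, not code from the linked PoC page: what happens at the 2^32-1 length
// ceiling of a JS Array. Run with: node array-length-ceiling.js
'use strict';

const MAX_LENGTH = 4294967295; // 2^32 - 1: the largest value "length" may hold
const MAX_INDEX = 4294967294;  // 2^32 - 2: the largest property key that is an array index

// A fresh array grows its length as indices are assigned, but only up to the last real index.
function probeIndexGrowth() {
  const a = [];
  a[MAX_INDEX] = 'last';                 // sparse store, no multi-gigabyte allocation
  const lengthAfterMaxIndex = a.length;  // 4294967295 (index + 1)
  a[MAX_INDEX + 1] = 'beyond';           // "4294967295" is a plain string key, not an index
  return {
    lengthAfterMaxIndex,
    lengthAfterOneMore: a.length,        // unchanged: 4294967295
    valueAtOneMore: a[MAX_INDEX + 1],    // the property exists, it just isn't an element
  };
}

// At the ceiling, push throws while direct assignment silently lands outside the index range.
function probeLengthCeiling() {
  const a = [];
  a.length = MAX_LENGTH;

  let pushError = null;
  try {
    a.push('pushed');                    // needs length = 2^32, which ArraySetLength rejects
  } catch (e) {
    pushError = e.constructor.name;      // 'RangeError'
  }

  a[a.length] = 'assigned';              // stored under "4294967295"; length stays put
  a[MAX_INDEX] = 'last';                 // a real index below length, also stored

  let constructorError = null;
  try {
    new Array(MAX_LENGTH + 1);           // the constructor enforces the same ceiling
  } catch (e) {
    constructorError = e.constructor.name; // 'RangeError'
  }

  return {
    pushError,
    constructorError,
    length: a.length,                    // 4294967295
    assignedValue: a[MAX_LENGTH],        // 'assigned'
    // Object.keys and for-in list the out-of-range key; for (i < length) loops and the
    // Array.prototype methods never reach it.
    ownKeys: Object.keys(a).sort(),      // ['4294967294', '4294967295']
  };
}

console.log(probeIndexGrowth());
console.log(probeLengthCeiling());
```

The `sort()` on `Object.keys` only pins the order for the comparison; engines list integer indices before string keys anyway, so the key "4294967295" comes after every real element.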
alex retweeted
Your chance to be part of a historic event for cryptography education in the Levant is still open! The CFP for Cedarcrypt, the most ambitious and exciting cryptography event in the Levant region in recent memory, has a deadline of April 10 and we still have room in the program. If you've been meaning to submit a talk, workshop, or research presentation, now's the time. We want hands-on workshops, lectures on both foundational and real-world topics, and research talks including work in progress. Topics range from post-quantum crypto and ZK proofs to secure implementation and protocol verification. We're also still actively seeking sponsors. Sponsorship funds student stipends directly — it's how we make the event accessible to grad students and early-career researchers worldwide. If your organization is in this space, let's talk. Accepted speakers get travel support, free registration, and accommodation help. July 13–16, Paphos, Cyprus. Join us in making a real difference in how real-world cryptography is taught in the Levant! Come meet and engage with excited new students! cedarcrypt.org

alex retweeted
We take a closer look at the 2nd exploit, and sit down with @_manfp to learn about his research process. youtube.com/watch?v=NT1VCmJF…
alex retweeted
Thanks for participating in this challenge! I analyzed the qs parser source code and wrote about the inconsistency between the backend and frontend query parsers, along with two possible solutions. Hope you enjoy it! blog.voorivex.team/when-two-…
Can you spot the XSS vulnerability? 👀 Test it out live at: pwnbox.xyz
alex retweeted
Chrome auto-decodes all URL-encoded, non-special characters in the URL for the user. This can be annoying when you're trying to sneak in a payload that looks a little weird. You can bypass this by adding ÿ anywhere in the URL.
alex retweeted
Come be part of Cedarcrypt, our historic new initiative to grow cryptography research, development and representation in the Levant region! For too long, the global cryptography community has concentrated its major events in a handful of locations, leaving entire regions underrepresented in the conversations that shape our digital future. Cedarcrypt is here to change that. This July 13-16, 2026, we're bringing together researchers, practitioners, and students at the American University of Beirut - Mediterraneo campus in Paphos, Cyprus, for four days of intensive learning, knowledge sharing, and community building. From secure messaging protocols to post-quantum cryptography, from zero-knowledge proofs to formal verification, Cedarcrypt aims to cover the full spectrum of applied cryptography. Cedarcrypt is about planting a flag and telling the world that real cryptography work can and does emerge from our region. Cedarcrypt aims to create a space where the next generation of cryptographers from the Levant and beyond can learn from established experts, present their own research, and forge connections that will shape their careers. We need you to make this happen. We're seeking workshop leaders to teach hands-on skills, lecturers to share foundational and cutting-edge knowledge, and researchers to present their latest work. Whether you're a seasoned professor or an early-career researcher with fresh ideas, there's a place for you at Cedarcrypt. This is the first edition of what we intend to become an annual tradition. Come be part of our history! Help us build something that will inspire and empower cryptographers for years to come. Our call for proposals is open: submit your workshop or talk, or simply learn more about Cedarcrypt at cedarcrypt.org!

alex retweeted
Jan 16
Happy to publish our first research of the year on the SvelteKit framework, downloaded over 800,000 times per week, which led to CVE-2025-67647 (w/@inzo____): Avoiding the paradox: A native full-read SSRF and one‑shot DoS in SvelteKit zhero-web-sec.github.io/rese… Enjoy the read
alex retweeted
Leaking FXAuth Token leading to account takeover ($65,000) ysamm.com/uncategorized/2026… Instagram account takeover via Facebook Pixel script abuse ($32,500) ysamm.com/uncategorized/2026… Multiple XS-leaks disclosing Facebook users in third-party websites ($8,400) ysamm.com/uncategorized/2026…
Quick browser documentation PoCs (nothing new, just some PoCs to try it): postMessage with null origin and null source - insert-script.com/examples/i… Authorization header and redirects - relevant for client-side path traversal insert-script.com/examples/r…

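An added example for the first of the two PoCs above (the postMessage one), written for this page and not taken from the linked PoC: a `message` handler that treats an opaque origin (which arrives as the string `"null"`) and a `null` `event.source` (the sender is already gone) as the two cases they are, next to the weak check it replaces. The allowlist, the sample events and the mock `source` objects are constructed so the check runs offline under Node.

```javascript
// Added example, not code from the linked PoC page: a hardened postMessage trust check.
// Run with: node message-check.js
'use strict';

// Assumed allowlist of origins whose messages this page accepts.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://auth.example']);

function classifyMessage(event) {
  // An opaque origin (sandboxed iframe without allow-same-origin, data:/blob:/file:
  // documents) arrives as the STRING "null"; comparing against the value null never fires.
  if (typeof event.origin !== 'string' || event.origin === 'null') {
    return { accept: false, canReply: false, reason: 'opaque-origin' };
  }
  // Exact match only: startsWith/indexOf checks also pass "https://app.example.evil".
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { accept: false, canReply: false, reason: 'origin-not-allowed' };
  }
  // event.source is null once the sending browsing context has been closed or navigated
  // away; event.source.postMessage(...) would throw a TypeError at that point.
  if (event.source === null) {
    return { accept: true, canReply: false, reason: 'source-gone' };
  }
  return { accept: true, canReply: true, reason: 'ok' };
}

// Reply only to a verified source, and only with the origin that was verified (never "*").
function reply(event, payload) {
  const verdict = classifyMessage(event);
  if (verdict.canReply) event.source.postMessage(payload, event.origin);
  return verdict;
}

// The pattern the check above replaces. Both steps are wrong: origin is never the value
// null, and the substring test also matches a lookalike host.
function weakCheck(event) {
  if (event.origin === null) return false;
  return event.origin.indexOf('app.example') !== -1;
}

// Constructed MessageEvent-like objects; the mock `source` records what postMessage got.
function mockSource() {
  return { sent: [], postMessage(message, targetOrigin) { this.sent.push([message, targetOrigin]); } };
}
const SAMPLES = {
  sandboxed: { origin: 'null', source: mockSource(), data: 'hello' },
  closed: { origin: 'https://app.example', source: null, data: 'hello' },
  lookalike: { origin: 'https://app.example.evil', source: mockSource(), data: 'hello' },
  good: { origin: 'https://app.example', source: mockSource(), data: 'hello' },
};

function runSamples() {
  const out = {};
  for (const [name, event] of Object.entries(SAMPLES)) {
    out[name] = { hardened: reply(event, { ack: true }).reason, weak: weakCheck(event) };
  }
  return out;
}

if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => reply(event, { ack: true }));
}
console.log(runSamples());
```

In a real page the `data` field still needs its own validation after the origin check; this example only decides whether the message is worth parsing and whether a reply can be sent.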
New research just dropped on the Critical Research Lab! Big thanks to @0xn3va, come read it at: lab.ctbb.show/research/langs…
alex retweeted
We've published a new blog post by RyotaK @ryotkak He discovered 8 methods to bypass safety mechanisms in Claude Code, leading to arbitrary command execution. We recommend updating to v1.0.93 or later to fix this vulnerability (CVE-2025-66032). flatt.tech/research/posts/pw…
27 Dec 2025
This is such a clever cross-origin leak - HTTP headers are used more and more so I doubt this will be the end of this kind of approach
26 Dec 2025
Cross-Site ETag Length Leak blog.arkark.dev/2025/12/26/e… I just posted the author writeup for impossible-leak in SECCON CTF 14 Quals. As far as I know, this is a new XS-Leak technique! The ETag header can become a side channel :)
alex retweeted
18 Dec 2025
Not only can you pollute `then`, but you can also pollute `return`! Both behaviors are specified in the ECMAScript spec.
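An added example of both behaviours in the tweet, written for this page and not the tweet author's code: promise resolution performs `Get(value, "then")` on any non-promise object, and early exit from a loop or an array destructuring runs IteratorClose, which performs `GetMethod(iterator, "return")`. Both lookups walk the prototype chain, so a polluted `Object.prototype.then` or `Object.prototype.return` is reached by ordinary code. Each function cleans the prototype up again; the `serialize` chain exists only because the `then` demo mutates global state and must not overlap with itself.

```javascript
// Added example, not the tweet author's code: a polluted Object.prototype.then is reached
// through promise resolution, a polluted Object.prototype.return through IteratorClose.
// Run with: node proto-then-return.js
'use strict';

// Resolving a promise with (or awaiting) a plain object does Get(value, "then") and, if the
// result is callable, calls it with this === value. Objects with no own `then` reach
// Object.prototype.
let serialize = Promise.resolve(); // the demo mutates a global; run calls one at a time

function demoThenPollution() {
  serialize = serialize.then(async () => {
    const calls = [];
    Object.defineProperty(Object.prototype, 'then', {
      configurable: true, writable: true, enumerable: false,
      value(resolve) {
        calls.push(Object.keys(this));  // this is the object being resolved: ['secret']
        delete Object.prototype.then;   // unpollute before resolving, or this recurses
        resolve({ hijacked: true });    // the awaiting code receives attacker-chosen data
      },
    });
    try {
      const result = await { secret: 42 }; // a plain object with no own `then`
      return { calls, result };
    } finally {
      delete Object.prototype.then;
    }
  });
  return serialize;
}

// `break`, `return`, a throw, or a destructuring that does not drain the iterator all run
// IteratorClose, which looks up `return` on the iterator. Built-in array and string
// iterators have no own `return`, so the lookup reaches Object.prototype.
const gen = function* () { yield 1; yield 2; };

function demoReturnPollution() {
  const calls = [];
  Object.defineProperty(Object.prototype, 'return', {
    configurable: true, writable: true, enumerable: false,
    value() {
      calls.push(Object.prototype.toString.call(this)); // this is the iterator being closed
      return {}; // IteratorClose requires an object result; undefined would throw a TypeError
    },
  });
  try {
    const [first] = [1, 2, 3];            // stops after one element -> IteratorClose
    for (const _x of [10, 20]) { break; } // early exit -> IteratorClose
    for (const _y of gen()) { break; }    // generators carry their own `return`: not reached
    return { calls, first };
  } finally {
    delete Object.prototype.return;
  }
}

console.log('return pollution:', demoReturnPollution());
demoThenPollution().then((r) => console.log('then pollution:', r));
```

The `return` gadget fires twice here (the destructuring and the array `for...of`) and not at all for the generator, because `%GeneratorPrototype%` defines its own `return`. The `then` gadget is the reason a prototype-pollution sink that only seems to reach "harmless" plain objects is still worth fixing: anything that `await`s one of them hands control to the polluted function.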
alex retweeted
Part 3 of our Hacking AI Apps series. This time we hacked OpenAI Atlas Browser: A vulnerability that let us control tabs, leak browsing activity, and hijack your Reddit/Facebook accounts by stealing OAuth tokens. hacktron.ai/blog/hacking-ope… Stay tuned for Part 4: Antigravity!
19 Nov 2025
Not only a really interesting chain of bugs - but IMO it shows how LLMs can help at certain parts during an assessment. I can't wait to use it myself. Keep up your good work :-)
18 Nov 2025
Replying to @S1r1u5_
We believe AI accelerates cyber attacks by closing the knowledge gap faster. We used Hacktron CLI to prove it - compressing weeks of research into days. Read more about it here: hacktron.ai/blog/supapwn
alex retweeted
13 Nov 2025
Release of our new paper (w/ @inzo____) which resulted in CVE-2025-64525: Astro framework and standards weaponization from path-based middleware protection bypass to potential SSRF & XSS full bypass of CVE-2025-61925 on @astrodotbuild zhero-web-sec.github.io/rese…