CTFs, security, and whatever broke today

Joined February 2019
Pinned Tweet
Found a full-blown CSP bypass on the current version of Firefox (69). Not working on the beta version. PoC: abrasax.club/?payload=<object data="javascript:alert(1)"></object> #bugbounty

Matheus Vrech retweeted
Elytron Talks #02 is out! I hosted the chat with @0xTeles and fepame about how Bug Bounty creates professionals for real attacks. 👇 youtube.com/watch?v=bnv2URNt…
Matheus Vrech retweeted
Next.js v16.2.5 fixes a bunch of vulnerabilities reported by @HacktronAI. Patch ASAP, especially if you're running self-hosted Next.js, as the SSRF might affect you.
CVE-2026-44574: Middleware / Proxy bypass via dynamic route parameter injection
CVE-2026-44578: SSRF in applications using WebSocket upgrades
CVE-2026-44581: XSS in App Router applications using CSP nonces
Matheus Vrech retweeted
Replying to @caueobici @girorme1
Stories your grandfather never told you about Firebase - @vrechson & @Highustavo
Images are hard - Thumbor 0days - @caioluders
SunCodeQL - Solving Frontend Complexity with SAST - m4z4r0p3
m4qu1n4 d0 mund0.ANS - gld
Matheus Vrech retweeted
🚨: This is Tatiana Sampaio, a Brazilian scientist who restored movement in six paraplegic patients.
Matheus Vrech retweeted
We found an RCE in Google's AI code editor Antigravity - $10000 Bounty. Link to the blog in comments:
Matheus Vrech retweeted
I began looking into browser security issues again in 2026 and while reviewing extension permission APIs, I noticed that the default declarativeNetRequest API (which only requires permission to block content on all pages) can be leveraged into a side-channel attack. This permission ends up allowing an extension to infer the full URL of open tabs without requesting the chrome.tabs permission, and it can also leak the full URL of cross-origin redirects. Unfortunately, fixing this issue has been deemed unrealistic by Chrome, and the risk has been accepted, so it is worth keeping this in mind when granting content-blocking permissions to browser extensions. The complete public report can be found at issues.chromium.org/issues/4….
Matheus Vrech retweeted
Leaking FXAuth Token leading to account takeover ($65,000) ysamm.com/uncategorized/2026…
Instagram account takeover via Facebook Pixel script abuse ($32,500) ysamm.com/uncategorized/2026…
Multiple XS-leaks disclosing Facebook users in third-party websites ($8,400) ysamm.com/uncategorized/2026…
Matheus Vrech retweeted
15 Oct 2025
🟥 Positive Hack Talks → São Paulo 🇧🇷 Dec 10th, 2025 🗣️ Speakers — submit papers (flights/hotel covered). CFP link in thread 👇 💻 Cybersecurity community — join our most community-driven event. ➡️ phtalks.ptsecurity.com/saopa… Free · 8 talks · limited spots #PHTalks
Matheus Vrech retweeted
14 Aug 2025
Securing @gumroad with Hacktron AI Three months ago, Hacktron was still early. @HacktronAI and @rootxharsh were finding 0-days targeting specific vulnerabilities on OSS software. Then we ran a full pentest-style scan on a big open-source project. The results were insane. 🧵
Nice to meet such a brilliant team!
10 Aug 2025
Team Hacktron at @defcon! It was great to meet many of you and talk about the future of AI-powered security.
Matheus Vrech retweeted
16 Apr 2025
We tested a pre-release version of o3 and found that it frequently fabricates actions it never took, and then elaborately justifies these actions when confronted. We were surprised, so we dug deeper 🔎🧵(1/) x.com/OpenAI/status/19125493…
16 Apr 2025
OpenAI o3 and o4-mini openai.com/live/
Matheus Vrech retweeted
Brazil made history last weekend, and of course, ELT was a part of it! Thanks @GaneshICMC, @boitatech, @gris_ufrj and #hawksec_unifei for the partnership! We got 17th place, the best Brazilian result, at #DEFCONCTF Quals as "pwn de queijo"! Thanks @hackaflag for hosting us!
Matheus Vrech retweeted
#genuary7 #genuary2025 Use software that is not intended to create art or images. youtube.com/watch?v=lTuvI9R3… Bad Apple, but it's HTTP in Burp Suite
Matheus Vrech retweeted
Seeing paulosyibelo.com/2024/12/dou… in PortSwigger's top 10 made me remember a trick I found a few years ago, where if a button has an ID attribute, you can trick users into submitting it by holding enter (or space). Guess lots of places are affected 😅 PoC: lbherrera.me
Matheus Vrech retweeted
We're thrilled to share that we'll be joining @h2hconference this December in Brazil, and we want YOU to be a part of it! 🎉 Our Call for Papers is officially open! sessionize.com/rtv-hackers-2… We can't wait to see what you've got and to connect with all of you in person. See you there for an unforgettable time! 🙌✨ #H2HConference
Hope to find a growing infosec community on Bluesky; I would honestly be happier if I could move to another social network forever.