libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms
https://hackerone.com/reports/3680680
Posts by Securitycipher
How to Get Started with Cybersecurity and Ethical Hacking
infosecwriteups.com/how-to-get-started-with-...
Stored XSS via Custom Template Injection — How I Bypassed Cloudflare WAF
medium.com/@mostafaabogoda8/stored-...
Hardware Hacking Survival: Bypassing PC Limitations to Flash a Bootable Kali Linux ISO
medium.com/@internetthvm/hardware-h...
Web Security Series #15 — Exploiting Command Injection for Reverse Shell
medium.com/@laibakashif0011/web-sec...
How I Found an Unauthenticated POST Endpoint in a Production API - A Real Bug Bounty Story
medium.com/@zishanfiroz/how-i-found...
⚙️ 03. — Forced OAuth profile linking
medium.com/@The4v1/%EF%B8%8F-03-for...
Why I Thought I Found a Zero-Day: The False Positive Trap in Bug Bounty
meetcyber.net/why-i-thought-i-found-a-...
From Nothing to Full Admin Access: Chaining Broken Access Controls
infosecwriteups.com/from-nothing-to-full-adm...
Stored XSS in attachment-display exploitable through SameSite
https://hackerone.com/reports/3594137
Is Your App Still Thinking About Your Ex-User?
medium.com/mobile-app-development-p...
How I Crashed a Blockchain Node with a Single Vote (CVE-2026-40583)
medium.com/@sumitshahorg/how-i-cras...
AI Agents Think. They Just Don’t Know They’re Being Watched.
ad3sh.medium.com/ai-agents-think-they-jus...
SSRF Server-Side Request Forgery: Make the Server Your Agent, Explore the Internal Network!
medium.com/@HackerMD/ssrf-server-si...
Day-6: Let’s do some labs on CSRF
smartpicks4u.medium.com/day-6-lets-do-some-labs-...
A Practical Guide to Testing Static Websites for Security Vulnerabilities
mainekhacker.medium.com/a-practical-guide-to-tes...
libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay
https://hackerone.com/reports/3680234
From Zero Auth to Admin Access
medium.com/@youssefmohamedsaadhelal...
Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs
https://hackerone.com/reports/3601655
Unauthorized Account Deletion via HTTP Method Manipulation. A Business Logic Flaw in REST API Design
medium.com/@Mo_serag/unauthorized-a...
From Merely Changing a Number to a Major Hole: An IDOR Story in the Job Applications Feature
medium.com/@dianahmad929/%EF%B8%8F-...
API Pentesting Mastery Series - Part 3: Advanced Vulnerabilities & Modern Defense
bughunteryash2511.medium.com/%EF%B8%8F-api-pentesting...
I Followed TCM’s External Pentest Playbook — Here’s What Happened
medium.com/@prathmeshawaghade18/i-f...
Browser Back Button
medium.com/@amalashoka434/browser-b...
Breaking Into a Major Email Platform With Two Vulnerabilities
prateekpulastya.medium.com/breaking-into-a-major-em...
Top AI Tools Every Bug Bounty Hunter Must Use (2026 Guide)
medium.com/@prateek.baghela/top-ai-...
Everyone Is Doing Recon Wrong — And They Don’t Even Know It
medium.com/@clipp3r/everyone-is-doi...
Kali MCP Server Explained | API Integration for Security Labs
medium.com/@pentesterclubpvtltd/kal...
YesWeHack — Dojo #1 Writeup
zor0ark.medium.com/yeswehack-dojo-1-writeup...
How I Turned an AI Search Endpoint into an Internal Org Intel Leak
medium.com/@shxsu1/how-i-turned-an-...