Infosec Trending Feed
Daily-updated intelligence feed tracking CVEs, zero-days, exploit releases, bug bounty writeups, breach reports, red-team research, hacking tools, and real-time infosec trends from leading sources worldwide.
Updated on: 7:13 AM IST, 20 May 2026
HackerOne Hacktivity
- No recent public disclosures in the last 24 hours - The feed showed no new public reports within the 24-hour window.
Medium.com (Tag: BugBounty & InfosecWriteups)
- When APIs Don’t Play by the Rules — Multiple Authorization Bypasses in a SaaS Platform - A detailed writeup on discovering authorization bypasses in a SaaS environment.
- SQL & NoSQL Injection in APIs-The Vulnerability That Still Puts YOUR Data at Risk - An overview of modern injection techniques in API endpoints.
- How I hacked the reports database of a Mid‑Cap Industrial Stock while my flatmate grinded Valo😉 - A narrative writeup on a database breach in an industrial sector company.
- Paywall bypass exposing the premium articles for free - A quick exploit demonstration for bypassing common paywall implementations.
Intigriti 'BugBytes' & YesWeHack Blog Writeups
- No recent updates in the last 24 hours - The latest Intigriti Bug Bytes was published in April 2026, and YesWeHack's blog returned a 404 for the specific writeups category.
GitHub: arkadiyt/bounty-targets-data
- No recent commits in the last 24 hours - The repository commit history showed no updates within the last 24 hours.
getdisclosed.com Aggregator
- Disclosed. April 20, 2026. H1-361 MVH, Vercel Compromised, Caido x YWH Integrations, Opus 4.7 Launch + Leak, and More. - A weekly curation of major infosec events and writeups.
Twitter/X
- CVE-2026-42897 is Microsoft Exchange's newest zero-day — and there's no patch. - Mansour Ali discusses a new Microsoft Exchange zero-day vulnerability.
Reddit: r/netsec
- Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments - A new platform for deploying and learning from vulnerable AWS environments.
- New Age of Collisions: Reading Arbitrary Files Pre-Auth as root in cPanel (CVE-2026-29205) - A detailed write-up on a cPanel vulnerability allowing arbitrary file reading.
- GhostTree: Unveiling Path Manipulation Techniques to Bypass Windows Security - Research on path manipulation techniques to bypass Windows security.
Lobste.rs (Security Tag)
- PinTheft Linux LPE - A Linux Local Privilege Escalation vulnerability named PinTheft.
- It’s all in the name - A discussion on the implications of naming conventions in security.
- My domain got abused on Github Pages - An account of domain abuse on GitHub Pages.
Mastodon Infosec.exchange Trends
- Google Search as you know it is over - Discussion on Google's AI-driven search changes and their implications.
- Before you worry about AI threats, fix your security fundamentals - An article emphasizing the importance of basic security fundamentals over AI threats.
Telegram/Discord: vx-underground & PayloadsAllTheThings
- No updates found within the last 24 hours for vx-underground.
- No updates found within the last 24 hours for PayloadsAllTheThings.
The Hacker News
- Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps - Researchers disclosed a massive ad fraud operation involving 455 malicious Android apps and 183 C2 domains.
- DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability - Proof-of-concept exploit code released for a Linux kernel flaw allowing local privilege escalation.
- The New Phishing Click: How OAuth Consent Bypasses MFA - EvilTokens platform compromised over 340 Microsoft 365 organizations using OAuth consent phishing.
- Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare - Drupal warns of a critical core security release scheduled for May 20, urging immediate updates.
- SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access - Critical flaws in SEPPMail gateway could allow remote code execution and unauthorized email access.
- Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer - A popular VS Code extension was compromised to deliver a multi-stage credential stealer.
- Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials - Threat actors used imposter commits in a popular GitHub Action to harvest sensitive CI/CD credentials.
- Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account - A supply chain attack compromised multiple npm packages in the @antv ecosystem to spread malware.
BleepingComputer
- Max-severity flaw in ChromaDB for AI apps allows server hijacking - A critical vulnerability in ChromaDB's FastAPI version allows unauthenticated remote code execution.
- Cybercrime service disrupted for abusing Microsoft platform to sign malware - Microsoft disrupted a "Fox Tempest" operation that abused its Artifact Signing service to sign malware.
- Discord rolls out end-to-end encryption on voice, video calls - Discord has implemented default end-to-end encryption for all voice and video communications.
- FBI: Americans lost over $388 million to scams using crypto ATMs in 2025 - New FBI data highlights massive losses to cryptocurrency kiosk-related fraud schemes.
- Microsoft Self-Service Password Reset abused in Azure data theft attacks - Threat actors are leveraging legitimate Azure features to steal data from production environments.
SecurityWeek
- Drupal to Patch Highly Critical Vulnerability at Risk of Quick Exploitation - Security teams are urged to prepare for an immediate patch for a critical Drupal core flaw.
- Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks - Attackers are increasingly using the MSHTA utility to deliver persistent malware stealthily.
- B1ack’s Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards - A cybercrime marketplace released a massive database of stolen credit cards for free.
- Critical Vulnerability Exposes Industrial Robot Fleets to Hacking - CVE-2026-8153 affects Universal Robots PolyScope, allowing OS command injection in industrial environments.
- 7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand - 7-Eleven confirmed a breach involving over 600,000 Salesforce records following a ransom demand.
Krebs on Security
- CISA Admin Leaked AWS GovCloud Keys on Github - A CISA contractor accidentally exposed highly privileged AWS GovCloud credentials in a public repository.
DataBreaches.net
- Chairman Cassidy, Tuberville Seek Answers on Canvas Cybersecurity Incident - US Senators demand accountability following the massive Canvas/Instructure data breach.
- Congress Learns of Prescription Data Hack Months Later - Lawmakers were recently notified of a March breach at a medical contractor managing congressional prescriptions.
- Extant Aerospace Data Breach Exposed SSNs for More Than 3,000 People - A defense electronics firm disclosed a breach affecting thousands of individuals' sensitive data.
Risky Business
- Between Two Nerds: Russia's hacker university - A deep dive into the educational infrastructure supporting Russian state-sponsored hacking operations.
- Srsly Risky Biz: Thursday May 19 - Weekly intelligence briefing covering major policy and security shifts.
CIO ET
- Fireside Chat: Cloud Security & Zero-Trust Modernisation - Industry leaders discuss strengthening cloud environments and embracing zero-trust architectures.
- CERT-In finds multiple bugs in Microsoft Edge, advises users to update - India's cyber agency warns of critical vulnerabilities in Edge that could lead to remote code execution.
- Tech Mahindra and Cisco to deliver AI-powered firewall solution - Partnership aims to modernize network security with unified policy management and threat intelligence.
NIST NVD & CVE Mitre
- CVE-2026-8975 - Memory safety bugs in Thunderbird 140.10 and 150 potentially allowing arbitrary code execution.
- CVE-2026-8974 - Memory corruption vulnerabilities in Thunderbird fixed in Firefox 151 and Thunderbird 140.11.
- CVE-2026-8973 - Memory safety bugs in Thunderbird 150 fixed in Firefox 151 and Thunderbird 151.
- CVE-2026-8972 - Privilege escalation in WebRTC: Audio/Video component fixed in Firefox 151.
- CVE-2026-8971 - Same-origin policy bypass in Networking: JAR component fixed in Firefox 151.
- CVE-2026-8970 - Privilege escalation in the Security component fixed in Firefox 151 and Thunderbird 151.
- CVE-2026-8969 - Mitigation bypass in DOM: Security component fixed in Firefox 151 and Thunderbird 151.
- CVE-2026-8968 - Denial-of-service via invalid pointer in Audio/Video: Web Codecs fixed in Firefox 151.
PoC-in-GitHub & GitHub Advisories List
- RClone: Unauthenticated operations/fsinfo - Critical unauthenticated local command execution in rclone.
- Mako: Path traversal via double-slash URI prefix - High severity path traversal in Mako templates.
- Mlflow: Command Injection in model serving - Critical command injection when serving models with enable_mlserver=True.
- Keycloak: Unauthorized authentication via disabled SAML IdP - High severity unauthorized authentication in Keycloak.
GitHub Search: 'CVE-2026' OR 'CVE-2025' created:today
- learner202649/CVE-2026-42271-PoC - New repository for reproducing CVE-2026-42271 vulnerability.
Exploit-DB & Packet Storm Security
- Packet Storm Security - No specific new exploits found in the last 24 hours, due to access restrictions or no updates.
- Exploit-DB - No new exploits listed in the last 24 hours.
GitHub: GhostTroops/TOP (Trending Offensive Projects)
- copy-fail-CVE-2026-31431 - 9-year-old Linux kernel LPE found by Theori's Xint Code.
- Nginx-Rift - Exploit for CVE-2026-42945 recently updated.
- next-16.2.4-pocs - Collection of security PoCs for Next.js v16.2.4.
- CVE-2026-21858 - n8n Ni8mare unauthenticated RCE exploit.
⚠️ This content is automatically collected by an AI bot from public web sources and may contain inaccuracies.
Developed by @win3zz