Hey there! It’s been a busy week.

This was my first week back to work after the holiday slow-down. I’ve been working on a few projects for HackerOne that I think will be genuinely good for the ecosystem, and I can’t wait to talk more about them. I’ve gotta keep my mouth shut for now 😉

I also made some great progress on my automation pipeline for Disclosed. There are a lot of new features coming together on my side to remove friction and make it easier to get this newsletter out consistently. For example:

  • Automated author attribution across multiple handles and platforms

  • The ability to take content from a tweet and feature the linked content itself, rather than embedding the tweet

  • Automated tuning of my scoring system based on feedback during triage

If none of this makes sense, it’s probably because you’re missing some context on how I’ve automated the pipeline for curated content for this newsletter. Let me know if you’d like to see a detailed blog post or write-up on how it all fits together. I personally think it’s pretty cool.

I’ve also started building an “event ops” system to help streamline the many administrative tasks involved in running Bug Bounty Village. This includes CFP review, speaker and volunteer scheduling, badge allocation, and more. This is still very much a work in progress, but I’m trying to get ahead and take advantage of the downtime before travel and BBV prep kick off in a few months.

Anyway, enough about me. On to this week’s content.

Let’s dive in.

PortSwigger opened nominations for the annual Top 10 web hacking techniques of 2025, focused on novel, reusable web-security techniques published over the past year. The post lays out the nomination and voting timeline and links prior years' winners, making it a useful barometer for where the research community is heading.

YesWeHack published its 2025 leaderboard, highlighting the top-ranked bounty hunters and recognizing high-volume contributors. It's a quick snapshot of activity and performance on the platform over the past year.

GitHub Security shared December 2025 program metrics, including report volume, participating hackers, and total payouts. The post also links back to the official submission portal for new reports.

Have something you want to Spotlight? Tell me.

n8n Critical Authenticated RCE (CVE-2026-21877, CVSS 10.0) [𝕏 Tweet]
by TheHackersNews (@TheHackersNews)

A report flagged a critical authenticated RCE in n8n (CVE-2026-21877) that can lead to full instance compromise. Instances in the affected version range should be patched immediately and validated against any vendor-provided mitigations.

Bugcrowd shared a breakdown of how reports are validated, with an emphasis on what accelerates triage and reduces back-and-forth. It focuses on practical report-writing signals that make impact and reproducibility clearer for analysts.

Intigriti announced a monthly Office Hours format featuring live Q&A with researchers across Discord and X Spaces. The post includes details for joining the first session.

Bangladesh Bug Hunt 2026: Event Timeline [𝕏 Tweet]
by Bug Bounty Community Bangladesh (@bbcbd_official)

Bug Bounty Community Bangladesh shared the schedule for HackerOne BUG HUNT 2026, covering finalist arrival, competition hours, and conference check-in/start times. The post includes an event link and timetable graphic.

YesWeHack announced a public Keycloak bug bounty with a white-box setup and bounties up to 5,000. Given Keycloak's footprint in identity stacks, this is a notable addition for auth-focused testing.

Hemi Launches Bug Bounty Program on Bugcrowd [📓 Blog]
by hemi_xyz (@hemi_xyz)

Hemi launched a public engagement on Bugcrowd, adding a new target for researchers tracking fresh scope. The link points directly to the program page with participation details.

Manchester In-Person HackerOne Meetup (Jan 31) [📓 Blog]
by Nathan Jones (@njcve_)

A community post announced an in-person HackerOne event in Manchester on January 31, with a registration link for attendees. It's logistics-focused rather than technical content.

Did I miss an important update? Tell me.

Scilla is a recon utility focused on DNS enumeration, subdomain discovery, and port scanning to support early-stage target mapping. It's positioned as a lightweight addition to automated recon pipelines where quick breadth matters.

This tweet shares a Burp Suite extension that parses minified JavaScript to pull out endpoints, file paths, emails, and occasional secret material. It's aimed at reducing manual JS triage when mapping API surface on JS-heavy targets.

LeakHub: Crowd-Sourced System Prompt Leak Verification [🛠️ Tool]
by Pliny the Liberator (@elder_plinius)

LeakHub is presented as a crowd-sourced catalog for leaked system prompts, with a workflow for re-testing prompt leaks against fresh chats. The announcement is light on implementation details, but the idea targets repeatability and verification in prompt-leak reporting.

Caido v0.54.0 adds HTTPQL autocompletion based on previously used queries, making it faster to reuse common filters during traffic review. The announcement includes links to supporting material and a short demo.

GAP v6.3 updates its link-matching regex and includes small performance improvements, plus a change intended to reduce memory growth in longer sessions. It's a practical maintenance release for Burp-heavy workflows.

xnLinkFinder v7.14 adds PDF-aware handling by converting PDF responses to text before extracting endpoints and parameters. The release notes call out poppler-utils (pdftotext) as the preferred backend for better extraction quality.

xnldorker v4.0 adds DuckDuckGo Lite as a dorking source and improves CAPTCHA detection on DuckDuckGo. The release notes also mention requiring --show-browser for DuckDuckGo sources to function reliably.

altdns-ng is a Go reimplementation of altdns geared for high-throughput subdomain permutation and resolution. It includes parallel resolution, wildcard detection, DoH support, checkpointing for long runs, and multiple output formats, useful for scaling permutation-based recon without drowning in false positives.

Tiny XSS Payloads [🛠️ Tool]
by terjanq (@terjanq)

Tiny XSS Payloads is a compact reference list of minimal XSS probes annotated by execution context and browser constraints. It's best treated as a payload shortlist for quick fuzzing and triage across different sinks, CSP constraints, and parsing quirks.

Have a favorite tool? Tell me.

This post examines how malicious MCP server responses can pollute agent outputs when models treat returned JSON as free-form text and attempt to auto-correct and interpret it. It demonstrates an injection path via GitHub MCP where embedded JSON content influences the model's parsed representation, motivating strict parsing, schema validation, and integrity/authentication controls on MCP channels.
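As an added illustration (not code from the post or from any MCP project), here is the strict, fail-closed parsing the post argues for, applied to a hypothetical issue-list tool result; the schema, key names and allowed states are assumptions:

```python
import json

# Hypothetical result schema for a tool that lists issues (constructed for
# this example): exact key set, expected Python type per key.
ISSUE_SCHEMA = {"number": int, "title": str, "state": str}
ALLOWED_STATES = {"open", "closed"}


class ToolResultError(ValueError):
    """Raised for any tool output that is not exactly what was expected."""


def parse_issue_list(raw):
    """Strictly parse a tool result into a list of issue dicts.

    No repair or guessing: the whole payload must be valid JSON with
    nothing before or after it, every item must carry exactly the
    schema's keys with the right types, and enumerated fields must hold
    known values. Anything else raises, so stray text never reaches the
    model labelled as 'data the tool returned'.
    """
    try:
        data = json.loads(raw)          # rejects trailing/leading text
    except json.JSONDecodeError as e:
        raise ToolResultError(f"not strict JSON: {e.msg}") from None
    if not isinstance(data, list):
        raise ToolResultError("top level must be a JSON array")
    out = []
    for i, item in enumerate(data):
        if not isinstance(item, dict) or set(item) != set(ISSUE_SCHEMA):
            raise ToolResultError(f"item {i}: unexpected key set")
        for key, typ in ISSUE_SCHEMA.items():
            # bool is a subclass of int, so reject it explicitly
            if not isinstance(item[key], typ) or isinstance(item[key], bool):
                raise ToolResultError(f"item {i}: {key} has wrong type")
        if item["state"] not in ALLOWED_STATES:
            raise ToolResultError(f"item {i}: unknown state")
        out.append(item)
    return out
```

Schema validation bounds the structure only; free-text fields such as title remain untrusted data and must be presented to the model as data, never as instructions.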

This write-up covers an authentication bypass in OpenFlagr (<= 1.1.18) discovered via quick code review and tracked as CVE-2026-0650. It links the patch and walks through the underlying auth-handling mistake, reinforcing how small logic gaps in access control can translate into full admin exposure.

$3,500 HTML Injection Chain via CSRF-Like Abuse [📓 Blog]
by Novran (@xchopath)

This post describes chaining stored HTML injection with missing token-based CSRF defenses to force privileged actions when an admin views attacker-controlled content. It uses an auto-submitting form to create a new organization user, highlighting that SameSite cookies don't replace explicit CSRF tokens for state-changing requests.

From LFI to Root RCE via Leaked SSH Key [📓 Blog]
by A.fahimi (@af4himi)

This write-up details an LFI that escalated into root-level compromise after the attacker used arbitrary file reads to recover an SSH private key. It's a clean example of why read-only bugs routinely become full takeovers when sensitive credentials and overly privileged services are in play.

This post walks through an account takeover rooted in token mishandling and a broken trust boundary between client and server. The final impact is reached through authorization failures, including an IDOR-style password change that enables full admin takeover when token claims are improperly trusted.

This write-up documents a reflected XSS in a search endpoint and the iteration required to bypass a restrictive WAF. The final payload pivots to an uncommon event handler (oncontentvisibilityautostatechange) and uses optional chaining to reach code execution, illustrating how indirect invocation patterns can slip past signature-heavy filtering.

Did I miss something? Tell me.

This post continues a series on Google-based recon, focusing less on classic dorking and more on discovery via Google Docs and Slides exposures tied to a target. It highlights how document ecosystems can leak internal URLs, credentials, and operational context that can materially expand attack surface.

This thread outlines an Android recon workflow starting from APK acquisition and extraction through static/dynamic analysis and attack-surface mapping. It also calls out common tooling used to identify exported components, hardcoded endpoints, and API interactions worth probing.

This article breaks down virtual host fuzzing with ffuf, emphasizing how wordlist quality and infrastructure context drive results more than raw request volume. It frames vhost discovery as an attack-surface expansion technique for uncovering hidden apps behind shared IPs and front doors.

Did I miss something? Tell me.

Client Side 01: postMessage Bugs [🎥 Video]
by Amr Elsagaei (@amrelsagaei)

This video breaks down common postMessage failure modes, including weak origin validation and unsafe sinks that lead to XSS, data leakage, and account compromise. It frames analysis around the sender/receiver/sink model and demonstrates patterns that typically require manual review in multi-domain iframe flows.

Bugbounty.forum Q&A (Ep. 156) [🎥 Video]
by Critical Thinking Podcast

This Q&A episode covers community questions spanning strategy, workflow, and tooling, including discussion of the Cross-Site ETag Length Leak and a pointer to Clawdbot. The content is more about prioritization and execution (target mapping, scope management, avoiding time sinks) than exploit-level deep dives.

The video argues that mass payload spraying tends to plateau and that higher-signal bugs come from understanding real application flows. It focuses on auth/state transitions, OAuth and redirect logic, and business-process abuse as more reliable paths to impactful findings.

Did I miss something? Tell me.

This tweet highlights a CSRF angle against JSON-only endpoints when servers fail to strictly enforce Content-Type. It's a reminder that relying on CORS assumptions without server-side validation can leave state-changing requests forgeable.
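As an added example covering both this tweet and the HTML-injection-to-CSRF write-up above (not code from either author), here is a fail-closed check for a state-changing JSON endpoint: an exact media-type match, an Origin check, and an explicit token compared in constant time. ALLOWED_ORIGIN and the header names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed application origin (constructed for this example).
ALLOWED_ORIGIN = "https://app.example"


def media_type(content_type):
    """Return the bare media type, lower-cased, parameters stripped."""
    return content_type.split(";", 1)[0].strip().lower()


def issue_csrf_token():
    """Per-session secret the client must echo back in X-CSRF-Token."""
    return secrets.token_urlsafe(32)


def validate_state_change(headers, session_token):
    """Checks for a JSON endpoint that changes server state.

    headers: dict of request headers (looked up case-insensitively).
    session_token: the CSRF token stored server-side for this session.
    Returns (ok, reason); every failure path is explicit.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. A cross-site <form> can only send form-urlencoded, multipart or
    #    text/plain bodies, so requiring application/json exactly (not a
    #    substring match) blocks form-based forgeries of JSON bodies.
    if media_type(h.get("content-type", "")) != "application/json":
        return False, "content-type must be application/json"

    # 2. Browsers attach Origin to cross-site POSTs; a missing or foreign
    #    origin is rejected rather than assumed to be same-site.
    origin = h.get("origin")
    if origin is None:
        return False, "missing Origin header"
    if urlsplit(origin)[:2] != urlsplit(ALLOWED_ORIGIN)[:2]:
        return False, "foreign Origin"

    # 3. Explicit token: SameSite is a browser default that can be relaxed
    #    or bypassed, so the token stays the primary control.
    supplied = h.get("x-csrf-token", "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "bad CSRF token"
    return True, "ok"
```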

This tweet shows an XSS bypass where server-side filtering strips double quotes, unintentionally normalizing a broken-up payload into a valid <svg onload=...> construct. It's a crisp example of how mutation-based filtering can create, not remove, exploitability.
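As an added example (not from the tweet), here is a regression check a defender can run against a sanitizer: it flags any tag name or event-handler attribute that exists in the sanitizer's output but not in its input, which is exactly the mutation the tweet describes. The naive quote-stripping filter and the test fragment are constructed for illustration.

```python
import html
import re

TAG_RE = re.compile(r"<\s*([a-z][a-z0-9]*)", re.I)
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)


def strip_double_quotes(value):
    """Naive 'sanitizer' of the kind described above: deletes every '"'.

    It mutates the input instead of encoding it, so fragments that were
    inert on the way in can be assembled into a working tag on the way out.
    """
    return value.replace('"', "")


def encode_for_html(value):
    """Output encoding: never changes structure, only escapes metacharacters."""
    return html.escape(value, quote=True)


def introduced_markup(sanitizer, value):
    """Compare markup before and after a sanitizer runs.

    Returns (new_tag_names, new_handler_attribute). A non-empty list or
    True means the filter created structure rather than removing it, so
    the sanitizer must be rejected (or its output re-validated).
    """
    after_text = sanitizer(value)
    before_tags = {t.lower() for t in TAG_RE.findall(value)}
    after_tags = {t.lower() for t in TAG_RE.findall(after_text)}
    had_handler = HANDLER_RE.search(value) is not None
    has_handler = HANDLER_RE.search(after_text) is not None
    return sorted(after_tags - before_tags), has_handler and not had_handler
```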

SSRF to Cloud Metadata Often Escalates to Full Takeover [𝕏 Tweet]
by Omar Abdelsalam (@lex_is1)

A short reminder that SSRF reaching cloud metadata services (e.g., 169.254.169.254) commonly yields credentials, tokens, and secrets that can translate into full cloud compromise. It calls out impact under-rating as a recurring triage failure mode.
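As an added defender-side example (not from the tweet), here is an outbound-URL check that judges the resolved address rather than the URL text, so literal, IPv4-mapped IPv6, decimal and hostname forms of the metadata service are all caught. The resolver hook is an assumption added so the check can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _resolve(host):
    """Default resolver; callers may inject a fake one for offline tests."""
    return socket.gethostbyname(host)


def is_blocked_address(addr):
    """True for any address an outbound fetch must never reach."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:169.254.169.254) is judged as the IPv4 it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global or ip.is_link_local or ip.is_private
            or ip.is_loopback or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url, resolver=_resolve):
    """Return (allowed, reason_or_address) for a user-supplied URL.

    The decision is made on the resolved address; the caller must then
    connect to that address rather than re-resolving the name, or a
    rebinding name could pass here and point elsewhere on connect.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)      # literal address: no lookup needed
        addr = host
    except ValueError:
        try:
            addr = resolver(host)       # 2852039166-style forms land here too
        except OSError:
            return False, "unresolvable host"
    if is_blocked_address(addr):
        return False, "resolves to non-public address " + addr
    return True, addr
```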

This tweet shares a compact time-based blind SQLi confirmation payload using stacked queries and SLEEP (e.g., ;(SELECT(1)FROM(SELECT(SLEEP(5)))a)). It's a useful probe when error output is suppressed and response timing is the only feedback channel.

This tweet summarizes second-order SQLi, where attacker-controlled input is stored and later interpolated into a separate query path. It's a common source of unexplained auth bypasses and data access issues when storage and execution contexts diverge.
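As an added example (not from the tweet), here is the storage/execution split in miniature with an in-memory SQLite database: the first query is parameterised and looks safe, the second trusts what the first stored. The schema and sample rows are constructed for illustration.

```python
import sqlite3


def setup_db():
    """In-memory schema with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE notes (owner TEXT, body TEXT);
        INSERT INTO notes VALUES ('alice', 'alice private note');
        INSERT INTO notes VALUES ('bob', 'bob private note');
    """)
    return db


def register(db, name):
    """First query: bound parameter, so storing any name is safe by itself."""
    cur = db.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return cur.lastrowid


def _stored_name(db, user_id):
    (name,) = db.execute("SELECT name FROM users WHERE id = ?",
                         (user_id,)).fetchone()
    return name


def notes_for_user_vulnerable(db, user_id):
    """Second query interpolates the stored value: the attacker's name is
    executed here, one request later, in a query path the author of the
    registration code never looked at."""
    sql = f"SELECT body FROM notes WHERE owner = '{_stored_name(db, user_id)}'"
    return [row[0] for row in db.execute(sql)]


def notes_for_user_fixed(db, user_id):
    """Stored data is still untrusted input: bind it like everything else."""
    rows = db.execute("SELECT body FROM notes WHERE owner = ?",
                      (_stored_name(db, user_id),))
    return [row[0] for row in rows]
```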

CRLF in 302 Redirects: Empty Location Header XSS Trick [𝕏 Tweet]
by def1ant (@0xdef1ant)

A quick technique note: CRLF injection in a 302 response can be leveraged into XSS when an attacker can force an empty Location header. It's a high-signal reminder to treat redirect responses as a viable sink for header injection testing.
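As an added example (not from the tweet), here is a redirect-target validator that closes both halves of the technique: it refuses any control character before the value reaches a header, and never emits an empty Location. ALLOWED_HOSTS is an assumption.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed for this example).
ALLOWED_HOSTS = {"app.example", "accounts.example"}


def safe_location(target, default="/"):
    """Return a Location value safe to emit in a 302, or `default`.

    Rejected: non-strings and the empty string (so Location is never
    empty), any control character including CR/LF (header injection),
    protocol-relative or backslash-prefixed targets, non-http(s)
    schemes, and absolute URLs whose host is not allow-listed.
    """
    if not isinstance(target, str) or target == "":
        return default
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default
    if target.startswith("//") or target.startswith("/\\"):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: only root-relative paths are accepted.
        return target if target.startswith("/") else default
    if parts.scheme not in ("http", "https"):
        return default
    if parts.hostname not in ALLOWED_HOSTS:
        return default
    return target
```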

Don't Get Attached to Submissions, Optimize for Consistency [𝕏 Tweet]
by Farhan Khan (@one33se7en)

This tweet argues that outcomes on individual submissions are noisy and often outside a researcher's control. The focus is on consistency and iteration as the more reliable driver of long-term results.

Did I miss something? Tell me.

Did you like this week's drop?

Please share feedback.


Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.
