Application Security Feed

🗞️ cURL stopped HackerOne bug bounty program due to excessive slop reports

🔗 https://github.com/curl/curl/pull/20312

🗞️ How we mitigated a vulnerability in Cloudflare’s ACME validation logic

🔗 https://blog.cloudflare.com/acme-path-vulnerability/

🗞️ OWASP PTK add-on for ZAP is now released

🔗 https://www.zaproxy.org/blog/2026-01-19-owasp-ptk-add-on/

🗞️ Research Worth Reading Week 03/2026

🔗 https://pentesterlab.com/blog/research-worth-reading-week03-2026

🗞️ Scaling developer content production at Snyk

🔗 https://developerrelations.com/case-studies/snyk-content-scaling/

🗞️ CVEFinder – Fast CVE lookup with product-level mapping

🔗 https://news.ycombinator.com/item?id=46676994

🗞️ CVE-2026-0915: GNU C Library Fixes a Security Issue Present Since 1996

🔗 https://www.phoronix.com/news/Glibc-Security-Fix-For-1996-Bug

🗞️ Crypto holder loses $283 million to scammer impersonating wallet support

🔗 https://web3isgoinggreat.com/single/trezor-support-scam

🗞️ 🎓️ Vulnerable U | #151

🔗 https://www.vulnu.com/p/vulnerable-u-151

🗞️ New Vulnerability in n8n – CVE-2026-21858

🔗 https://www.schneier.com/blog/archives/2026/01/new-vulnerability-in-n8n.html

🗞️ Analysis of ServiceNow's AI Vulnerability (85% of Fortune 500 Affected)

🔗 https://opena2a.org/blogs/servicenow-ai-vulnerability

🗞️ WinBoat: Drive by Client RCE and Sandbox Escape

🔗 https://hack.do/posts/winboat-guest-service-host-rce/

🗞️ StackWarp Vulnerability

🔗 https://stackwarpattack.com/

🗞️ Last Week in AppSec for 15. January 2026

🔗 https://checkmarx.com/zero-post/last-week-in-appsec-for-15-january-2026/

🗞️ [tl;dr sec] #311 - Slack's Security Agents, Cloud-Native Detection Engineering, Trail of Bits' Claude Skills

🔗 https://tldrsec.com/p/tldr-sec-311

🗞️ Building the Talent Engine Behind TRM's Mission to Protect Billions | TRM Blog

🔗 https://www.trmlabs.com/resources/blog/building-the-talent-engine-behind-trms-mission-to-protect-billions

🗞️ Community-powered security with AI: an open source framework for security research

🔗 https://github.blog/security/community-powered-security-with-ai-an-open-source-framework-for-security-research/

🗞️ Curl to end Bug Bounty program due to overwhelming number of AI submissions

🔗 https://github.com/curl/curl-www/pull/538

🗞️ Determinate Secure Packages: Nixpkgs with SBOMs, FIPS, and SLA'd CVE Patching

🔗 https://determinate.systems/blog/determinate-secure-packages/

🗞️ $250K+ XSS in Meta Conversion API Leading to Zero-Click Account Takeover

🔗 https://ysamm.com/uncategorized/2025/01/13/capig-xss.html

🗞️ DoS Vulnerability in Node.js for React, Next.js, and APM Users

🔗 https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks

🗞️ Stop trusting torch.load() – I built a tool to scan AI models for RCE

🔗 https://github.com/ArseniiBrazhnyk/Veritensor

🗞️ Blacksmith – AI Powered Penetration Testing

🔗 https://github.com/yohannesgk/blacksmith

🗞️ Former NYC Mayor Eric Adams accused of rug pull as NYC Token crashes

🔗 https://web3isgoinggreat.com/single/nyc-token-crash

🗞️ Building the Talent Engine Behind TRM's Mission to Protect Billions | TRM Blog

🔗 https://www.trmlabs.com/resources/blog/building-the-talent-engine-behind-trms-mission-to-protect-billions

🗞️ Exploiting LLM Write Primitives: System Prompt Extraction When Chat Output Is Locked Down

🔗 https://www.praetorian.com/blog/exploiting-llm-write-primitives-system-prompt-extraction-when-chat-output-is-locked-down/

🗞️ Mitigating DoS Vulnerability from Unrecoverable Stack Space Exhaustion

🔗 https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks

🗞️ Claude Code CVE-2025-66032: Why Allowlists Aren't Enough

🔗 https://niyikiza.com/posts/cve-2025-66032/

🗞️ Tackling Technical Debt before It Owns Your Roadmap

🔗 https://www.netspi.com/blog/executive-blog/ciso-perspectives/tackling-technical-debt-before-it-owns-your-roadmap/

🗞️ Sift or Get Off the PoC: Vulnerability Research via Information Retrieval

🔗 https://arxiv.org/abs/2512.06155