Notepad++ hijack, pwning Claude Code, top web hacking techniques of 2025 – ethical hacker news roundup

February 23, 2026

Notepad in a world of cyber threats

PortSwigger just announced the top 10 web hacking techniques of 2025, a few of which we’ve featured in this roundup throughout last year. The final 10 was whittled down from 63 community nominations via a phase of community voting and then deliberations by a judging panel of industry luminaries, including Nicolas Grégoire, Soroush Dalili, STÖK, LiveOverflow and PortSwigger director of research James Kettle. Mr Kettle hailed the overall winner, Vladislav Korchagin’s ‘Successful Errors: New Code Injection and SSTI Techniques’, as a “superb analysis” of new error-based techniques for exploiting blind server-side template injection, including “novel polyglot-based detection techniques to comprehensively expose this attack class”. Find out the rest of the top 10. 🏆

Mehmet Ince recently revealed how he built a pre-auth RCE exploit chain when probing a SIEM/SOAR platform. Kicking off by mapping the appliance’s request flow, the London-based researcher details how each of six otherwise minor bugs involved “becomes the leverage for the next, until the final trigger executes code on the appliance”. These steps include how “exposed internal routes lead to auth primitives, a hard-coded signing secret enables forged access, leaked internal API credentials unlock higher privilege inside the microservice world, an SSRF pivot reaches host-only Python endpoints to mint an admin session, and finally, a rule-engine eval() sink becomes reachable by bypassing validation via a static AES encryption key in imported alert-rule packages”. 🔒

We’ve spotted a wealth of other impressive writeups and news of interest to our community. For no particular reason, we’ll present them in ascending order of title length: 😄

🔬 Pwning Claude Code in 8 different ways – RyotaK

🔬 Cloudflare zero-day: accessing any host globally – FearsOff

🔬 WhatsApp encryption, a lawsuit and a lot of noise – Matthew Green

🔬 Ni8mare: unauthenticated RCE in n8n (CVE-2026-21858) – Dor Attias, Cyera

🔬 Trailing Danger: exploring HTTP trailer parsing discrepancies – sebsrt

🔬 Notepad++ update service hijacked in targeted state-linked attack – reported in The Register

🔬 Parse and parse: MIME validation bypass to XSS via parser differential – Tang Cheuk Hei

🔬 One-click RCE to steal your OpenClaw data and keys (CVE-2026-25253) – Mav Levin

🔬 Billion-dollar bait & switch: exploiting a race condition in blockchain infrastructure – Mav Levin

🔬 Account takeover in Facebook mobile app due to cryptographically insecure random number generator and XSS in Facebook JS SDK – Youssef Sammouda

YesWeHack Report 2026 – featuring hunter survey, hall of fame, hacking advice

How many hunters use AI tools in their Bug Bounty workflow? And in which parts? What benefits have they observed? Which risks are they most concerned about? Findings from a survey of our community on AI, choosing scopes, upskilling and more are a notable addition to this year’s bumper YesWeHack report. These insights appear alongside the final leaderboards of 2025, hacking advice from top hunters and a recap of last year’s live hacking events. Downloadable with a single click, the 2026 edition contains some “pretty sick content” according to Justin Gardner, host of the Critical Thinking podcast, who referenced the report in a recent episode. 😏

Interspersed throughout this edition are not one, not two but three new hunter interview videos, in which leading hackers recount how they got into Bug Bounty, share their best bugs and offer some hacking tips for newbies. The trio of interviewees includes all-time YesWeHack number one rabhi, who says he always tells “young people that their number one asset is time”, SpawnZii, who first “started tinkering with computers to jailbreak my PS3”, and yassine_eal, who admits that the most challenging part of Bug Bounty “was writing great reports”. 🎥

Speaking of rabhi… when we first published this roundup last week he was, unusually, not in top spot on the nascent 2026 leaderboard, trailing ‘zc’ by just five points. But guess what? He’s back on top. However, second-placed zc, newly registered on the platform in 2025, sure looks like ‘one to watch’ this year. 👀

Last month we flagged Talkie Pwnii’s demo of how to build your mobile Bug Bounty lab from scratch. The eponymous Pwnii has now released a follow-up Android Special (the video below), in which she shows viewers how to download, extract and analyse APKs to efficiently map an application’s attack surface. 📱

The best writeup for the recent monthly Dojo challenge APICrash comes from TekneX. The current challenge, active until 20 March, is called ‘Secret Manager’, about an eponymous application that enables you to “Safely store, manage, and delete your secrets,” except “the developers left an internal secrets folder sitting within the application”. As usual, swag is up for grabs for the best writeups.

A new instalment in our ‘Vulnerability Vectors’ series has landed. The ultimate Bug Bounty guide to exploiting XXE vulnerabilities details various types of XXE bugs, practical exploitation techniques with real-world scenarios, as well as potential impacts, which include sensitive data disclosure, SSRF and in some cases RCE. You can then put your newly acquired skills in this area to the test by tackling our new XXE training module on Dojo. 🧠

Fresh hunting opportunities

Numerous public Bug Bounty scopes have dropped since the last edition. 🚀 These new programs, which include open-source scopes via the European Commission, are now open to any YesWeHack-registered hunters:

Military drones, industrial surveillance cameras and smart home/personal devices were probed for vulnerabilities during the October finals of SpiritCyber. We’ve posted some video highlights of the two-day event, which followed a month-long qualifying phase. The Cyber Security Agency of Singapore (CSA) offered a US$50,000 prize pool to strengthen the security of its ‘Smart Nation’ infrastructure via the competition. 🇸🇬

And finally, the YesWeHack team will, of course, attend numerous conferences throughout 2026, as well as organise live hacking events around the world. Next up on the schedule is Next IT Security in Stockholm, Sweden, on 12 March. 🇸🇪

And that’s a wrap until our next edition in April – happy hunting in the meantime! 👊

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.