What's Changed
🎉 New Features

Adding json + xpath headless extractors by @Mzack9999 in #6559
Adding VNC auth by @Mzack9999 in #6413
Feat(templating): add vars templating into yaml inputs (ytt)...

The Internet is ablaze, and once again we all have a front-row seat - a bad person, if you can believe it, is doing a bad thing!

The first warning of such behaviour came from the great team at Defused:

As many are now aware, an unnamed (and potentially…

We’re releasing Slither-MCP, a new tool that augments LLMs with Slither’s unmatched static analysis engine.

In this article, I’ll walk you through my journey in intercepting HTTPS traffic from a APK based on Flutter during a pentesting engagement…

This blog introduces SonarQube's enhanced analysis capabilities for GitHub Actions, designed to proactively identify and remediate security vulnerabilities like Command Injection and Code Execution that pose a significant supply chain risk.

Intigriti has won Security Innovation of the Year at the UK IT Industry Awards 2025.

Trail of Bits discovered and disclosed two vulnerabilities in the widely used elliptic JavaScript library that could allow signature forgery or prevent valid signature verification, with one vulnerability still unfixed after the 90-day disclosure window.

This blog introduces SonarQube's enhanced analysis capabilities for GitHub Actions, designed to proactively identify and remediate security vulnerabilities like Command Injection and Code Execution that pose a significant supply chain risk.

We hacked our way into Lovable's office by demoing SupaPwn — a chain that could potentially enable region-wide tenant takeover: event-trigger privilege window, DB superuser, host RCE, SUID escalation, exposed configs, orchestration takeover

Three types of price manipulation techniques threat actors are using this Black Friday and Cyber Monday

Posted by Dave Kleidermacher, VP, Platforms Security & Privacy, Google Technology should bring people closer together, not create walls. ...

This blog introduces SonarQube's enhanced analysis capabilities for GitHub Actions, designed to proactively identify and remediate security vulnerabilities like Command Injection and Code Execution that pose a significant supply chain risk.

🔓 Cracking a Weak HS256 JWT: How I Forged a Token and Retrieved the Masterkey

Hi hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring:  Finding an RCE using AI in GitHub  CORS exploitation cheat sheet  Scanning codebases with AI  Bypass...

We’re excited to announce that Sonar has been named a Fast Company Next Big Things in Tech honoree for Applied AI! This prestigious award honors technology breakthroughs poised to define the future of their industries.

The promise of AI-assisted coding is immense, but it rests on a simple, fundamental reality: the quality and security of the code generated by a Large Language Model (LLM)  depends on the quality of the data that it was trained on.

Turn your signal-to-noise ratio into a key metric, learn how to score it, and identify challenges regarding scope, policy, staff, rewards, researchers, and processes.  

Welcome to watchTowr vs the Internet, part 68.

That feeling you’re experiencing? Dread. You should be used to it by now.

As is fast becoming an unofficial and, apparently, frowned upon tradition - we identified incredible amounts of publicly exposed passwords…

By: savi0r  Date: November 2025  Duration: ~3 hours  Result: Full Solve (JWT Admin Takeover → SSTI → RCE → Flag)  Status: ✅ Completed

This blog post explores a bug, (CVE-2025-64755), I found while trying to find a command execution primitive within Claude Code to demonstrate the risks of web-hosted MCP to a client.