Research Worth Reading Week 43/2025

Published: 26 Oct 2025

Another great week!

🧠 CSP Bypass Search

What if there were a place where you could paste a CSP policy and instantly get a bypass for it? That is what cspbypass.com offers: https://cspbypass.com/
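As an added illustration (not code from cspbypass.com or PentesterLab), here is a small linter for the script-execution weaknesses a CSP bypass search starts from: inline/eval allowances, scheme and wildcard sources, host allowlists that may carry JSONP endpoints or script gadgets, and missing `object-src`/`base-uri`. Directive semantics follow the CSP spec; the two sample policies at the bottom are constructed for this example.

```javascript
// Added illustration, not code from cspbypass.com or PentesterLab: a small
// linter for the script-execution weaknesses a CSP bypass search looks for.
// The two sample policies at the bottom are constructed for this example.

const KEYWORD = /^'.*'$/;               // 'self', 'none', 'unsafe-inline', 'nonce-...', ...
const SCHEME = /^[a-z][a-z0-9+.-]*:$/i; // bare scheme sources such as https: or data:

// Split "directive src src; directive src" into a Map. Per the spec the first
// occurrence of a directive wins and later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];

  // script-src (and object-src) fall back to default-src when absent.
  const scriptSrc = d.get('script-src') ?? d.get('default-src');
  if (!scriptSrc) {
    return ['no script-src or default-src: scripts from any origin are allowed'];
  }
  const has = (kw) => scriptSrc.some((s) => s.toLowerCase() === kw);
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));

  // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only
  // flag it when it is actually effective.
  if (has("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': injected inline scripts run");
  }
  if (has("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': eval()/Function() on attacker strings run");
  }
  if (has('*')) {
    findings.push('script-src allows *: scripts may load from any host');
  }
  for (const scheme of ['data:', 'blob:', 'http:', 'https:']) {
    if (has(scheme)) findings.push(`script-src allows ${scheme}: any ${scheme} URL loads as a script`);
  }
  // Host allowlists are where JSONP endpoints and framework gadgets get abused.
  // 'strict-dynamic' makes browsers ignore the host list, so only flag without it.
  if (!has("'strict-dynamic'")) {
    for (const src of scriptSrc) {
      if (!KEYWORD.test(src) && !SCHEME.test(src) && src !== '*') {
        findings.push(`script-src trusts host ${src}: search it for JSONP or framework bypasses`);
      }
    }
  }
  const objectSrc = d.get('object-src') ?? d.get('default-src');
  if (!objectSrc || !(objectSrc.length === 1 && objectSrc[0].toLowerCase() === "'none'")) {
    findings.push("object-src is not 'none': <object>/<embed> can load attacker content");
  }
  if (!d.has('base-uri')) {
    findings.push('base-uri missing: an injected <base> can redirect relative script URLs');
  }
  return findings;
}

// Constructed sample policies: a typical weak one and a nonce-based strict one.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const STRICT_CSP = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

console.log(auditCsp(WEAK_CSP));   // four findings
console.log(auditCsp(STRICT_CSP)); // []
```

The host finding is the one a bypass search database answers: a policy that allowlists a CDN is only as strong as the least careful script hosted on that CDN, and a strict nonce plus `'strict-dynamic'` policy sidesteps the whole question.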

🤖 Prompt injection to RCE in AI agents

A great case study of the common guardrails meant to “prevent” arbitrary command execution in AI agents, and how each of them can be bypassed: https://blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agents/

🧱 Client-Side Path Traversal: Exploiting CSRF in Header-based auth scenarios

A great article from the Kulkan team with a lab on client-side path traversal: https://blog.kulkan.com/client-side-path-traversal-exploiting-csrf-in-header-based-auth-scenarios-31c26a1baece
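An added illustration of the mechanism behind the article (not code from the Kulkan lab): a single-page app takes an id from the URL fragment, splices it into an API path, and sends the request with a bearer token. Because the token is attached by the client rather than by a cookie, classic CSRF fails, but an attacker who controls the id controls the path, and the `?` suffix trick pushes the hard-coded tail into the query string. The origin, paths, fragment and token below are constructed for this example.

```javascript
// Added illustration, not code from the Kulkan lab: client-side path traversal
// turning an attacker-controlled URL fragment into an authenticated request to
// an endpoint the developer never intended. Origin, paths and token are constructed.

const ORIGIN = 'https://app.example';

// Vulnerable: userId comes from location.hash and is spliced into the path.
function buildProfileUrl(userId) {
  return new URL('/api/users/' + userId + '/profile', ORIGIN);
}

// Hardened: accept only opaque ids, then percent-encode so that even an
// accepted value cannot carry a path separator or query/fragment delimiter.
function buildProfileUrlSafe(userId) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(userId)) {
    throw new Error('invalid user id');
  }
  return new URL('/api/users/' + encodeURIComponent(userId) + '/profile', ORIGIN);
}

// Simulates the SPA's fetch wrapper: auth is a bearer header, not a cookie,
// which is why a cross-site form post would not carry it. Nothing is sent.
function apiRequest(url, token) {
  return { method: 'GET', url: url.href, headers: { Authorization: 'Bearer ' + token } };
}

// The app reads the id from a fragment such as "#id=42".
function hashToUserId(hash) {
  return new URLSearchParams(hash.replace(/^#/, '')).get('id');
}

// Victim opens https://app.example/#id=../../admin/export? from an attacker link.
// The "../.." climbs out of /api/users/, and the trailing "?" turns the
// hard-coded "/profile" suffix into a query string the server ignores.
const ATTACKER_HASH = '#id=../../admin/export?';
const userId = hashToUserId(ATTACKER_HASH);
const req = apiRequest(buildProfileUrl(userId), 'victim-token');
console.log(req.url);      // https://app.example/admin/export?/profile
console.log(req.headers);  // the victim's bearer token rides along

try {
  buildProfileUrlSafe(userId);
} catch (e) {
  console.log('hardened builder rejected the id:', e.message);
}
```

The impact then depends on what the reachable endpoint does with an authenticated GET (export, state change, or a second injection point), which is what the lab walks through; the fix is the same either way: validate the id against an allowlist shape before it touches a URL.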

🕵️ Key IOCs for Pegasus and Predator Spyware Cleaned With iOS 26 Update

Learn how the iOS 26 update impacts forensic analysis: https://iverify.io/blog/key-iocs-for-pegasus-and-predator-spyware-cleaned-with-ios-26-update

💥 Why nested deserialization is STILL harmful – Magento RCE (CVE-2025-54236)

A deep dive on Magento deserialization by the Assetnote (now Searchlight Cyber) team: https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/

📜 The minefield between syntaxes: exploiting syntax confusions in the wild

YesWeHack published a great article with real bug-bounty examples of parser differentials: https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits
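An added illustration of a parser differential (not from the YesWeHack article): two components read the same JSON body, one with a regex-style field check of the kind found in WAFs and hand-rolled filters, the other with `JSON.parse`, and they disagree about the `role` field. The gate logic and payloads are constructed for this example.

```javascript
// Added illustration, not from the YesWeHack article: a JSON syntax confusion
// where a regex-based gate and JSON.parse see different "role" values.
// The gate and the payloads are constructed for this example.

// Naive view: the first "role":"..." pair a regex finds in the raw body.
function roleSeenByGate(body) {
  const m = /"role"\s*:\s*"([^"]*)"/.exec(body);
  return m ? m[1] : null;
}

// Real view: what the application receives after JSON.parse.
function roleSeenByApp(body) {
  try {
    const obj = JSON.parse(body);
    return typeof obj.role === 'string' ? obj.role : null;
  } catch {
    return null;
  }
}

// The gate lets a request through unless it sees role "admin"; a differential
// exists whenever the gate passes the body but the app ends up with "admin".
function differential(body) {
  const gate = roleSeenByGate(body);
  const app = roleSeenByApp(body);
  return { gate, app, passesGate: gate !== 'admin', appGetsAdmin: app === 'admin' };
}

// Constructed payloads. Note the doubled backslash: the body the app receives
// contains the two-character sequence \u, which JSON.parse decodes but a regex
// looking for the literal text "role" does not.
const PAYLOADS = [
  '{"role":"admin"}',                // honest request: both see admin, gate blocks
  '{"role":"user","role":"admin"}',  // duplicate key: JSON.parse keeps the last value
  '{"ro\\u006ce":"admin"}',          // escaped key: regex never matches "role"
];

for (const body of PAYLOADS) {
  console.log(body, '->', differential(body));
}
```

Both bypasses come from the same root cause: the gate reasons about bytes while the application reasons about the parsed object. The robust fix is to have the gate parse with the same library and settings as the application (or to enforce the check after parsing), not to add more regexes.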

Written by PentesterLab
The platform to learn web hacking and security code review