0xacb
0xacb.com
@0xacb.com
Hacker grinding for L1gh7 and Fr33dφm, straight outta the cosmic realm.
Co-founder @ethiack.com

https://0xacb.com
Openclaw (Clawdbot) is cool and all but it’s also risky.

Make sure you get your bot audited with some better security practices 👇 

https://auth0.com/blog/five-step-guide-securing-moltbot-ai-agent/
Security - OpenClaw
docs.molt.bot
February 10, 2026 at 11:03 AM
Manually hunting for endpoints and hidden params in web apps?

Another nice tool from xnl_h4ck3r is xnLinkFinder that crawls targets, extracts links, discovers secrets, and builds target-specific wordlists.

Try it out 👇
https://github.com/xnl-h4ck3r/xnLinkFinder
February 6, 2026 at 11:04 AM
404 page to RCE. A report by Spaceraccoon

Chained CVE-2007-0450 (mod_proxy traversal via %5C../) + CVE-2007-1036 (exposed JBoss console) + Java deserialization RCE with jexboss

Full report 👇
Starbucks disclosed on HackerOne: RCE and Complete Server Takeover...
This report from @spaceraccoon demonstrated a valid attack resulting in RCE and full compromise of the target. The detailed and thorough report was especially helpful throughout the triage process,...
hackerone.com
February 3, 2026 at 10:06 AM
💥 One click could completely compromise an OpenClaw / Moltbot / Clawdbot (CVE-2026-25253)

The vulnerability is now fixed, but here's how it worked:
February 2, 2026 at 9:07 AM
Very interesting techniques by Slonser.

If your AI agent is reading external data (especially from MCP servers), proceed with caution. Incoming data might trick your model into executing unintended actions.

Blog link 👇
Never Trust the Output: Data Pollution in AI Agents and MCP
Disclaimer: This article is intended for educational purposes and security specialists conducting authorized testing. The author assumes no responsibility for any misuse of the information provided. Distribution of malicious software, system disruption, and privacy violations are punishable by law. Introduction I’m sure most of you are already familiar with the concept of Prompt Injection and its various consequences. However, in 2026, any AI model without MCP (Model Context Protocol) servers can’t reach its full potential — that’s why developers are connecting numerous MCP servers to extend their capabilities.
blog.slonser.info
February 1, 2026 at 9:39 AM
Need to find the APIs the devs forgot about?

Combine waymore with xnLinkFinder or similar.

- waymore: Gathers the archived URL responses.
- xnLinkFinder: Extracts the hidden paths and parameters.

GitHub repos 👇

https://github.com/xnl-h4ck3r/waymore
https://github.com/xnl-h4ck3r/xnLinkFinder
January 31, 2026 at 10:03 AM
Our pentesting agent found a 1-click ATO to RCE in @moltbot Gateway Control UI in under 2 hours.

Local instances can also be exploited with one click.

Patched in main, update now.

Watch the exploit 👇
January 29, 2026 at 4:38 PM
It's been a while since I've tried to find bugs in Facebook. Maybe it's time to look into the new stuff.

I remember the days when we spent one entire day intercepting mobile app traffic by patching a native lib when nobody knew about it and finding an open redirect on instagram[.]com///evil.com
January 28, 2026 at 10:27 AM
Looking for S(security) in MCP? 👀

You’re probably already familiar with MCP but did you know that it’s not secure out of the box?
January 27, 2026 at 10:24 AM
Ryotak discovered 8 ways to achieve RCE in Claude Code without user approval 🤯

Claude Code allowlisted "safe" commands like echo, sed, and sort, then used regex blocklists to prevent dangerous arguments. 

Blog link 👇
Pwning Claude Code in 8 Different Ways
Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at GMO Flatt Security Inc. A few months ago, I came across an interesting behavior while using Claude Code—it executed a command without my approval. Since I wasn’t using the permission bypass mode, I decided to investigate further to understand why it was able to execute commands without explicit approval. TL;DR I discovered 8 ways to execute arbitrary commands in Claude Code without user approval.
flatt.tech
January 26, 2026 at 10:10 AM
It's crazy how hallucinated AI CVE PoCs keep ending up in NIST NVD references.

One recent example is CVE-2026-21962, a 10.0 CVE in Oracle HTTP Server / Apache Proxy Plugin.

https://nvd.nist.gov/vuln/detail/CVE-2026-21962 links to a GitHub repository with a fake PoC.
January 25, 2026 at 5:13 PM
Active crawling is powerful, but combining it with passive leads to even better results.

GAU fetches historical URLs from external sources like AlienVault OTX, Wayback Machine, and Common Crawl.

It’s great for uncovering forgotten endpoints and parameters.

👉https://github.com/lc/gau
January 23, 2026 at 10:24 AM
Have you ever tried to find JSON Web Token (JWT) bugs?

5 ideas to try 👇
January 19, 2026 at 3:11 PM
Manually going through multiple web archiving sites while hunting can be a tedious task.

Here is a browser extension to help you do that quickly.

https://chromewebstore.google.com/detail/web-archives/hkligngkgcpcolhcnkgccglchdafcnao
https://addons.mozilla.org/en-US/firefox/addon/view-page-archive/
January 16, 2026 at 10:04 PM
The questions you need to ask to learn about a new vuln class or technique 🐛

Why does it occur (root cause) and how to exploit it?
Are there labs or challenges to practice on?
Any related disclosed reports, blog posts or writeups?
What are the best targets to hunt for it?
What tools can detect it?
January 15, 2026 at 11:41 AM
A critical Supabase JWT bug by @BourAbdelhadi

And he used rep+ for this impactful finding

Tool 👇
GitHub - repplus/rep-chrome: rep+ — Burp-style HTTP Repeater for Chrome DevTools with built‑in AI to explain requests and suggest attacks
rep+ — Burp-style HTTP Repeater for Chrome DevTools with built‑in AI to explain requests and suggest attacks - repplus/rep-chrome
github.com
January 14, 2026 at 10:35 AM
Hacking a GraphQL API but introspection is disabled?

Clairvoyance, a tool by @_nikitastupin, can reconstruct the GraphQL API schema even if introspection is disabled.

For installation and usage 👇
GitHub - nikitastupin/clairvoyance: Obtain GraphQL API schema even if the introspection is disabled
Obtain GraphQL API schema even if the introspection is disabled - nikitastupin/clairvoyance
github.com
January 13, 2026 at 2:06 PM
A researcher showed that for SSO users, the Firefox password hash check could be bypassed using the attacker's session to delete arbitrary accounts. I guess the password DB values were None/NULL, causing the bug. Super interesting.

Always check SSO edge cases!

Mozilla disclosed on HackerOne: IDOR: Account Deletion via Session...
An IDOR vulnerability was identified in the Firefox Accounts API endpoint `https://api.accounts.firefox.com/v1/account/destroy` that allows an authenticated attacker using SSO (i.e. Google login) to...
hackerone.com
January 9, 2026 at 8:38 PM
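As an added illustration (not code from the report or from Mozilla), here is a hypothetical Python sketch of the failure mode the post guesses at: a password check that compares a derived value against a NULL stored hash, beside a version that fails closed and also ties the destroy action to the session's own account. The names, the PBKDF2 scheme and the sample accounts are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    uid: str
    salt: bytes
    password_hash: Optional[bytes]  # None for SSO-only accounts that never set a password


def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real service uses (assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password_vulnerable(account: Account, supplied: Optional[str]) -> bool:
    # Hypothetical buggy pattern: a missing password derives to None, and None == None
    # when the stored hash is NULL, so SSO-only accounts "pass" the check.
    supplied_hash = derive(supplied, account.salt) if supplied is not None else None
    return supplied_hash == account.password_hash


def check_password_hardened(account: Account, supplied: Optional[str]) -> bool:
    # Fail closed: an account without a local password can never be verified by one.
    if account.password_hash is None or not supplied:
        return False
    return hmac.compare_digest(derive(supplied, account.salt), account.password_hash)


def destroy_vulnerable(db: Dict[str, Account], session_uid: str, target_uid: str, supplied: Optional[str]) -> bool:
    # Only the password check gates deletion; the session is never tied to the target.
    target = db.get(target_uid)
    if target is None or not check_password_vulnerable(target, supplied):
        return False
    del db[target_uid]
    return True


def destroy_hardened(db: Dict[str, Account], session_uid: str, target_uid: str, supplied: Optional[str]) -> bool:
    # The session must own the account it destroys, and the password check fails closed.
    target = db.get(target_uid)
    if target is None or session_uid != target_uid:
        return False
    if not check_password_hardened(target, supplied):
        return False
    del db[target_uid]
    return True


def build_db() -> Dict[str, Account]:
    # Constructed sample data: one SSO-only victim and one attacker with a password.
    return {"victim": Account("victim", b"salt-v", None),
            "attacker": Account("attacker", b"salt-a", derive("hunter2", b"salt-a"))}
```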
If you’re tired of encountering AI slop blogs, this one’s for you.

@busf4ctor made a cool website that has a curated collection of bug bounty resources.

Check it out 👇
Bug Bounty Daily
The ultimate reading list for bug bounty hunters. Discover curated articles and resources, track your progress, and stay ahead in cybersecurity.
bugbountydaily.com
January 5, 2026 at 10:02 AM
With a single command, xnldorker gathers dork results from multiple search engines.

Another nice tool by @xnl_h4ck3r

GitHub link 👇
https://github.com/xnl-h4ck3r/xnldorker
January 2, 2026 at 11:47 AM
Happy New Year everyone!

Enjoy the moment, and get ready for the challenges 0x7ea will bring.
January 1, 2026 at 12:01 AM
Stumbled upon this cool tool, a repeater for Chrome.

Rep+ is a Burp-style repeater extension with built-in AI for quick attack suggestions, very handy for BB hunters.

It can also extract secrets and endpoints from JS files. Cool stuff by @BourAbdelhadi

Check it out
GitHub - repplus/rep: rep+ — Burp-style HTTP Repeater for Chrome DevTools with built‑in AI to explain requests and suggest attacks
rep+ — Burp-style HTTP Repeater for Chrome DevTools with built‑in AI to explain requests and suggest attacks - repplus/rep
github.com
December 31, 2025 at 10:04 AM
Nice stuff @pxmme1337!

https://bugbounty.forum

This is the first use case I've seen for DKIM being used like this 😆
bugbounty.forum - Anonymous Forum for Bug Bounty Hunters
The anonymous forum for bug bounty hunters with optional earnings verification.
bugbounty.forum
December 30, 2025 at 10:21 AM
Find out if a GraphQL Endpoint is vulnerable to DoS, CSRF or Information disclosure 👇

GitHub - dolevf/graphql-cop: Security Auditor Utility for GraphQL APIs
Security Auditor Utility for GraphQL APIs. Contribute to dolevf/graphql-cop development by creating an account on GitHub.
github.com
December 26, 2025 at 5:46 PM