Alejandro

CVE-2026-44574: Middleware auth bypass via internal query params. Next.js uses internal query params nxtP<param> and nxtI<param> to pass resolved dynamic route params from routing to route modules. they're never stripped from external requests, leading to middleware bypass in dynamic routes.

There's an Intent in the APK that pre-fills Gemini's chat input. Justin used this to build a fake captcha app where victim taps 5 times, intent fires on tap 3, tap 4 or 5 lands on the "Send" button: delivery solved, 2FA code is now in Gemini's context. SMS tool requires manual confirmation before sending = dead end. But phone tool doesn't. But a raw call leaks nothing except that the call happened. So how can we encode data inside audio? We needed a way to exfiltrate that data. The answer was usin dial strings, appending tones directly to the number Gemini dials so they play on the receiver's end. Gemini accepts this syntax, read the code via notifications, encode it into a dial string, call the attacker. Attacker records the tones and decode them. We reported this at Google Bugswat Tokyo and got over 9K USD with the $1337 bonus for "Most Creative Bug". Read the full writeup here: https://t.co/7ycNc0yNux

We’re truly proud to collaborate with MakeGood on such a meaningful and beautiful project. At Formnext, MakeGood showcased their 3D-Printed Toddler Mobility Trainer (TMT) - a low-cost, open-source device designed to support independence, coordination, and social development for young children with mobility challenges. And now it’s available for free from the organization’s website and from MakerWorld. No advanced equipment is required - a Bambu Lab A1 is enough! If you’re interested in this beautiful project, you can learn more on our Bambu Lab Blog: https://t.co/INaSXehKBY

Found a possible injection point, but WAF is preventing you from executing JS code? Time to obfuscate your payload! 🤠 JS-DOMestify is a simple tool that helps convert any JS code to browser-runnable code with only ASCII characters and minimal, non-intrusive symbols. 👀 Check it out! 👇 https://t.co/JYqPh7nBfQ

I’m hyped about what I’m building right now😀 Burp & Caido put automation behind paywalls, so I turned to OWASP ZAP — free, open, scriptable — and wrapped it inside my own MCP (Model Context Protocol) proxy layer. Then I wired everything together: ⚡ ZAP → handles active/passive scanning ⚡ Custom MCP Proxy → routes traffic + injects AI logic ⚡ Node.js service → handles orchestration + payload generation ⚡ Python modules → normalize data, parse responses, detect anomalies ⚡ LLM engine → learns from HTB, PortSwigger Academy, exploit writeups ⚡ Custom ruleset → auto-mutates payloads & attack patterns Now the system doesn’t just test endpoints. It watches. It remembers. It improves. Every scan sharpens the model. Every failure becomes a new technique. Every successful exploit becomes part of its instinct. I’m not building a scanner. I’m training a hunter. #BugBounty #CyberSecurity #AI #Hacking #AppSec