Skip to main content

Blog

Security Research
CVE-2025-27888: Server-Side Request Forgery via URL Parsing Confusion in Apache Druid Proxy Endpoint

CVE-2025-27888: Server-Side Request Forgery via URL Parsing Confusion in Apache Druid Proxy Endpoint

Nico Waisman
Security Research
The Campaign Is Not Available in Your Country: XBOW Discovered an SQLi While Attempting to Bypass Geolocation Restrictions.

The Campaign Is Not Available in Your Country: XBOW Discovered an SQLi While Attempting to Bypass Geolocation Restrictions.

Nico Waisman
Security Research
Another Byte Bites the Dust - How XBOW Turned a Blind SSRF into a File Reading Oracle

Another Byte Bites the Dust - How XBOW Turned a Blind SSRF into a File Reading Oracle

Alvaro Muñoz
Security Research
Beyond the Bands: Exploiting TiTiler’s Expression Parser for Remote Code Execution

Beyond the Bands: Exploiting TiTiler’s Expression Parser for Remote Code Execution

Alvaro Muñoz
Security Research
Finding XSS in Salesforce Aura Components: How XBOW Got Creative

Finding XSS in Salesforce Aura Components: How XBOW Got Creative

Diego Jurado
Security Research
CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest

CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest

Diego Jurado
Security Research
Breaking the Shield: How XBOW Discovered Multiple XSS Vulnerabilities in Palo Alto’s GlobalProtect VPN

Breaking the Shield: How XBOW Discovered Multiple XSS Vulnerabilities in Palo Alto’s GlobalProtect VPN

Alvaro Muñoz
Security Research
The Nightmare Before Christmas: An Arbitrary File Download on Zoo-Project

The Nightmare Before Christmas: An Arbitrary File Download on Zoo-Project

Nico Waisman
Security Research
Stored Cross-Site Scripting (XSS) in 2FAuth

Stored Cross-Site Scripting (XSS) in 2FAuth

Diego Jurado