#Injection
2 postsBugForge - Daily - Tanuki (Jul 14, 2026)
Tanuki's XML deck import blacklists the single quote and numeric entities on the deck name, but allows the standard ' entity, which decodes to a quote and reaches a concatenated SQL query.
SQLi SQL Injection Injection Xml Filter Bypass WAF Bypass Sqlite
Posted on 2026-07-14 20:00 7 min read
BugForge - Daily - Shady Oaks Finance (Jul 12, 2026)
The Shady Oaks forecasting feature renders the user-supplied caption through a server-side template engine, so injecting {api_key} leaks the secret straight back in the response.
SSTI Server Side Template Injection Injection Information Disclosure Sensitive Data Exposure
Posted on 2026-07-12 20:00 4 min read