Brut Security

📈 Analytical overview of Telegram channel Brut Security

Channel Brut Security (@brutsecurity) is an active channel in the English-language segment. It currently has 15 896 subscribers, ranking 8 173 in the Technologies & Applications category and 26 443 in the India region.

📊 Audience metrics and dynamics

Since its creation (date unknown), the project has shown rapid growth, gathering an audience of 15 896 subscribers.

According to the latest data from 04 July, 2026, the channel demonstrates stable activity. Although there has been a change in the number of participants by 315 over the last 30 days and by 23 over the last 24 hours, overall reach remains high.

  • Verification status: Not verified
  • Engagement rate (ER): The average audience engagement rate is 16.24%. Within the first 24 hours after publication, content typically collects 5.76% reactions from the total number of subscribers.
  • Post reach: On average, each post receives 2 578 views. Within the first day, a publication typically gains 914 views.
  • Reactions and interaction: The audience actively supports content: the average number of reactions per post is 11.
  • Thematic interests: Content is focused on key topics such as hunter, bounty, darkshadow, bypass, hex.

πŸ“ Description and content policy

The author describes the resource as a platform for expressing subjective opinions:
“✅DM: @wtf_brut 🛃WhatsApp: https://wa.link/brutsecurity 🈴Training: https://brutsecurity.com 📨Mail: info@brutsec.com”

Thanks to the high frequency of updates (latest data received on 05 July, 2026), the channel maintains relevance and a high level of publication reach. Analytics show that the audience actively interacts with content, making it an important point of influence in the Technologies & Applications category.

15 896 subscribers: +23 in the last 24 hours, +38 in the last 7 days, +315 in the last 30 days.

Posts Archive
Please do share and like. Thanks 🙏❤️

━━━━━━━━━━━━━━━━━ 🎁 MIDNIGHT GIVEAWAY — 5 FREE COPIES ━━━━━━━━━━━━━━━━━
At midnight tonight I'm dropping 5 free coupon codes right here in the channel.
How to get one:
→ Be here at midnight
→ First 5 to DM me the word BRUT grab a free copy
Set your alarm. 🕛

🔥 Just dropped — 2026 Bug Bounty Guide 📖
86 pages. 25 chapters. Built on real data.
What's inside:
→ The AI shift — what it means for your bounties
→ Full recon workflow (subfinder → puredns → httpx → nuclei)
→ Every major vuln class with payloads — XSS, SSRF, IDOR, SSTI, SQLi, LFI, XXE
→ LLM & AI attack surface — prompt injection, MCP, indirect injection
→ WAF bypass techniques for CloudFlare, Akamai, AWS
→ 9 real HackerOne reports — PayPal $18,900 · Dropbox $17,576 · GitLab $12K · HackerOne $20K
→ Full payload cheatsheet you'll actually use mid-hunt
→ A-to-Z methodology checklist
→ Cloud security — AWS SSRF, S3, IAM escalation
→ Mobile app testing (Android + iOS)
→ Career roadmap from first VDP to private programs
🔗 https://topmate.io/saumadip/2187710
— Saumadip | Brut Security @brutsecurity

Something is coming soon. Stay Tuned!☠️

5 free coupons for Pro hacker's playbook: recon, XSS, SQLi, SSRF & more https://topmate.io/saumadip/2054509?coupon_code=awww

Repost from Brut Security
157 Methods for Privilege Escalation (WindowsLinuxMacos) PDF.pdf (84.93 MB)

🚨 [codeb0ss] — The Biggest CVE PoCs & Exploitation Channel on Telegram 🚨
[codeb0ss] is the largest and most dedicated Telegram channel focused entirely on real CVEs and professional Proof-of-Concept exploitation, built through more than six years of continuous hard work, research, and real-world experience in offensive security. This channel exists for one purpose only: to publish long, high-quality, Python-based exploitation PoCs that explain how vulnerabilities truly work, from the root cause to full exploitation, without shortcuts, reposts, or shallow demonstrations. Inside [codeb0ss], you will find an ever-growing archive of CVE-2025 and CVE-2026 PoCs, covering web applications, plugins, frameworks, logic flaws, authentication bypasses, remote code execution, privilege escalation, and complex vulnerability chains that reflect real attack scenarios seen in the wild. Unlike typical channels that repost incomplete scripts or broken examples, every PoC published in [codeb0ss] is written with depth, clarity, and purpose, focusing on exploit logic, reliability, and practical understanding. The goal is not only to show that a vulnerability exists, but to teach how exploitation is designed, developed, and executed using clean, structured, and reusable Python code. [codeb0ss] represents years of persistence, learning, failure, reverse engineering, and refinement. It is a channel created for security researchers, penetration testers, red teamers, bug hunters, and serious learners who value knowledge over noise and skill over hype. All content is shared strictly for educational and informational purposes, with no harmful intentions, and with a strong emphasis on responsible learning and technical mastery. If you are looking for the biggest, most serious, and most experienced CVE PoCs channel on Telegram, built on six years of real work and continuous contribution, then [codeb0ss] is the place to be.
👉 Join [codeb0ss] — where real CVEs become real understanding 🔗 https://t.me/thecodeb0ss

#AD

☺️ Your support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars ⭐ to help me keep going.
💬 For queries, message me on Telegram: @wtf_brut
🎓 For course enrollment, reach out on WhatsApp: wa.link/brutsecurity

🔥 Chrome RCE PoC: CVE-2026-6307
A working renderer RCE Proof of Concept for CVE-2026-6307 — a V8 type-confusion bug (JS-to-Wasm deoptimization) patched in Chrome 147.0.7727.101.
✅ Full primitives (addrof/fakeobj, out-of-cage, in-cage r/w)
✅ No-ASLR RCE that patches JIT code to pop xcalc
✅ Based on Nebula Security writeup
✅ Heavily improved with frontier LLMs + human direction (4-day experiment)
This is renderer-only and still far from fully weaponized, but great for learning and research.
📥 PoC + scripts: https://github.com/0xsha/CVE-2026-6307
#Chrome #V8 #Exploit #CVE #SecurityResearch

💥 TORLINK: A torrent finder that runs right from your terminal with zero setup and nothing to configure. One search checks a small curated list of sources at once. Pick what you want, and it downloads directly to your computer. GitHub: https://github.com/baairon/torlink

Repost from Brut Security 2.0
🔴 Another serious security vulnerability has been discovered in Redis 8.8.0, and no POC has been released yet for this bidirectional RCE found by v12sec.

πŸ›‘οΈ Bug Bounty Tip: Test IDOR + Web Cache Deception Together When hunting IDORs, always check for web cache deception on the same endpoints: 1. As User A, access a sensitive resource like /api/invoices/123 (also try appending .css or `.js`). 2. As User B, repeat the exact same URL with identical headers. 3. Only change the Cookie/Auth token. If User B receives User A's 200 OK response from cache β†’ you've likely found a critical vulnerability! This combo can lead to account takeover-level impacts. #BugBounty #AppSec #WebSecurity #IDOR #Pentesting

😆😆

πŸ” Detailed Bug Bounty Tip: Publicly Exposed Firebase Config β†’ Unauthorized Data Uploads Found a juicy misconfiguration durin
πŸ” Detailed Bug Bounty Tip: Publicly Exposed Firebase Config β†’ Unauthorized Data Uploads Found a juicy misconfiguration during a recon phase! ### Vulnerability: Many web/mobile apps use Firebase Realtime Database (Google) and leave the configuration exposed in client-side JavaScript or source code. When the database security rules are not properly set (often left as default "true" for testing), anyone can read and write data without authentication. This leads to unauthorized data injection, tampering, or even full database takeover. ### How to Test: 1. Hunt for Firebase config in JS files, source code, or APK (look for firebaseConfig, apiKey, databaseURL, projectId etc.) 2. Identify the database URL (usually `https://<project-id>.firebaseio.com`) 3. Test write access with a simple PUT request ### Exploitation Command:
curl -X PUT "https://your-project-id.firebaseio.com/poc.json" \
     -d '{"POC": "Successful upload by Bug Hunter", "timestamp": "2026"}'
Replace your-project-id with the actual one. If successful, you'll be able to inject arbitrary data into the database. Proof of Concept Result: The database accepted the PUT request and stored the attacker-controlled JSON data. ### Impact: - Data pollution / poisoning - Injecting malicious content (e.g., XSS payloads, fake user data, phishing links) - Potential account takeover or business logic abuse depending on how the app uses the data - In severe cases β†’ complete database compromise ### How to Report & Fix (for devs): - Set proper Firebase Realtime Database Security Rules (deny read/write by default) - Use Firebase Authentication - Avoid exposing sensitive config in client-side code when possible - Use Firestore with stricter rules instead (if applicable) Pro Tip: Always check .js files and network tab for firebaseio.com during recon. Many programs pay well for this! #BugBounty #BugBountyTips #Firebase #WebAppSec #HackerOne #Bugcrowd #Pentesting #CyberSecurity
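An added example (not the post's code) that lints a Firebase Realtime Database rules document for the wide-open `true` rules the post warns about, next to a corrected rule set that denies by default and scopes access to the authenticated owner; both rule sets are constructed samples. Because Realtime Database rules cascade, a permissive `.read`/`.write` at a parent path opens every child path, so the linter reports each such rule by path.

```python
import json

# Constructed sample rule sets (not from the post): the "testing" default the
# post warns about, and a corrected set that denies by default and only lets
# an authenticated user touch their own subtree.
PERMISSIVE_RULES = json.dumps({"rules": {".read": True, ".write": True}})
HARDENED_RULES = json.dumps({"rules": {
    ".read": False,
    ".write": False,
    "users": {"$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
    }},
}})


def _is_open(value):
    # A rule is wide open when it is boolean true or the literal string "true";
    # any other expression (e.g. one referencing auth) is treated as restricted.
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def find_open_rules(rules_json):
    """Return the rule paths that grant access to anyone, e.g. ["/.read"].

    Walks the nested rules object; a permissive rule at a parent applies to
    every child path, which is why a single "/.write": true is already fatal.
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append(f"{path}/{key}")
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings
```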


🚨 CVE-2026-20230: Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition Server-Side Request Forgery (SSRF) Critical Vulnerability Alert!
Cisco Unified Communications Manager is affected by CVE-2026-20230.
Full Vulnerability Details & Analysis at DarkEye: 🔗 https://darkeye.org/vuln/cve/CVE-2026-20230
🔍 Identify Targets via ZoomEye:
Filter: vul.cve="CVE-2026-20230"
Search Dork: app="Cisco Unified Communications Manager"
Exposure: 5k instances identified globally.
ZoomEye Search Link: 👉 https://www.zoomeye.ai/searchResult?q=YXBwPSJDaXNjbyBVbmlmaWVkIENvbW11bmljYXRpb25zIE1hbmFnZXIi&t=all&utm_source=telegram&utm_medium=community&utm_campaign=cve_ops_20260626

An anonymous GitHub account has begun releasing proof-of-concepts for exploits framed as undisclosed zero-days, accompanied by a note instructing readers to report the findings and claim credit for the associated CVEs themselves. 🛡️📝 https://github.com/bikini/exploitarium 🔗

🚨 Bug Bounty Tip: Password Reset Race Condition
Many applications generate a password reset token but fail to invalidate it when critical account details change. This can create a dangerous account takeover scenario.
Test Flow:
1️⃣ Request a password reset for your account.
2️⃣ Do not use the reset link yet.
3️⃣ Log in normally using your current password.
4️⃣ Change your email address (or another identifier linked to password recovery).
5️⃣ Now open the old password reset link you received before the email change.
💥 Potential Finding: If the old reset token still resets the password after the email change, the application isn't invalidating previously issued reset tokens. An attacker with access to an older reset email could still take over the account even after the user updates their recovery email.
What to Verify:
• Is the old token still valid after changing the email?
• Does the reset affect the current account owner?
• Are all existing reset tokens revoked after sensitive account changes?
• Does changing the password or email invalidate outstanding reset links?
🎯 Impact: High (Account Takeover) if an attacker can obtain or intercept an old password reset email.
Always test only on accounts you own or are explicitly authorized to assess.
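The flow in this tip, modelled as a toy account service added here (hypothetical; not code from any real application or from the channel): `revoke_on_change=False` reproduces the bug, `True` applies the fix of revoking every outstanding reset token when the email changes, and tokens are single-use and stored hashed.

```python
import hashlib
import secrets
import time


class AccountService:
    # Hypothetical toy service (not the post's code): dict-backed users and reset
    # tokens; tokens are persisted hashed so a database leak does not expose them.
    def __init__(self, revoke_on_change=True, ttl_seconds=900):
        self.revoke_on_change = revoke_on_change  # False reproduces the bug
        self.ttl = ttl_seconds
        self.users = {}          # user_id -> {"email": ..., "password": ...}
        self.reset_tokens = {}   # sha256(token) -> {"user": ..., "exp": ...}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(32)        # unguessable, single use
        self.reset_tokens[self._digest(token)] = {
            "user": user_id, "exp": time.time() + self.ttl}
        return token                             # would be e-mailed as a link

    def _revoke_all(self, user_id):
        self.reset_tokens = {h: t for h, t in self.reset_tokens.items()
                             if t["user"] != user_id}

    def change_email(self, user_id, new_email):
        self.users[user_id]["email"] = new_email
        if self.revoke_on_change:                # the fix: kill outstanding links
            self._revoke_all(user_id)

    def reset_password(self, token, new_password):
        entry = self.reset_tokens.pop(self._digest(token), None)
        if entry is None or entry["exp"] < time.time():
            return False                         # unknown, already used or expired
        self.users[entry["user"]]["password"] = new_password
        self._revoke_all(entry["user"])          # a successful reset revokes siblings
        return True


def old_token_survives_email_change(revoke_on_change):
    """Run the tip's test flow; True means the account-takeover bug is present."""
    svc = AccountService(revoke_on_change=revoke_on_change)
    svc.users["u1"] = {"email": "old@example.invalid", "password": "pw"}
    old_token = svc.request_reset("u1")              # step 1: link left unused
    svc.change_email("u1", "new@example.invalid")    # step 4: change e-mail
    return svc.reset_password(old_token, "x")        # step 5: try the old link
```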