<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>0xManticore writeups</title><description>Security write-ups by Saleh Elsayed (0xManticore): web and API security, WordPress, vulnerability research, and offensive methodology.</description><link>https://0xmanticore.com/</link><language>en-us</language><item><title>A reflected XSS in Cisco Webex Meetings, and what a clean disclosure looks like</title><link>https://0xmanticore.com/blog/cisco-webex-xss-disclosure/</link><guid isPermaLink="true">https://0xmanticore.com/blog/cisco-webex-xss-disclosure/</guid><description>Notes on reporting CVE-2026-20233, an unauthenticated reflected cross-site scripting issue in the Webex Meetings web interface, and the process that turned it into a fixed product and a named credit.</description><pubDate>Wed, 03 Jun 2026 00:00:00 GMT</pubDate><category>web</category><category>xss</category><category>disclosure</category></item><item><title>Unauthenticated SSRF in WordPress plugins, and the callback pattern that keeps producing it</title><link>https://0xmanticore.com/blog/unauthenticated-ssrf-wordpress-plugins/</link><guid isPermaLink="true">https://0xmanticore.com/blog/unauthenticated-ssrf-wordpress-plugins/</guid><description>A field note on the class of bug behind CVE-2026-7798 in FluentCRM. When a plugin fetches a URL supplied in an unauthenticated request, an allowlist is not optional. Educational only, no weaponization.</description><pubDate>Fri, 22 May 2026 00:00:00 GMT</pubDate><category>wordpress</category><category>ssrf</category><category>methodology</category></item></channel></rss>