Burp Suite
| Homepage | https://jameskettle.com/ |
| Twitter | https://twitter.com/albinowax |
| LinkedIn | https://www.linkedin.com/in/james-kettle-albinowax/ |
| PortSwigger | https://portswigger.net/research |
RIP FX - You are a legend.
Here Dino is delivering his Pwnie Award, as well as the last public post FX made last year.

Excited to share that I recently identified and responsibly disclosed a security vulnerability in Akamai's edge servers, which has now been fully remediated and assigned CVE-2026-26365! The issue involved a subtle edge case in HTTP request handling: improper processing of custom hop-by-hop headers. By specifying Transfer-Encoding as a hop-by-hop header via the Connection header, it was possible to trigger inconsistent request framing at the edge, creating a potential HTTP request smuggling vector depending on internal processing paths and origin server behavior. Huge credit to Akamai's security team for their responsiveness and thorough handling of the report. Also shoutout to James Kettle for his amazing research on request smuggling!
New geolocation-based XSS vectors just landed in our XSS cheat sheet. Huge thanks to AmirMohammad Safari for the great submission.
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#onpromptaction

The report from CERT.PL covering the attacks on the Polish energy system is finally available:
https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/

CERT Polska presents a report on the analysis of an incident in the energy sector that occurred on 29 December 2025. The attacks were destructive in nature and targeted wind and photovoltaic farms, a large combined heat and power plant, and a company from the manufacturing sector. The publication aims to raise awareness of the risks associated with sabotage in cyberspace.
Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!