Research

CVE work, vulnerability research, and security-focused writeups across web, browser, and device security.

Findings and disclosuresLast updated May 2026

CVE ID	Product	Vulnerability type	CVSS	Status
CVE-2026-XXXX	Camaleon CMS	Broken Access Control in Plugin Administration Routes	6.3	Reserved
CVE-2026-XXXX	Camaleon CMS	Stored XSS via Draft Post Title	8.7	Reserved
CVE-2026-XXXX	Camaleon CMS	Authenticated RCE via instance_eval in Select Eval Custom Fields	7.2	Reserved
CVE-2026-XXXX	Camaleon CMS	Stored XSS via Contact Form previous_html Rendering	8.7	Reserved
CVE-2026-XXXX	Camaleon CMS	Authenticated SQL Injection via Slug Translations	6.5	Reserved
CVE-2026-XXXX	Camaleon CMS	Authenticated SSTI leading to RCE via render inline in test_email	6.6	Reserved
Disclosed	Generic FH8626V100 / JX-F37P IP Camera	Unauthenticated PSIA API read/write access and plaintext credential disclosure	TBD	Disclosed
Disclosed	Generic FH8626V100 / JX-F37P IP Camera	Blind OS command execution via custom SYSTEM protocol with root telnet compromise	TBD	Disclosed

March 20, 2026

Camaleon CMS Vulnerability Research

Security review of Camaleon CMS 2.9.1 covering broken access control, stored XSS, authenticated RCE, SQL injection, and SSTI-to-RCE findings.

CVEBroken Access ControlStored XSSRCESQL InjectionSSTI

Open Research

March 10, 2026

Breaking Into My Own Camera

IoT camera research chaining unauthenticated PSIA endpoints, plaintext credential exposure, unauthenticated write access, exposed snapshots, and blind command execution into root shell access.

IoT SecurityMissing AuthenticationCredential ExposureCommand Execution

Open Research

December 2, 2025

Kosovo Government Domain Checker

Browser extension research and tooling for identifying official Kosovo government domains and reducing phishing risk.

PhishingDomain VerificationBrowser Extension

Open Research