CVE work, vulnerability research, and security-focused writeups across web, browser, and device security.
Compact tracking for CVEs and public vulnerability disclosures, grouped by affected product.
Broken Access Control in Plugin Administration Routes
Stored XSS via Draft Post Title
Authenticated RCE via instance_eval in Select Eval Custom Fields
Stored XSS via Contact Form previous_html Rendering
Authenticated SQL Injection via Slug Translations
Authenticated SSTI leading to RCE via render inline in test_email
Patch-bypass in Next.js App Router (affecting v16.2.6). Discovered that segment-prefetch transport requests (`.segments/.../.segment.rsc`) failed to undergo proper canonical pathname normalization prior to execution, allowing unauthenticated routing bypasses and static RSC layout data leaks despite existing middleware authentication controls.
Security review of Camaleon CMS 2.9.1 covering broken access control, stored XSS, authenticated RCE, SQL injection, and SSTI-to-RCE findings.
IoT camera research chaining unauthenticated PSIA endpoints, plaintext credential exposure, unauthenticated write access, exposed snapshots, and blind command execution into root shell access.
Browser extension research and tooling for identifying official Kosovo government domains and reducing phishing risk.