The offensive work that powers everything else: CVEs, advisories and bug bounty across enterprise programs and open source projects, with a growing focus on the security of AI/LLM systems.
OS Command Injection (CWE-78) in the v2-dev branch of im3x/Scriptables: unsanitized input passed to a shell, leading to arbitrary command execution on the server. From proof of concept to maintainer notification and MITRE assignment.
Zip Slip / Path Traversal (CWE-22) in codeskyblue/gohttpserver v1.3.0: a malicious archive extracts files outside the intended directory, allowing writes to arbitrary host paths.
Path Traversal (CWE-22, CVSS 9.8) in phpk's GodoOS: validateFilePath() only checks that the path is non-empty, leaving 14+ unauthenticated endpoints free to read, write and delete arbitrary files on the host. Advisory in coordinated disclosure, CVE pending.
Responsible disclosure to Anthropic of a bypass of Claude Code’s safety guardrails. Handled privately with the vendor: the technical details remain confidential.
On a major SaaS customer support platform (engagement under NDA): indirect prompt injection (RAG poisoning) on its AI agent. A poisoned knowledge base article drives the AI to generate phishing replies (asking for the password and redirecting to a malicious URL) that are sent from the official channel with valid DKIM/SPF/DMARC and no human review. Full chain demonstrated end-to-end with .eml proof (OWASP LLM01).
Unauthenticated admin endpoints on the Pyroscope data-plane port enable cross-tenant data access (High, 8.6).
Custom authentication headers (X-API-Key, X-Auth-Token) forwarded to the target of a cross-domain redirect instead of being stripped: a credential leak in the follow-redirects module, axios's redirect dependency. Same class confirmed in five other HTTP libraries; fix shipped in 1.16.0.
Incomplete fix of a path traversal in pghoard delta backup restore (Aiven): arbitrary file write outside the pgdata directory.
Hardcoded Session Secret (CWE-798) in codeskyblue/gohttpserver v1.3.0: a static session key in the source, opening the door to session token forgery. Rescored to 7.5 in triage (the gate guards writes, not reads).
Dangling CNAMEs on railing.meraki.com and heroku.meraki.com point to a registered but inactive Heroku application: subdomain takeover risk.
SSRF in webhook URL validation: no internal IP filtering, with full response body disclosure. Resolved by the vendor.
For a FedRAMP-regulated government SaaS provider (engagement under NDA): AWS Cognito pool credentials exposed in a public config file, enabling unauthenticated user enumeration (PreventUserExistenceErrors disabled) and unthrottled credential stuffing. Full chain demonstrated, from reconnaissance to the conditions enabling account takeover.
Sensitive headers (Authorization, Cookie) not stripped when the client follows a redirect to a different origin: a cross-origin credential leak. Confirmed in Node.js’s global fetch, where undici is vendored.
Same class in the npm client node-fetch: authentication headers survive a redirect to a different host, exposing them to the destination origin.
In the Go client resty: user-set headers are not cleared on a cross-origin redirect, leaking tokens and cookies to the new destination.
In the Go client req, the same leak class: sensitive headers are forwarded to a new origin when following a redirect, with no sanitization.
In the Go client gorequest: authentication headers forwarded to a new origin after the redirect, closing the set of six HTTP libraries hit by the same class.
Credentials preserved across an HTTP→HTTPS same-host redirect when only the port changed: the same-host check compared host and scheme, not the port. Reported on March 20, fixed within six days (PR #12275); closed without a CVE as the code lived only on the v4 development line, never in a release.
Incorrect EIP-712 struct hashing of dynamic types in GuardedMulticaller2: the struct is not encoded per the standard, with risk to signature validation.
Cross-user Kafka consumer hijacking via consumer identifier enumeration in the REST proxy, enabling unauthorized message exfiltration.
Authorization bypass in Grafana nested-folder permissions (Medium, 6.5).
Unauthenticated application version disclosure via the /version endpoint, useful to an attacker for fingerprinting.
SDK sandbox network isolation bypassable: access to the host's Prometheus metrics through the Docker bridge.
SSRF and internal network scanning via the SECURITY DEFINER function aiven_extras.pg_create_subscription().
A selection of the most relevant results, from 40+ programs and projects across Bugcrowd, Intigriti, HackerOne, Huntr and GitHub.