Exploit development, vulnerability research & security writeups
A complete step-by-step walkthrough of the HTB "Facts" machine. From initial access via Camaleon CMS CVE-2025-2304, extracting AWS S3 credentials, cracking an SSH key, to rooting the box using a custom Facter fact.
An unauthenticated path traversal vulnerability in SiYuan ≤ 3.6.1 allows attackers to read arbitrary files from the server via the /appearance/ endpoint, exposing sensitive configuration and system data.
A heap-based buffer overflow in MLX ≤ 0.29.3 allows attackers to trigger memory corruption via crafted NumPy .npy files, potentially leading to denial of service or information disclosure.
An authorization flaw in Discourse allows authenticated non-staff users to issue official warnings to other users by abusing type coercion in the post_actions endpoint.
A kernel vulnerability in Linux-based drone operating systems allows attackers to trigger a system-wide crash by invoking schedule() in an atomic context, leading to denial of service on Parrot and DJI drones.
An authenticated SQL injection vulnerability in Kanboard allows attackers to extract sensitive data such as API tokens and password hashes through the external_id_column parameter in project permissions.
A command injection vulnerability in Glances allows attackers to execute arbitrary OS commands through malicious process or container names when Mustache templates are used in action configurations.
A stack-based buffer overflow vulnerability in LB-LINK BL-WR9000 routers allows attackers to crash the web management service remotely by abusing the HideSSID configuration value, leading to denial of service.
A deserialization vulnerability in Keras allows attackers to execute arbitrary system commands when loading a malicious machine learning model. This proof-of-concept demonstrates how a crafted .keras file can trigger code execution during model loading.
A Use-After-Free vulnerability in Microsoft PowerPoint allows attackers to execute arbitrary code when a specially crafted PPTX file is opened. This article demonstrates a proof-of-concept generator for malicious PPTX files designed to trigger the vulnerability.