This page gathers some of the public bugs I found over the years; don’t hesitate to reach out if you want to know more about them!

Popular Software

RCEs via the NPM integration in Visual Studio < 1.82.1 (CVE-2023-36742)

RCE via the Git URL handler in Visual Studio Code < 1.67.1 (CVE-2022-30129)

Authentication bypass in Zabbix < 5.4.9 (CVE-2022-23131, CVE-2022-23134)

RCE via Git in Visual Studio Code < 1.63.1 (CVE-2021-43891)

RCEs in elFinder <= 2.1.59 (CVE-2021-32682)

LPE in Ubuntu pppd < 2.4.7-2+4.1ubuntu5.1 (CVE-2020-15704)

RCEs in ruTorrent <= 55ddfb4

RCE in Duplicator < 1.2.42 (CVE-2018-17207)

RCE in Etherpad <= 1.6.3 (CVE-2018-9326)

RCE in Etherpad's UberDB <= 1.6.3 (CVE-2018-9327)

Pwn2Own Targets

Pwn2Own 2022 – WAN RCE on Synology RT6600ax

Pwn2Own 2020 – LAN RCE on TP-Link AC1750 sync-server (CVE-2021-27246)

Pwn2Own 2020 – LAN RCE on Western Digital PR4100 login_mgr.cgi

Package Managers Backends and Code Hosting

RCEs in SourceHut’s git.sr.ht (1, 2)

RCEs in SourceHut’s hg.sr.ht (patch)

RCE in Soko affecting packages.gentoo.org (CVE-2023-28424, CVE-TBD)

RCE in pearweb affecting pear.php.net (CVE-2022-27158, CVE-2022-27157)

RCE in Composer <= 2.3.4 affecting packagist.org (CVE-2022-24828)

RCE in Composer <= 2.0.12 affecting packagist.org (CVE-2021-29472)


RCE in Gogs x 4 (CVE TBD)

RCE in Composer PHAR with register_argc_argv (CVE-2023-43655)

Authentication bypass(es) and RCE in CasaOS < 0.4.4 (CVE-2023-37265, CVE-2023-37266)

Heap Overflow in Zscaler for Linux (CVE-2023-28793)

JavaScript Injection in pacparser < 1.4.2 (CVE-2023-28798)

Blind SSRF on WordPress (CVE-2022-3590)

RCEs in Melis Platform (CVE-2022-39296, CVE-2022-39297, CVE-2022-39298)

RCE in Icinga < 2.8.6, 2.9.6, 2.10 (CVE-2022-24715, CVE-2022-24716)

RCE in Crypt_GPG < 1.6.7 (CVE-2022-24953)

PID recycling in ZscalerTunnel for MacOS (CVE-2021-26737)

RCE in GoCD < 21.3.0 (CVE-2021-43286)

Stored XSS to RCE in SmartStoreNET (CVE-2021-32607, CVE-2021-32608)

RCE in Cachet <= 2.4 (CVE-2021-39172, CVE-2021-39173, CVE-2021-39174)

RCE via phar handler in elFinder <= 2.1.59 (CVE-2021-23394)

Format String in mod-auth-openidc <= (CVE-2021-32785)

Open Redirect in mod-auth-openidc <= (CVE-2021-32786)

RCE via missing authorization in Grav CMS < 1.7.10 (CVE-2021-29439)

RCE via SSTI in Grav CMS < 1.7.10 (CVE-2021-29440)

LPE in Softaculous (CVE-2020-26886)

LPE in Fortinet's SSL VPN client for Linux

LPE in Aegir Hostmaster

XXE in SAP Control Center, SAP Cockpit Framework

SSRF in w3-total-cache < (CVE-2018-9845)

SQLi in wp-google-maps < 7.11.18 (CVE-2019-10692)

RCE in elFinder < 2.1.48 (CVE-2019-9194)

SQLi in GLPI <= 9.3.3 (CVE-2019-10232)

XXE and SSRF in Jenkins Job Import <= 2.1

Blind SQLi in wp-statistics < 12.6.7 (CVE-2019-13275)

RCEs in PineApp Mail Secure 5.1

SQLi in Flyspray <= v1.0-rc6 SQLi in Image Intense <= 3.2.5

LPE in Super Duper <= 3.1.6

Reflected XSS in Zend Server < 9.1.3 (CVE-2018-10230)

Authentication bypass in Etherpad <= 1.6.3 (CVE-2018-9845)

Information leak in Etherpad <= 1.6.3 (CVE-2018-9325)