This page gathers some of the public bugs I found over the years; don’t hesitate to reach out if you want to know more about them!
Popular Software
RCEs via the NPM integration in Visual Studio < 1.82.1 (CVE-2023-36742)
RCE via the Git URL handler in Visual Studio Code < 1.67.1 (CVE-2022-30129)
Authentication bypass in Zabbix < 5.4.9 (CVE-2022-23131, CVE-2022-23134)
RCE via Git in Visual Studio Code < 1.63.1 (CVE-2021-43891)
RCEs in elFinder <= 2.1.59 (CVE-2021-32682)
LPE in Ubuntu pppd < 2.4.7-2+4.1ubuntu5.1 (CVE-2020-15704)
RCE in Duplicator < 1.2.42 (CVE-2018-17207)
RCE in Etherpad <= 1.6.3 (CVE-2018-9326)
RCE in Etherpad's UberDB <= 1.6.3 (CVE-2018-9327)
Pwn2Own Targets
Pwn2Own 2022 – WAN RCE on Synology RT6600ax
Pwn2Own 2020 – LAN RCE on TP-Link AC1750 sync-server (CVE-2021-27246)
Pwn2Own 2020 – LAN RCE on Western Digital PR4100 login_mgr.cgi
Package Managers Backends and Code Hosting
RCEs in SourceHut’s git.sr.ht (1, 2)
RCEs in SourceHut’s hg.sr.ht (patch)
RCE in Soko affecting packages.gentoo.org (CVE-2023-28424, CVE-TBD)
RCE in pearweb affecting pear.php.net (CVE-2022-27158, CVE-2022-27157)
RCE in Composer <= 2.3.4 affecting packagist.org (CVE-2022-24828)
RCE in Composer <= 2.0.12 affecting packagist.org (CVE-2021-29472)
Misc.
RCE in Gogs x 4 (CVE TBD)
RCE in Composer PHAR with register_argc_argv (CVE-2023-43655)
Authentication bypass(es) and RCE in CasaOS < 0.4.4 (CVE-2023-37265, CVE-2023-37266)
Heap Overflow in Zscaler for Linux (CVE-2023-28793)
JavaScript Injection in pacparser < 1.4.2 (CVE-2023-28798)
Blind SSRF on WordPress (CVE-2022-3590)
RCEs in Melis Platform (CVE-2022-39296, CVE-2022-39297, CVE-2022-39298)
RCE in Icinga < 2.8.6, 2.9.6, 2.10 (CVE-2022-24715, CVE-2022-24716)
RCE in Crypt_GPG < 1.6.7 (CVE-2022-24953)
PID recycling in ZscalerTunnel for MacOS (CVE-2021-26737)
RCE in GoCD < 21.3.0 (CVE-2021-43286)
Stored XSS to RCE in SmartStoreNET (CVE-2021-32607, CVE-2021-32608)
RCE in Cachet <= 2.4 (CVE-2021-39172, CVE-2021-39173, CVE-2021-39174)
RCE via phar handler in elFinder <= 2.1.59 (CVE-2021-23394)
Format String in mod-auth-openidc <= 2.4.8.4 (CVE-2021-32785)
Open Redirect in mod-auth-openidc <= 2.4.8.4 (CVE-2021-32786)
RCE via missing authorization in Grav CMS < 1.7.10 (CVE-2021-29439)
RCE via SSTI in Grav CMS < 1.7.10 (CVE-2021-29440)
LPE in Softaculous (CVE-2020-26886)
LPE in Fortinet's SSL VPN client for Linux
XXE in SAP Control Center, SAP Cockpit Framework
SSRF in w3-total-cache < 0.9.7.4 (CVE-2018-9845)
SQLi in wp-google-maps < 7.11.18 (CVE-2019-10692)
RCE in elFinder < 2.1.48 (CVE-2019-9194)
SQLi in GLPI <= 9.3.3 (CVE-2019-10232)
XXE and SSRF in Jenkins Job Import <= 2.1
Blind SQLi in wp-statistics < 12.6.7 (CVE-2019-13275)
RCEs in PineApp Mail Secure 5.1
SQLi in Flyspray <= v1.0-rc6 SQLi in Image Intense <= 3.2.5
Reflected XSS in Zend Server < 9.1.3 (CVE-2018-10230)