Category: Blogs
-
' OR 1=1 Still Works in 2026: Pre-Auth SQLi in Moodle (CVE-2026-7274)
On February 13, 2026, I reported a pre-authentication SQL injection in Moodle’s auth_db plugin to the Moodle bug bounty program on Bugcrowd. It was the kind of finding I genuinely did not expect to see in a project this large in 2026: a literal ' OR 1=1-- payload, dropped into the username field on the…
-
Reading the cPanel/WHM emergency patch the day it dropped
Today, cPanel quietly shipped an emergency security update across every supported branch. The advisory was short. There was a vague reference to “session loading and saving” under internal ticket CPANEL-52908, a note that exploitation predated the patch, and six new build numbers, one per supported major. I started to wonder, how do I tell which…
-
Rapid Remediation of an Exposed Firebase Realtime Database
I was recently included in IBD’s 2026 Coordinated Vulnerability Disclosure Hall of Fame for a responsible disclosure report involving an exposed Firebase Realtime Database. What made this case notable was not only the exposure itself, but also how quickly the issue was handled after disclosure. During research into publicly exposed Firebase instances, I identified a…
-
postMessage API security in Chrome extensions
The postMessage API lets different contexts in a browser talk to each other: iframes to parent windows, content scripts to page scripts, extension components to each other. It’s designed to work cross-origin. That’s the whole point of the API. And it’s one of the easiest things to get wrong in a Chrome extension. When you…
-
Open Redirect in LimeSurvey
On February 12, 2026, I responsibly disclosed an open redirect vulnerability in LimeSurvey, the popular open-source survey platform. The issue was patched and released in version 6.16.11+260303 on March 3, 2026. In application/controllers/EditorLinkController.php, the url GET parameter was passed directly into a redirect without any validation or sanitization. This meant that any unauthenticated user could…
-
Adbleed: partially de-anonymizing VPN users with adblock filter lists
Most people assume that using a VPN makes them anonymous online. Your real IP is hidden, your traffic is encrypted, and websites see the VPN server’s location instead of yours. We’ve already seen that this is not fully the case thanks to browser fingerprinting techniques such as the many that https://amiunique.org or the EFF can…
-
Automating security tests for any online chatbot with garak
Last week I was doing some bug bounty hunting and stumbled upon what many websites seem to be having nowadays: an LLM-powered chatbot. I thought it would be really interesting to automate the testing of this chatbot and started looking for some tools, instead of having to manually copy-paste dozens of payloads and waiting for…
-
Joomla (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit
Yesterday Joomla published version 3.6.4, an update to patch security issues. Because I was curious to see how these vulnerabilities worked I decided to check out the patch and write an exploit. By looking at the changes, the issue had to be in the components/com_users/controllers/user.php file. Turns out…