Vulnerability Research

Security vulnerabilities I've discovered and responsibly disclosed since 2020.

TOTAL CVES

CRITICAL FINDINGS

YEARS ACTIVE

CTRL + K

ID	Target	Type	Date	Severity
CVE-2026-27944	Nginx UI	Sensitive Information Disclosure	2026	Critical
CVE-2026-3432	SimStudio	Sensitive Information Disclosure	2026	Critical
CVE-2026-3431	SimStudio	SSRF	2026	Critical
CVE-2026-27167	Gradio	Sensitive Information Disclosure	2026	High
CVE-2026-2577	Nanobot	Broken Authentication	2026	Critical
CVE-2026-25120	Gogs	Broken Authentication	2026	Medium
TRA-2025-50	Ultimate Dashboard	Exposed API Key	2025	Medium
TRA-2025-34	BentoML	SSRF Bypass	2025	High
TRA-2025-33	Feed Them Social	Exposed API Key	2025	Medium
TRA-2025-32	WP Social Ninja	Exposed API Key	2025	Medium
CVE-2025-2304	Camaleon CMS	Privilege Escalation	2025	High
CVE-2024-12015	Project Manager	SQL Injection	2024	High
CVE-2024-10859	Surecart	SQL Injection	2024	Critical
CVE-2024-9148	Flowise	Stored XSS	2024	Medium
CVE-2024-8182	Flowise	Denial of Service	2024	High
CVE-2024-7790	DevikaAI	Stored XSS	2024	Medium
CVE-2024-7297	Langflow	Privilege Escalation	2024	High
CVE-2024-4960	WP RSS Aggregator	Reflected XSS	2024	Medium
CVE-2024-4959	Solidus	Stored XSS	2024	Medium
CVE-2024-1063	AppWrite	Blind SSRF	2024	Medium
CVE-2024-1061	HTML5 Video Player	SQL Injection	2024	Critical
CVE-2023-6360	My Calendar	SQL Injection	2023	Critical
CVE-2023-4137	AYS Popup Box	Reflected XSS	2023	Medium
CVE-2023-28667	Lead Generated	Insecure Deserialization	2023	Critical
CVE-2023-28666	InPost Gallery	Reflected XSS	2023	Medium
CVE-2023-28665	Bulk Price Update	Reflected XSS	2023	Medium
CVE-2023-28664	MDTF – Meta Data Filter	Reflected XSS	2023	Medium
CVE-2023-28663	Formidable PRO2PDF	SQL Injection	2023	High
CVE-2023-28662	Gift Vouchers and Packages	SQL Injection	2023	Critical
CVE-2023-28661	WP Popup Banners	SQL Injection	2023	High
CVE-2023-28660	Events Made Easy	SQL Injection	2023	High
CVE-2023-28659	Waiting: One-click countdowns	SQL Injection	2023	High
CVE-2023-28017	CraftCMS	Stored XSS	2023	Medium
CVE-2023-26326	BuddyForms	Insecure Deserialization	2023	Critical
CVE-2023-26325	ReviewX	SQL Injection	2023	High
CVE-2023-23492	Login with Phone Number	Reflected XSS	2023	Medium
CVE-2023-23491	Quick Event Manager	Reflected XSS	2023	Medium
CVE-2023-23490	Survey Maker	SQL Injection	2023	High
CVE-2023-23489	Easy Digital Downloads	SQL Injection	2023	Critical
CVE-2023-23488	Paid Memberships Pro	SQL Injection	2023	Critical
CVE-2023-0448	WP Helper Lite	Reflected XSS	2023	Medium
CVE-2022-1731	Metasonic Doc WebClient	SQL Injection	2022	Critical
CVE-2022-38131	RStudio Connect	Open Redirect	2022	Medium
CVE-2021-41262	Galette	SQL Injection	2021	High
CVE-2021-41261	Galette	Stored XSS	2021	Medium
CVE-2021-41260	Galette	CSRF	2021	Medium
CVE-2020-25070	USVN	CSRF	2020	Medium
CVE-2020-25069	USVN	RCE	2020	Critical
CVE-2020-15081	PrestaShop	Information Disclosure	2020	Medium