Report: Autovacuum Arbitrary Code Execution via Expression Index Shadow Functions
Autovacuum executes attacker-defined function under the SECURITY_RESTRICTED bypass path.
Read the writeup →Latest research - page 2
38 writeups & notesASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey
ASLR leak through replication metadata.
Read the writeup →Unauthenticated RTSP Video Stream Access via ONVIF WebSocket Endpoint
ONVIF RTSP-over-WebSocket endpoint accessible without authentication.
Read the writeup →SSRF via httptest.cgi IPv6-Mapped Loopback Address Bypass
IPv6-mapped IPv4 (::ffff:127.0.0.1) bypasses the IPv4-only loopback filter on httptest.cgi.
Report: Superuser Database Connection via SECURITY DEFINER dblink Chain
SECURITY DEFINER + dblink loopback chain reaches an unrestricted superuser session.
Read the writeup →Report: Privilege Boundary Violation via Subscription Ownership Escalation
Postgres CREATE SUBSCRIPTION executes under session_user=postgres, escalating sandboxed user to superuser context.
Missing Input Validation in dnsupdate.cgi Delete Path
dnsupdate.cgi delete path skips the input validation applied to add.
Authenticated DoS: Karapace REST Proxy Crash via GZIP Compression Bomb in Kafka Messages
Karapace REST proxy accepts gzip-compressed messages and decompresses without bounds.
Read the writeup →Authenticated DoS: Dragonfly Server Crash via Crafted Stream RESTORE Payload
Unbounded allocation in Dragonfly's stream RESTORE path.
Read the writeup →Stack Overflow in JSONMergePatch Crashes Aiven Managed ClickHouse via Single SELECT Query
Single SELECT JSONMergePatch(...) SIGSEGVs the managed instance. Crash payload is storable in shared tables.
Server-Side Request Forgery via pingtest.cgi Missing Address Validation
pingtest.cgi skips the camera's own validateaddr helper.
SNMP Community String Disclosure to Viewer-Privileged Users via DeviceConfig1 API
SNMP community strings returned in the viewer-role config endpoint.
Read the writeup →Fireblocks MPC-Lib Audit Summary
Eight findings against the open-source Fireblocks MPC-CMP implementation, P1-P4.
Read the writeup →