Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
6 posts
A patched SSRF in Shopware’s uploadFromURL left a nearly identical endpoint exposed – here’s how the bypass works, why even HEAD requests matter, and how to keep your own APIs from suffering the same fate.
A new resource consumption vulnerability (CVE-2026-24215) in NVIDIA Triton Inference Server's DALI backend allows attackers to exhaust GPU memory, leading to denial of service. This post details the vulnerability, its impact, and immediate mitigation strategies.
A critical vulnerability in phpMyFAQ allows unauthenticated password resets by simply knowing a username and email, leading to full account takeover without any token validation.
A deep dive into CVE-2025-11954, a CSRF vulnerability in WISECP with a CVSS score of 8. I break down how the attack works mechanically, why this 'old' class of vulnerability keeps showing up, and provide detailed defense strategies with production-ready code examples.
A critical IP spoofing vulnerability in HestiaCP (CVE-2026-43634) allows unauthenticated remote attackers to bypass security controls. Learn what happened and how to protect your server immediately.
A critical RCE vulnerability in PenPot's MCP module exposed instances to trivial code execution due to binding to all interfaces and an unauthenticated /execute endpoint. Learn what happened, why it matters, and how to secure your systems.