independent security research

h4ckers.me

I'm Mara Vesk // @m4ra. I break software on purpose so the people who ship it don't have to find out the hard way.

  • 60+ CVEs credited
  • 9 years researching
  • 14 conference talks
  • 100% coordinated disclosure

$ cat whoami.md

Nine years turning unexpected behavior into fixed software.

I'm a full-time independent security researcher. My work sits at the point where a system does something its designers never intended — a length field that's trusted one instruction too early, a token verifier that resolves a path it should treat as opaque, an allocator reference that crosses a trust boundary.

Most of what I do is unglamorous: reading code carefully, building harnesses, triaging crashes, and proving — to myself and then to a vendor — whether a finding is exploitable or just noise. The advisories on this site are the small fraction of that work that ended in a tracked, patched CVE.

I disclose everything responsibly. Vendors get a private report and a reasonable window to ship a fix before anything is published. That policy is non-negotiable and it's written down on the disclosure page.

$ name
Mara Vesk
$ role
independent researcher
$ focus
memory safety · auth logic · isolation
$ based
remote · CET (UTC+1)
$ langs
C, Rust, Python, asm
$ policy
coordinated, 90-day default

$ man mara

How a finding goes from a strange crash to a shipped fix.

A working researcher's loop — not a buzzword cloud. Three phases, repeated until the bug is dead.

  1. Find the bug

    Source and binary auditing, reverse engineering on x86-64 and ARM64, and structure-aware fuzzing of parsers and protocols. Mostly slow, careful reading.

  2. Prove it's real

    Memory-corruption primitives, heap grooming, ASLR/CFI defeat, sandbox and VM escapes — turned into a minimal proof of concept that demonstrates real impact.

  3. Get it fixed

    Coordinated disclosure, CVE and advisory authoring, and the very human work of liaising with a vendor PSIRT until a patch actually ships.

$ grep -l "exploitable" advisories/

Recent advisories.

CVE-2026-31884 · MV-2026-0114
Critical · 9.8

Pre-auth heap overflow in Aperture Gateway TLS resumption

Product: Aperture Gateway 7.x
Class: CWE-122
Vector: Network / unauthenticated
Disclosed: 2026-04-22

A session-ticket parser trusts an attacker-controlled length field before bounds checking, allowing a remote unauthenticated heap overflow during the TLS 1.2 resumption handshake. Reliable code execution was demonstrated against the default appliance build.

Impact: Remote code execution as root on the appliance.
#memory-safety #tls #rce
Patched
CVE-2026-22057 · MV-2026-0089
Critical · 9.1

Authentication bypass via JWT 'kid' path traversal in Lattice IdP

Product: Lattice IdP 4.2 – 4.9
Class: CWE-287
Vector: Network / unauthenticated
Disclosed: 2026-02-09

The token verifier resolves the JWT 'kid' header as a filesystem path without canonicalization, letting an attacker point key lookup at a predictable empty file and forge tokens signed with an empty HMAC secret. Full account takeover follows for any tenant.

Impact: Complete authentication bypass and tenant impersonation.
#auth-bypass #jwt #logic
Patched
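The 'kid' lookup pattern from the Lattice IdP advisory, as an added illustration that is not the vendor's code or the advisory's proof of concept: a hypothetical verifier that resolves kid as a relative path (the weak pattern) beside one that treats kid as an opaque key identifier, with a constructed key store and a constructed empty-secret token to show which verifier accepts it.

```python
import base64, hashlib, hmac, json, os, tempfile

def _b64e(b: bytes) -> str: return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64d(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Compact JWS builder, used for both the genuine token and the forgery below.
    h = _b64e(json.dumps(header, separators=(",", ":")).encode())
    p = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}." + _b64e(hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest())

def lookup_vulnerable(kid: str, keydir: str) -> bytes:
    # Weak pattern: kid is joined onto a path with no canonicalization, so "../"
    # escapes keydir and an empty file comes back as an empty HMAC secret.
    with open(os.path.join(keydir, kid), "rb") as f:
        return f.read()

# Constructed key store: kid -> secret (hypothetical values for this example only).
KEYS = {"k-2026-01": b"constructed-demo-secret-0123456789abcdef"}
def lookup_hardened(kid: str) -> bytes:
    # kid is an opaque identifier: exact-match lookup, never a filesystem path, and a
    # missing or too-short key is an error rather than a usable (empty) secret.
    secret = KEYS.get(kid)
    if secret is None or len(secret) < 32:
        raise ValueError("unknown or unusable kid")
    return secret

def verify_hs256(token: str, lookup) -> bool:
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64d(h))
        if header.get("alg") != "HS256" or not isinstance(header.get("kid"), str):
            return False
        expected = hmac.new(lookup(header["kid"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64d(s))
    except (ValueError, KeyError, OSError):
        return False

def demo() -> dict:
    # Which verifier accepts which token; the forged token is signed with an empty secret.
    tmp = tempfile.mkdtemp()
    os.mkdir(os.path.join(tmp, "keys"))
    open(os.path.join(tmp, "empty"), "wb").close()  # constructed empty file outside keydir
    forged = sign_hs256({"alg": "HS256", "kid": "../empty"}, {"sub": "admin"}, b"")
    genuine = sign_hs256({"alg": "HS256", "kid": "k-2026-01"}, {"sub": "alice"}, KEYS["k-2026-01"])
    vuln = lambda k: lookup_vulnerable(k, os.path.join(tmp, "keys"))
    return {"vulnerable_accepts_forged": verify_hs256(forged, vuln),
            "hardened_accepts_forged": verify_hs256(forged, lookup_hardened),
            "hardened_accepts_genuine": verify_hs256(genuine, lookup_hardened)}
```

The fix is in the lookup, not the signature check: once kid can only select from a known set of keys and an empty or undersized key is refused, the traversal string has nothing to reach.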
CVE-2025-49120 · MV-2025-0231
High · 8.8

SQL injection to RCE in Quillstone CMS media importer

Product: Quillstone CMS 12.0 – 12.6
Class: CWE-89
Vector: Network / authenticated (low priv)
Disclosed: 2025-11-30

An EXIF caption field is concatenated into a SQL statement during media import. A low-privileged editor can chain the injection with the engine's INTO OUTFILE primitive to drop a PHP stub into the webroot, escalating to remote code execution.

Impact: Authenticated SQLi leading to remote code execution.
#sqli #rce #web
Patched

$ open secure-channel

Found something in your product?

I take reports seriously and I credit the people who send them. If you've got a finding — or you want an extra set of eyes on a system before it ships — get in touch.