research index
mara@workstation:~/research$ grep -rl "exploitable" advisories/
Published advisories from coordinated-disclosure engagements. Each entry shipped with a tracked CVE, a proof of concept held privately, and a fix from the vendor. Identifiers, vendors, and products here are illustrative.
Showing 6 of 6 advisories
A session-ticket parser trusts an attacker-controlled length field before bounds checking, allowing a remote unauthenticated heap overflow during the TLS 1.2 resumption handshake. Reliable code execution was demonstrated against the default appliance build.
The token verifier resolves the JWT 'kid' header as a filesystem path without canonicalization, letting an attacker point key lookup at a predictable empty file and forge tokens signed with an empty HMAC secret. Full account takeover follows for any tenant.
An EXIF caption field is concatenated into a SQL statement during media import. A low-privileged editor can chain the injection with the engine's INTO OUTFILE primitive to drop a PHP stub into the webroot, escalating to remote code execution.
A type-confusion bug in the host-call marshalling layer lets sandboxed WebAssembly modules pass a forged reference to the host allocator, corrupting the embedder's object table and breaking out of the isolate. Demonstrated against multi-tenant function workloads.
Password-reset tokens were derived from a millisecond timestamp seeded with a 16-bit counter. With timing observed from the reset email, the token space collapses to a few thousand candidates, enabling practical account takeover via brute force.
A malformed RTP fragmentation header causes the depacketizer to read past the packet buffer when reassembling H.264 NAL units, leaking adjacent heap memory into decoded frames and crashing the stream handler.
$ no advisories match that filter — try clearing the search.
$ how a finding ships
Reproduce reliably, isolate the root cause, and decide whether the bug is actually reachable and exploitable — not just a crash.
Build a minimal proof of concept that demonstrates real impact. The PoC stays private and is shared only with the vendor.
Send a detailed write-up to the vendor's security contact, request a CVE, and agree on a disclosure timeline.
Once a fix ships or the window closes, publish the advisory here with enough detail to be useful and not enough to be a weapon.