Security Research

CVEs, security advisories, and other vulnerabilities I've reported and helped fix.

  • GHSA-62j3-r93h-3fpp CVSS 3.1 GHSA Lichess Jul 10, 2026
    Private broadcast exfiltration via relay round sync

    Lichess is a free, open-source online chess platform. Its broadcast relay can sync a round's games from another Lichess broadcast, an action meant to require the Relay permission, but the permission check inspects the source URL's host while the resolver reads its path, so a URL on any other host that carries a valid round id in its path slips past the check and still loads the round with no visibility check. Any account that knows a private broadcast's eight-character round id could read all of its games, moves, and annotations, and republish them through a public broadcast.

  • GHSA-8738-rh94-9c27 CVSS 8 GHSA Lichess Jul 6, 2026
    Account takeover of invited students via password reset

    Lichess is a free, open-source online chess platform. Its class password-reset action omitted the ownership check that its other class actions enforce. Any self-appointed teacher could reset and read the password of any user who accepted a class invite, taking over their account.

  • GHSA-8j7w-m3cr-6q6x CVSS 7.2 GHSA Pi-hole FTL Jul 6, 2026
    Remote code execution via CivetWeb config injection

    Pi-hole is a network-wide DNS ad blocker, and FTL is its embedded DNS and API engine. An admin-controlled setting accepted arbitrary web-server options with no allowlist, while a separate import wrote an attacker-supplied file to disk unchecked. Chained together, an authenticated admin could run arbitrary code on the host.

  • CVE-2026-56448 CVSS 8.3 CVE AIL Framework Jun 22, 2026
    Path traversal / arbitrary file read in investigation downloads

    AIL Framework is an open-source platform for analyzing and detecting information leaks in unstructured data. Its investigation download feature joined user-controlled identifiers to storage paths without keeping the result inside the intended directories. An authenticated user could traverse the filesystem and pull arbitrary readable files into a generated archive.

  • CVE-2026-56450 CVSS 5.1 CVE AIL Framework Jun 22, 2026
    2FA TOTP brute-force via missing rate limit

    AIL Framework is an open-source platform for analyzing and detecting information leaks in unstructured data. Its two-factor verification step placed no limit on failed one-time-code attempts. An attacker who had passed the password stage could brute-force the second factor and bypass 2FA to reach the account.

  • CVE-2026-58269 CVSS 8.1 CVE Sync-in Jun 22, 2026
    Complete 2FA bypass via /api/auth/token

    Sync-in is a self-hosted file sync and sharing server. Its token endpoint authenticated on username and password alone and issued full session tokens without checking whether the account had 2FA enabled. Anyone holding valid credentials for a 2FA-protected account could bypass the second factor in a single request.

  • CVE-2026-58270 CVSS 6.5 CVE Sync-in Jun 22, 2026
    ReDoS via unsanitized regex in sync diff pathFilters

    Sync-in is a self-hosted file sync and sharing server. Its sync-diff endpoint compiled a user-supplied value into a regular expression and ran it synchronously with no complexity checks. A catastrophic-backtracking pattern could stall the server's event loop and deny service to other users.

  • CVE-2026-58271 CVSS 6.8 CVE Sync-in Jun 22, 2026
    TOTP brute-force via /api/app/sync/register

    Sync-in is a self-hosted file sync and sharing server. Its sync-client registration endpoint failed to advance the account lockout counter on failed TOTP attempts. An attacker could brute-force the second factor and, on a successful guess, register a client or disable MFA outright.

  • CVE-2026-56138 CVSS 5.3 CVE AIL Framework Jun 19, 2026
    Authenticated path traversal in /objects/item/diff

    AIL Framework is an open-source platform for analyzing and detecting information leaks in unstructured data. Its item-diff endpoint compared item contents before confirming both items existed, so crafted identifiers could escape the intended storage directory. An authenticated user could read arbitrary gzip-compressed files from the server's filesystem.

  • CVE Pending CVSS 5.3 BookStack Jun 9, 2026
    Search-system abuse (error / log flooding)

    BookStack is an open-source wiki and documentation platform. Its search system mishandled certain crafted queries, raising errors instead of rejecting them cleanly. An attacker could abuse this to generate repeated errors and flood the application's logs.

  • CVE-2026-49976 CVSS 6.5 CVE Snipe-IT Jun 8, 2026
    Account escalation via CSV import

    Snipe-IT is an open-source IT asset management system. Its CSV user importer rebuilt the update payload from the raw CSV row rather than the authorization-checked model, so a user holding only the import permission could set fields they were not allowed to change. This let an attacker overwrite another user's email and take over the account through a password reset.

  • CVE-2026-49870 CVSS 5.9 CVE Snipe-IT Jun 8, 2026
    TOTP brute-force via missing rate limit

    Snipe-IT is an open-source IT asset management system. Its two-factor verification endpoint enforced no rate limiting or attempt counter, leaving TOTP codes open to unlimited guessing. An attacker with valid credentials could brute-force the second factor to finish logging in and, where 2FA was optional, disable it entirely.

  • CVE Pending CVSS 6.5 BookStack May 21, 2026
    MFA brute-force (rate-limiting fix)

    BookStack is an open-source wiki and documentation platform. Its multi-factor verification routes enforced no rate limiting. An attacker could brute-force a user's second factor to get past MFA.