Vulnerability Research
CVE-2025-57520 – Stored XSS in Decap CMS (<= 3.8.3)
Stored XSS vulnerability in Decap CMS versions up to and including 3.8.3, allowing script injection through content fields. Includes PoC and remediation steps.
HackTheBox
Nibbleblog CMS arbitrary file upload vulnerability for an initial shell, then root access through a sudo misconfiguration on Linux.
CTF Writeups
Joomla information disclosure (CVE-2023-23752) leaking database credentials, then privilege escalation to root via apport-cli on Linux.
HackTheBox
IIS file upload bypass via web.config for an initial shell on Windows, then SYSTEM access using the Chimichurri (MS10-059) kernel exploit.
AI Security
A simple prompt about security policies tricked an AI chatbot into leaking its API key. Real-world case study on AI deployment security failures.
AI Security
Red teaming an AI-powered shell application — prompt injection, command injection, and sandbox escape techniques against LLM-integrated CLI tools.