CVE discoveries and responsible disclosure stories
Vulnerability Research
Important: These PoCs are for an isolated, consented test environment only (e.g., local Bitnami Moodle Docker). Do not run tests against production or third-party systems. Use non-exfiltrative payloads (e.g., alert('stored-xss')) for public demonstrations. Redact any real usernames/hostnames in screenshots before publishing. Summary This PoC
Penetration Testing
Vulnerability Summary * Vulnerability Type: Insecure Direct Object Reference (IDOR) * Component: Moodle – OpenAI Chat Block Plugin (block_openai_chat) v3.0.1 (Build: 2025021700) * Endpoint: /blocks/openai_chat/api/completion.php * Vulnerable Parameter: blockId * Impact: Information Disclosure, Privilege Escalation, Potential Model Misuse * Attack Prerequisites: Authenticated low-privileged user (e.g., student or
Penetration Testing
Date: 17-Oct-2025 Tags: Cybersecurity, responsible-disclosure, penetration-testing Summary * Vulnerability: Stored Cross-Site Scripting (XSS) in Moodle PDF Annotator plugin (mod_pdfannotator) — Public Comments rendering. * CVE: CVE-2025-60506 (assigned) * Discoverer: Onurcan Genç — Independent Security Researcher * Tested environment: Bitnami Docker image for Moodle 4.x * Plugin: mod_pdfannotator v1.5 (release 9, build 2025090300) * Browser
Vulnerability Research
A stored cross-site scripting (XSS) vulnerability exists in Decap CMS up to version 3.8.3. The issue affects multiple input fields in the admin interface and is triggered when a privileged user opens the content preview panel of a malicious entry. Vulnerability Summary * CVE ID: CVE-2025-57520 * Type: Stored Cross-Site
Vulnerability Research
SQL Authentication Bypass in Fikir Odaları AdminPando Summary Field Value CVE IDCVE-2025-10878 ProductFikir Odaları AdminPando VendorOmran İnşaat A.Ş. Vulnerable URLhttps://www.omran.com.tr/admin/logIn.php Affected Versionv1.0.1 (and possibly earlier) Vulnerability TypeCWE-89: SQL Injection CVSS v3.1 Score10.0 (Critical) CVSS VectorAV:N/AC:L/