A fun gadget I found recently! The .NET JIT compiler makes sure there are no rwx pages by using a memfd, but that turns file writes into straight shellcode execution 🐚
Offensivecon's talks are now available on our YouTube channel! 🔗 buff.ly/g63xgm5
SELECT shell FROM postgres: Digging up a 20-year-old bug for ZeroDay.Cloud by @pspaul95.bsky.social and Moritz Sanft
Pwning PostgreSQL was quite fun, excited to share our research at OffensiveCon! www.offensivecon.org/speakers/202...
📱 1-click RCE in the YTDLnis Android app! On Android, turning file writes into RCE is usually quite hard, but here the app had a nice gadget for us. Check out the details in our latest blog post: www.sonarsource.com/blog/ytdlnis... #appsec #security #vulnerability
🧟 A fixed vulnerability that comes back to life? This could have happened in GitHub Actions until yesterday! Learn how attackers could have exploited seemingly fixed workflow vulnerabilities: www.sonarsource.com/blog/zombie-... #appsec #security #vulnerability
My TROOPERS25 talk has been uploaded! If you ever wondered if "style-src: 'unsafe-line'" in your CSP is bad, this one is for you. Scriptless Attacks: Why CSS is My Favorite Programming Language www.youtube.com/watch?v=Owp-...
This was pretty fun to exploit! Even though I didn't manage to pwn the version used for Pwn2Own Berlin, I still learned a ton about LLMs. Maybe I can get my revenge in future competitions 🤞
Using SonarQube to solve a CTF challenge? Done! ✅ Learn how we detected a 0-day vulnerability during #KalmarCTF, making us first to solve the challenge! From Zip Slip to RCE, using lazy class loading: www.sonarsource.com/blog/code-se... #appsec #CTF #vulnerability
🔓⏫ After compromising every endpoint within an organization, our “Caught in the FortiNet” blog series comes to an end with one more thing. Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS: www.sonarsource.com/blog/caught-... #appsec #security
OffensiveCon 2026 Talks
OffensiveCon26
Discover a vulnerability our researchers found in the Android app YTDLnis, allowing attackers to execute code on victim devices.
YouTube video by TROOPERS IT Security Conference
From intent extra to RCE: Argument injection in YTDLnis
TROOPERS25: Scriptless Attacks - Why CSS is My Favorite Programming Language
In the last blog of this series, we will focus back on FortiClient and learn how the inner workings of this application work, and what crucial mistake happened that led to us uncovering a local privil...
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3)
pspaul
OffensiveCon
SonarResearch
Shellcode execution as a service! To exploit an argument injection in Jellyfin, we searched and found a gadget in the .NET runtime to turn file writes into code execution. Learn about the bug and this new technique in our blog post: www.sonarsource.com/blog/jellyfi... #appsec #vulnerability
From bit flip to RCE in Ollama! 🦙 Our latest blog post explains how a file parsing bug led to an interesting out-of-bounds write primitive. Learn how it could have been exploited in Ollama, a tool to run LLMs locally: www.sonarsource.com/blog/ollama-... #security #vulnerability #llm #ai
Explore a Jellyfin remote code execution flaw where inconsistent validation enables FFmpeg argument injection and unauthenticated code execution.
Jellyfin RCE | Inconsistent Validation Leads to Argument Injection