CryptoCat
Security Researcher @rapid7.com 😈 Hacking Content @ https://yt.cryptocat.me 💜
Posts

CryptoCat: I found a stored XSS in the slideshow feature of Hedgedoc. It was the preview release, so no CVE (or patch), but here's the writeup anyway! 🦔 cryptocat.me/blog/researc...

TrendAI Zero Day Initiative: That's a wrap on Pwn2Own Berlin 2026! 🏆 $1,298,250 awarded. 47 unique 0-days. 3 days of absolute chaos. And talk about main character energy - congrats to DEVCORE for claiming Master of Pwn with 50.5 points and $505,000 - they never slowed down. See you next year! #Pwn2Own #P2OBerlin

CryptoCat: New video about the argument injection bug I found in Gogs! youtu.be/wt6l_5VB91A

CryptoCat: New episode of the @rapid7.com podcast! 👀 @stephenfewer.bsky.social joins @fulmetalpackets.bsky.social and myself to talk about the latest SD-WAN auth bypass - available now in the Metasploit framework 😎 www.youtube.com/watch?v=tg4T...

CryptoCat: An SQLi I found in Photo Gallery by 10Web was disclosed this week! cryptocat.me/blog/researc...

CryptoCat: Quick video about the new SD-WAN Auth bypass (CVE-2026-20182) discovered by @rapid7.com Labs 👀 I say quick, because @stephenfewer.bsky.social will be joining @fulmetalpackets.bsky.social and myself to talk all about it (and more) in the next podcast - dropping Thursday 🔥 youtu.be/_AxRbX_GLiA

CryptoCat: Found an unpatched RCE in Gogs 👀 Any authenticated user can get code execution on the server through argument injection into git rebase. Full @rapid7.com writeup + #Metasploit module available now! 🔗 www.rapid7.com/blog/post/ve...

CryptoCat: Writeup coming 🔜 github.com/TryGhost/Gho...

CryptoCat: Another bug I found in ProfileGrid was disclosed this week. Broken access control! cryptocat.me/blog/researc...

CryptoCat: Here's the writeup for CVE-2026-53943, a cache poisoning -> XSS vuln I found in Ghost CMS 👻 cryptocat.me/blog/researc...
Link previews attached to the posts above

HedgeDoc 2 Stored XSS via Slideshow Reveal Background Iframe | CryptoCat's Blog (cryptocat.me)
Root cause analysis of a stored XSS in HedgeDoc 2's slideshow renderer, where a Reveal data-background-iframe attribute carrying a javascript: URL survives DOMPurify and is later loaded as an iframe s...

Rebase Before Merging? More Like RCE Before Merging (Gogs Zero Day) (youtu.be)
YouTube video by CryptoCat

Hacktics and Telemetry, E6: Cisco SD-WAN Zero-Days, Mythos AI Evaluations, and Pwn2Own Drama (www.youtube.com)
YouTube video by Rapid7

Photo Gallery by 10Web Compact Album Second-Order Blind SQL Injection | CVE-2026-9829 | CryptoCat's Blog (cryptocat.me)
Root cause analysis of CVE-2026-9829 in Photo Gallery by 10Web, where compact album shortcode sort direction was stored then later reached an album ORDER BY clause and allowed Contributor+ time-based ...

Authenticate? No Thanks, I'll Skip It! (CVE-2026-20182) (youtu.be)
YouTube video by CryptoCat

Cache-poisoning XSS in Ghost frontend via x-ghost-preview header (github.com)
Impact: When Ghost is behind a shared caching layer that results in cached content being shared between different visitors (e.g., Fastly, Cloudflare, nginx proxy_cache, and others), an unauth...

ProfileGrid Missing Authorization Allows Subscriber+ Arbitrary Group Joining | CVE-2026-4609 | CryptoCat's Blog (cryptocat.me)
Root cause analysis of CVE-2026-4609 in ProfileGrid, where a nonce-only AJAX invite flow lets Subscriber-level users add themselves or other registered users to closed and paid groups.

Ghost CMS Unauthenticated Cache-Poisoning XSS to Account Takeover via x-ghost-preview | CVE-2026-53943 | CryptoCat's Blog (cryptocat.me)
Root cause analysis of CVE-2026-53943 in Ghost CMS, an unauthenticated cache-poisoning XSS where one anonymous request poisons any caching layer in front of Ghost with attacker-controlled JavaScript t...