Compound's liquidation mechanism fails to validate whether seized assets are actually held as collateral by the borrower, allowing liquidators to seize any of a user's cTokens regardless of whether they were entered into markets. This can result in unauthorized asset seizure even for assets the user explicitly exited from.
Brahma.Fi's L2 position handler miscalculates the value of positions in negative states due to sign confusion in the positionInWantToken() function, where negative account values (indicating underwater accounts rather than short positions) are treated as positive, leading to incorrect share issuance, excess withdrawals, and potential protocol insolvency.
Educational writeup on array input validation vulnerabilities in Substrate smart contracts, demonstrating how missing percentage validation in a voting function allows attackers to exceed 100% voting weight across multiple pools or repeat pool IDs to multiply voting power and drain rewards.
A cross-chain messaging protocol's signature verification can be bypassed when a new domain is added: if enrollValidator is called before setThreshold, the commitment is saved with threshold=0, allowing attackers to frontrun setThreshold and process unsigned messages with a malicious commitment hash matching the stored zero-threshold commitment.
Security researcher discovered an RCE vulnerability in a PHP application by exploiting insufficient input validation on a user ID parameter passed to shell_exec(curl) calls. By bypassing the integer-only check and injecting backtick-delimited shell commands, the attacker achieved code execution running as root.
A security researcher bypassed a custom token-based rate-limiting protection in an Android application by using Frida to dynamically hook and overload the native token generation method at runtime, circumventing rate-limit detection through method signature manipulation and allowing brute-force attacks to succeed.
A researcher discovered a critical vulnerability chain in a multi-tenant business data management app: predictable, non-expiring invitation tokens with no signature protection allowed brute-forcing access to organizations. Coupled with a secondary issue that exposed pending admin invitations, this enabled full organizational takeover with minimal detection risk.
Two well-known but still exploitable RCE vulnerabilities in Atlassian products: CVE-2019-11581 in Jira's ContactAdministrators form via Java expression injection, and CVE-2019-3396 in Confluence's Widget Connector macro allowing arbitrary file access and command execution via the _template parameter. The article provides step-by-step exploitation techniques with proof-of-concept payloads.
Michael Stepankin discovered an RCE vulnerability in PayPal's manager.paypal.com caused by unsafe Java object deserialization of the 'oldFormData' parameter, exploitable via Commons Collections gadget chain using ysoserial-generated payloads to execute arbitrary shell commands with database access.
This article details a real-world RCE vulnerability chain on Adobe Experience Manager (AEM) 6.1, exploiting exposed Felix Console through dispatcher bypass (CVE-2016-0957), default credentials (admin/admin), and malicious OSGi bundle deployment. The author provides step-by-step methodology for gaining code execution without Java knowledge by using pre-built exploitation tools.
A rate-limiting bypass vulnerability allowed attackers to brute-force Instagram account passwords through Facebook's mobile endpoint by distributing attempts across multiple test accounts created via Facebook apps, enabling up to 6 million password attempts daily instead of the intended 20 per account.
TinyCards Android app loaded initial web content over HTTP instead of HTTPS, allowing MITM attackers to inject malicious JavaScript into the WebView and achieve code execution. The vulnerability was fixed in v1.0 (version code 10) by switching to SSL for initial content loading.
A Flask/Jinja2 template injection vulnerability was discovered in an email generation utility that evaluated user input in email subject fields. The attacker exploited Python object introspection through Jinja2 syntax to access the file class and read sensitive files including configuration files with API keys and encryption keys from a GCE instance.
A researcher discovered a Server-Side Request Forgery (SSRF) vulnerability using DNS rebinding to bypass IP-based access controls, escalating through AWS metadata enumeration and Monit admin interface exploitation to achieve instance shutdown and memory disclosure. The writeup details the methodology, tool creation, and real-world exploitation chain that combined multiple vulnerabilities.
A CORS misconfiguration vulnerability where a website trusts all origins ending with a specific domain string (e.g., evilredacted.com is trusted for redacted.com because the suffix check is not anchored at a dot), allowing an attacker who registers a domain with that suffix to make authenticated requests and steal session credentials via JavaScript. The attacker registers a domain like kiraakredacted.com and crafts a malicious page that calls the /v1/user API endpoint with credentials enabled to extract user session IDs.
Security researcher Josip Franjković discovered four SQL injection vulnerabilities across Nokia domains between April and July 2013, exploiting blind SQL injection in INSERT queries via User-Agent headers and time-based attacks on legacy PHP sites, earning a Nokia Lumia 820 and Top Reporter status.
A critical Slack SAML authentication bypass vulnerability caused by failure to validate the Audience restriction element in SAML assertions, allowing attackers to present assertions meant for other service providers (e.g., expired Github assertions) to gain unauthorized access to Slack accounts. The vulnerability exploited the "confused deputy problem" and was reported and patched in 2017.
Security researcher Josip Franjković documents race condition vulnerabilities discovered on Facebook, DigitalOcean, and LastPass that allow attackers to bypass single-use restrictions on page reviews, usernames, and promo codes by sending concurrent requests to trigger non-atomic operations. The bugs were responsibly disclosed and patched across all affected platforms.
SQL injection vulnerability in tw.stock.yahoo.com's getjson.php endpoint exploited via double URL encoding (%2527) to bypass single-quote filtering, achieving root database access and ability to extract MySQL password hashes.
AirDoS is a denial-of-service vulnerability in iOS that allows attackers to remotely spam nearby iPhones/iPads with infinite AirDrop share popups, rendering the UI unusable until the device is restarted or the user escapes Bluetooth/WiFi range. Apple patched it in iOS 13.3 (December 2019) with a rate limit that auto-declines requests after 3 rejections from the same device.
A researcher discovered an unauthenticated Apache Solr instance running on a Microsoft subdomain and exploited CVE-2019-17558 through Velocity template injection to achieve remote code execution. The vulnerability required two steps: enabling the resource loader via config API, then injecting malicious Velocity templates to execute arbitrary commands.
A technical writeup of an Oracle SQL injection vulnerability discovered during a pentest/bug bounty, demonstrating a novel technique using pipe operators and string concatenation with the rownum function to bypass CASE() filtering and extract data like usernames despite character restrictions (underscore, parentheses, plus signs, dots, spaces).
Researcher discovered an improper authorization vulnerability in HackerOne's Embedded Submission Form feature that allows bypassing both 2FA requirements and hacker blacklist restrictions when submitting bug reports to programs. Both bypasses stemmed from the same missing authorization check, resulting in a $10,000 bounty ($2,500 initial + $7,500 for expanded scope).
An IDOR vulnerability in Facebook's video poll feature allowed attackers to delete polls from other users' videos by manipulating the deleted_poll_ids parameter in a POST request to the video edit endpoint. The vulnerability was reported in November 2018 and patched within days.
A 2FA bypass vulnerability where improperly implemented rate limits could be bypassed using the X-Forwarded-For HTTP header, allowing attackers to brute-force TOTP codes. The vulnerability stems from the rate limit being based on manipulable HTTP headers rather than server-side session identifiers.
Multi-stage vulnerability chain exploiting GitHub credential leaks, password pattern analysis, and CVE-2019-11580 in outdated Atlassian Crowd to achieve RCE and internal network access at a major ICT company. The attacker combined reconnaissance, Google dorking, and public exploits to breach the internal network perimeter.
Educational article explaining race condition vulnerabilities in web applications, particularly in financial systems, with real-world examples including the Starbucks gift card exploit where attackers could generate unlimited credit by sending concurrent transfer requests to bypass balance checks.
Ron Chan discovered an SSRF vulnerability in Google Cloud Platform's Stackdriver Debug feature that allowed attackers to steal user OAuth access tokens from connected Git repositories (GitHub, GitLab, Bitbucket) by exploiting an unvalidated URL parameter that made SSRF requests with the victim's authorization headers.
A detailed writeup of discovering and exploiting an SSRF vulnerability in a proxy endpoint by bypassing URL whitelist restrictions through subdomain enumeration, testing wildcard domain logic, discovering that amazonaws.com was whitelisted, and ultimately planning to use a custom domain (neemacompany.com) with DNS manipulation to bypass the whitelist validator.
A researcher discovered an SSRF vulnerability in a Jira instance and escalated it to local file read by chaining it with an internal GlassFish server exploit using double-URL encoding to bypass path traversal protections and read /etc/passwd.