A list of vulnerabilities I found.
Some vulnerabilities come with deep technical writeups, exploits or even fuzzing session walkthroughs.
Some vulnerabilities don't have CVEs because maintainers ghosted me, or because a maintainer didn't agree it's a security bug; I decided to release those as well.

| CVE | Target | Short Description | Discovery Method | Write-up/report/other |
|---|---|---|---|---|
| CVE-2025-58364 | CUPS - Linux Printing Stack | Remote DoS via a fake printer response | Fuzzing IPP packet deserialization | write-up, including fuzzing & exploitation |
| CVE-2025-61915 | CUPS - Linux Printing Stack | Stack Underflow when parsing config with a ROP chain exploit | Fuzzing config parser | write-up, including fuzzing & exploitation |
| CVE-2025-61915 (2) | CUPS - Linux Printing Stack | Local DoS when parsing config due to null dereference | Fuzzing config parser | write-up, including exploitation |
| CVE-2026-27447 | CUPS - Linux Printing Stack | Authorization Bypass due to case-insensitive user name comparison | Static code analysis of the user auth component | write-up, including demo of chaining with CVE-2025-61915 to get unprivileged-to-root LPE |
| CVE-2026-23246 | Linux Kernel | Stack-based OOB write in mac80211 | CodeQL + Static code analysis | Commit & report |
| CVE-2026-31405 | Linux Kernel | Stack-based OOB read in dvb-net | self-developed AI tool; may be released in the future | Commit & report |
| CVE-2026-25883 | Vexa AI | SSRF - allows authenticated users to configure an arbitrary URL that receives HTTP POST requests | self-developed AI tool; may be released in the future | report |
| CVE-2026-25058 | Vexa AI | IDOR - Internal endpoint that returns transcript data for any meeting without any authentication or authorization | self-developed AI tool; may be released in the future | report |
| No CVE | CUPS - Linux Printing Stack | Service load timeout due to config-injection causes local DoS | Static code analysis of config parsers | Report. Maintainer didn't see this as a vuln 🤷♂️ |
| No CVE | ksmbd - SMB1 | OOB read due to incorrect pointer arithmetic | Static code analysis | Commit & report. After merging my commit, the maintainer didn't reply to my CVE request. |