Security research write-ups and disclosure records by @whatisproblem.
This repository documents vulnerabilities I have responsibly disclosed to upstream maintainers. Each finding includes root-cause analysis, an exploitation walkthrough, the upstream fix, and the GHSA / CVE references.
All write-ups are published after the upstream patch is released. PoCs are intentionally trimmed to the minimum reproduction needed to demonstrate impact.
FreeScout, a PHP / Laravel helpdesk. Patched in 1.8.217.
| CVE | GHSA | Severity (CVSS) | Class | Title |
|---|---|---|---|---|
| CVE-2026-41902 | hqff-cwx7-3jpm | Critical (9.1) | CWE-613 | User invitation hash never expires — permanent unauthenticated account takeover |
| CVE-2026-41903 | f489-qxv6-gvgg | Moderate (5.4) | CWE-863 | IDOR: PERM_EDIT_USERS lets any user mute another user's notifications (incomplete fix of CVE-2025-48472) |
| CVE-2026-41904 | q3fh-rj9h-jfrc | High (7.6) | CWE-79 | Stored XSS in mailbox auto-reply — payload reaches every customer's email client |
| CVE-2026-41905 | 22wf-848c-c856 | High (7.7) | CWE-918 | SSRF via Helper::sanitizeRemoteUrl — redirect destination is not re-validated |
See freescout/README.md for a project-level summary.
Weblate, a Python / Django continuous-localisation platform. Patched in 5.17.1.
| CVE | GHSA | Severity (CVSS) | Class | Title |
|---|---|---|---|---|
| CVE-2026-41519 | 6j8j-4qp3-36p2 | Moderate (4.2) | CWE-613 | API token (wlu_…) survives password change — stolen-token persistence after incident response |
See weblate/README.md for a project-level summary.
wger, a Python / Django self-hosted fitness/workout tracker. Patch on main (e1d329f); 2.6 release pending.
| CVE | GHSA | Severity (CVSS) | Class | Title |
|---|---|---|---|---|
| CVE-2026-43948 | mhc8-p3jx-84mm | Critical (9.9) | CWE-863 | Cross-tenant password reset + plaintext disclosure via gym=None comparison bypass |
See wger/README.md for a project-level summary. A sibling advisory in the same comparison-bug cluster is currently embargoed and will be added on publication.
Most findings in this repository are surfaced by web-vuln-agent, an automated multi-phase agent (recon → static analysis → variant analysis → Docker-validated PoC). Every finding is then manually triaged, reproduced end-to-end, and reduced to the smallest demonstrative PoC before disclosure.
- Vendor first, public second. Reports go to the maintainer privately (GHSA Draft, security@, or equivalent).
- 90-day default embargo, extended on request when a fix is in flight.
- Public write-up is published after the patched release ships and the GHSA is published.
- GitHub: @whatisproblem
- For new reports concerning my research: open a private security advisory on the relevant upstream repository, not this one.
Write-ups are published under CC BY 4.0. Code snippets reproduced from upstream projects retain their original license.