Pig-Tail · Offensive Security Engineer · Vulnerability Researcher · Red Teamer
Offensive security engineer and vulnerability researcher. I audit widely-used open-source and commercial software for credible, exploitation-defensible bugs and drive them through coordinated disclosure — attack-surface mapping → taint tracking → a working PoC → a defensible CVSS write-up. Comfortable across web/API stacks, C/C++ memory safety, Go/Rust/PHP/Python, and red-team tooling.
- 🔭 Classes I hunt: RCE & command/arg injection · auth/authz bypass, IDOR & tenant escape · SSRF · path traversal / zip-slip · unsafe deserialization · memory corruption · race/TOCTOU.
- 🧪 How I verify: local instance + benign PoC (sentinel / timing oracle), then an adversarial re-read to kill false positives. No theoretical reports.
- 🛡️ Background: red-team infrastructure & malware-dev tradecraft (see certifications).
| CVE | Project | Vulnerability | GitHub |
|---|---|---|---|
| CVE-2026-14620 | webpack-dev-server |
webpack-dev-server vulnerable to cross-site request forgery via internal | advisory |
| CVE-2026-40936 | glpi-agent |
ToolBox plugin can allow unauthenticated path traversal leading to arbit | — |
| CVE-2026-42187 | glpi-agent |
Proxy plugin can allow arbitrary file write if local_store is enabled |
— |
| CVE-2026-45621 | glpi-agent |
MongoDB inventory module allows JavaScript injection via unescaped login | — |
| CVE-2026-46615 | glpi-agent |
Database inventory modules execute OS commands with unsanitized database | — |
| CVE-2026-48728 | glpi-inventory-plugin |
Job enumeration and status manipulation on Deploy, Collect, and ESX agen | — |
| CVE-2026-48730 | glpi-inventory-plugin |
Reflected XSS | — |
| CVE-2026-49285 | glpi-agent |
OS Command Injection in GLPI Agent ToolBox Results export via unsanitize | — |
| CVE-2026-52764 | glpi-agent |
MSSQL inventory module executes OS commands with unsanitized database na | — |
| CVE-2026-52765 | glpi-agent |
Oracle and DB2 inventory modules allow SQL injection in GLPI server-supp | — |
| CVE-2026-52768 | glpi-agent |
Deploy task Path Traversal in Tools::Archive | — |
| CVE-2026-53626 | glpi |
Arbitrary document read | — |
| CVE-2026-54697 | cbssh |
Excessive allocation and integer overflow in DER private-key parsing | advisory |
| CVE-2026-54764 | traefik |
ForwardAuth middleware leaks X-Forwarded-Port spoofing via untrusted X-F | advisory |
| CVE-2026-55422 | conda-forge |
Stored DOM XSS on conda-forge.org via unsanitized dangerouslySetInnerHTM | advisory |
| CVE-2026-55780 | NanaZip |
Uncaught exception / unbounded allocation in NanaZip .NET single-file Ex | advisory |
| CVE-2026-55781 | NanaZip |
Unbounded memory allocation (DoS) in NanaZip UFS parser via unvalidated | advisory |
| CVE-2026-55782 | NanaZip |
Unbounded memory allocation (DoS) in NanaZip WebAssembly parser via atta | advisory |
| CVE-2026-55783 | NanaZip |
NULL pointer dereference in Extract() of all seven NanaZip custom archiv | advisory |
| CVE-2026-57562 | readest |
Subscription/entitlement hijack: /api/stripe/check binds any paid Checko | — |
| CVE-2026-57565 | readest |
Cross-tenant object write via unsanitized fileName in /api/storage/uploa | — |
| CVE-2026-57566 | readest |
Unauthenticated SSRF / open request proxy in /api/opds/proxy | — |
| CVE-2026-57567 | readest |
Unscoped Tauri IPC download_file/upload_file allow arbitrary local file | — |
CVE records are public at cve.org; some GitHub advisories are resolved privately (no public advisory page).
| Project | Vulnerability | CWE | Advisory |
|---|---|---|---|
nebula-mesh |
Certificate revocation is never enforced at the mesh: nebula-agent drops the pol | CWE-299/CWE-672 | GHSA-cm26-5974-52h8 |
nodemailer |
Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling a | CWE-73/CWE-918 | GHSA-p6gq-j5cr-w38f |
shopper |
Missing authorization on product variant DeleteAction/DeleteBulkAction in Form\V | CWE-285/CWE-862 | GHSA-93v2-gcw2-vfwc |
horilla-hr |
Server-Side Template Injection (SSTI) in Mail Preview Endpoints Allows Authentic | CWE-94/CWE-200 | GHSA-9p83-4w63-7c24 |
monitoring-plugins |
fetch() forwards credential headers across a cross-origin redirect | CWE-200/CWE-918 | GHSA-4jc5-g844-4x33 |
monitoring-plugins |
SSRF and auth-token disclosure via unvalidated @odata.id link in redfish-* plugi | CWE-20/CWE-200/CWE-918 | GHSA-96fx-pqc3-28xv |
probo |
Cross-tenant IDOR via unvalidated FK references | CWE-639 | GHSA-c74x-79w6-63jh |
statamic |
Missing authorization on navigation endpoint allows disclosure of restricted ent | CWE-639/CWE-862 | GHSA-qh8c-7588-qfrv |
surrealdb |
SSRF via JWKS URL — Redirect Following in JWT Key Fetch | CWE-918 | GHSA-h5rg-8p7f-47g2 |
glpi-agent |
Oracle inventory module uses unvalidated process username in shell su command | CWE-78 | GHSA-vwv6-85p7-mjvc |
glpi-agent |
Collect task compiles server-controlled regular expression without validation | CWE-1333 | GHSA-mgcf-xgv7-5w4x |
glpi-agent |
Stored XSS via SNMP community/authprotocol credential fields in ToolBox plugin | CWE-79 | GHSA-cwg9-jj5m-pq4q |
monitoring-plugins |
Symlink following in logfile legacy database migration | CWE-59/CWE-367 | GHSA-w2gg-hx6w-24w3 |
openproject |
Content Security Policy img-src wildcard enables cross-origin pixel tracking and | CWE-200 | GHSA-m5p8-h274-f7w8 |
- wolfSSL — X.509 DNS name-constraint bypass (CWE-295) · A leaf carrying a
registeredID(oriPAddress) SAN setsaltNames != NULL, which suppresses the CN-as-DNS name-constraint check inConfirmNameConstraints()while the CN is still used to authenticate the peer — a DNS-name-constrained sub-CA can impersonate arbitrary hosts. Incomplete fix / regression of CVE-2026-6731. Reported with a working PoC; reproduced and fixed by wolfSSL in PR #10837. (CVE pending.) - wolfSSL — PKCS7 / DTLS 1.3 hardening · Two PKCS7 non-streaming bounds over-reads (EnvelopedData IV, AuthEnvelopedData authTag) + an unbounded DTLS 1.3
WriteDupACK-list growth (memory-exhaustion DoS). Fixed & merged in PR #10833. - Microsoft Windows — StorSvc RPC EoP · The Storage Service registers its ALPC/RPC interface (
44d1520b-…) with a NULL security callback and NULL security descriptor, so any unprivileged local user can invoke all 36 procedures.SvcTriggerStorageCleanupdrivesStorSvc(SYSTEM) intoCreateProcessW("cleanmgr.exe", …)without impersonating the caller → SYSTEM process creation from a standard user (missing authorization, CWE-285). Reported to MSRC — Case 111782 (VULN-180255). (Related tooling: alpc-toolkit.) - OpenStreetMap · Reported and fixed several issues in the OSM website, publicly credited by the project: TOTP-cookie handling, CSP rules, and a private-message rate-limit bypass — PR #7045 · #7046 · #7047 · announcement.
139+ further findings reported across 60+ projects are either resolved privately (no public advisory page) or under active coordinated disclosure / vendor embargo — including memory-safety bugs in widely-used engines, unauth secret-disclosure and RCE chains, and supply-chain issues. Details are withheld until each vendor publishes; they surface here automatically on disclosure.
| Repo | What it is |
|---|---|
| alpc-toolkit | Rust toolkit for Windows ALPC/RPC attack-surface recon |
| Mythic-agent-rust | Mythic C2 agent implemented in Rust |
| HuntingFavicoShodan | Find phishing sites by favicon hash via Shodan |
| ReconToolTop · Recond_subdomains | Subdomain recon (alive hosts, ports, no API) |
| Cert | 📜 Certifications & training (indexed) |
| GLPI SNMP-scan PoC | 📓 Gist — PoC for unauthenticated SNMP network scanning in GLPI Agent ToolBox (CWE-918) |
→ full indexed set (58 certificates) in Pig-Tail/Cert.
Coordinated disclosure / collaboration → jorge@jmilla.es · @jgonzalezmilla