Skip to content
View Pig-Tail's full-sized avatar

Block or report Pig-Tail

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
Pig-Tail/README.md

Jorge González Milla

Pig-Tail · Offensive Security Engineer · Vulnerability Researcher · Red Teamer


whoami

Offensive security engineer and vulnerability researcher. I audit widely-used open-source and commercial software for credible, exploitation-defensible bugs and drive them through coordinated disclosure — attack-surface mapping → taint tracking → a working PoC → a defensible CVSS write-up. Comfortable across web/API stacks, C/C++ memory safety, Go/Rust/PHP/Python, and red-team tooling.

  • 🔭 Classes I hunt: RCE & command/arg injection · auth/authz bypass, IDOR & tenant escape · SSRF · path traversal / zip-slip · unsafe deserialization · memory corruption · race/TOCTOU.
  • 🧪 How I verify: local instance + benign PoC (sentinel / timing oracle), then an adversarial re-read to kill false positives. No theoretical reports.
  • 🛡️ Background: red-team infrastructure & malware-dev tradecraft (see certifications).

🎯 Assigned CVEs (23)

CVE Project Vulnerability GitHub
CVE-2026-14620 webpack-dev-server webpack-dev-server vulnerable to cross-site request forgery via internal advisory
CVE-2026-40936 glpi-agent ToolBox plugin can allow unauthenticated path traversal leading to arbit
CVE-2026-42187 glpi-agent Proxy plugin can allow arbitrary file write if local_store is enabled
CVE-2026-45621 glpi-agent MongoDB inventory module allows JavaScript injection via unescaped login
CVE-2026-46615 glpi-agent Database inventory modules execute OS commands with unsanitized database
CVE-2026-48728 glpi-inventory-plugin Job enumeration and status manipulation on Deploy, Collect, and ESX agen
CVE-2026-48730 glpi-inventory-plugin Reflected XSS
CVE-2026-49285 glpi-agent OS Command Injection in GLPI Agent ToolBox Results export via unsanitize
CVE-2026-52764 glpi-agent MSSQL inventory module executes OS commands with unsanitized database na
CVE-2026-52765 glpi-agent Oracle and DB2 inventory modules allow SQL injection in GLPI server-supp
CVE-2026-52768 glpi-agent Deploy task Path Traversal in Tools::Archive
CVE-2026-53626 glpi Arbitrary document read
CVE-2026-54697 cbssh Excessive allocation and integer overflow in DER private-key parsing advisory
CVE-2026-54764 traefik ForwardAuth middleware leaks X-Forwarded-Port spoofing via untrusted X-F advisory
CVE-2026-55422 conda-forge Stored DOM XSS on conda-forge.org via unsanitized dangerouslySetInnerHTM advisory
CVE-2026-55780 NanaZip Uncaught exception / unbounded allocation in NanaZip .NET single-file Ex advisory
CVE-2026-55781 NanaZip Unbounded memory allocation (DoS) in NanaZip UFS parser via unvalidated advisory
CVE-2026-55782 NanaZip Unbounded memory allocation (DoS) in NanaZip WebAssembly parser via atta advisory
CVE-2026-55783 NanaZip NULL pointer dereference in Extract() of all seven NanaZip custom archiv advisory
CVE-2026-57562 readest Subscription/entitlement hijack: /api/stripe/check binds any paid Checko
CVE-2026-57565 readest Cross-tenant object write via unsanitized fileName in /api/storage/uploa
CVE-2026-57566 readest Unauthenticated SSRF / open request proxy in /api/opds/proxy
CVE-2026-57567 readest Unscoped Tauri IPC download_file/upload_file allow arbitrary local file

CVE records are public at cve.org; some GitHub advisories are resolved privately (no public advisory page).


🐛 Published GitHub advisories (no CVE assigned) (14)

Project Vulnerability CWE Advisory
nebula-mesh Certificate revocation is never enforced at the mesh: nebula-agent drops the pol CWE-299/CWE-672 GHSA-cm26-5974-52h8
nodemailer Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling a CWE-73/CWE-918 GHSA-p6gq-j5cr-w38f
shopper Missing authorization on product variant DeleteAction/DeleteBulkAction in Form\V CWE-285/CWE-862 GHSA-93v2-gcw2-vfwc
horilla-hr Server-Side Template Injection (SSTI) in Mail Preview Endpoints Allows Authentic CWE-94/CWE-200 GHSA-9p83-4w63-7c24
monitoring-plugins fetch() forwards credential headers across a cross-origin redirect CWE-200/CWE-918 GHSA-4jc5-g844-4x33
monitoring-plugins SSRF and auth-token disclosure via unvalidated @odata.id link in redfish-* plugi CWE-20/CWE-200/CWE-918 GHSA-96fx-pqc3-28xv
probo Cross-tenant IDOR via unvalidated FK references CWE-639 GHSA-c74x-79w6-63jh
statamic Missing authorization on navigation endpoint allows disclosure of restricted ent CWE-639/CWE-862 GHSA-qh8c-7588-qfrv
surrealdb SSRF via JWKS URL — Redirect Following in JWT Key Fetch CWE-918 GHSA-h5rg-8p7f-47g2
glpi-agent Oracle inventory module uses unvalidated process username in shell su command CWE-78 GHSA-vwv6-85p7-mjvc
glpi-agent Collect task compiles server-controlled regular expression without validation CWE-1333 GHSA-mgcf-xgv7-5w4x
glpi-agent Stored XSS via SNMP community/authprotocol credential fields in ToolBox plugin CWE-79 GHSA-cwg9-jj5m-pq4q
monitoring-plugins Symlink following in logfile legacy database migration CWE-59/CWE-367 GHSA-w2gg-hx6w-24w3
openproject Content Security Policy img-src wildcard enables cross-origin pixel tracking and CWE-200 GHSA-m5p8-h274-f7w8

🔬 Research & vendor disclosures

  • wolfSSL — X.509 DNS name-constraint bypass (CWE-295) · A leaf carrying a registeredID (or iPAddress) SAN sets altNames != NULL, which suppresses the CN-as-DNS name-constraint check in ConfirmNameConstraints() while the CN is still used to authenticate the peer — a DNS-name-constrained sub-CA can impersonate arbitrary hosts. Incomplete fix / regression of CVE-2026-6731. Reported with a working PoC; reproduced and fixed by wolfSSL in PR #10837. (CVE pending.)
  • wolfSSL — PKCS7 / DTLS 1.3 hardening · Two PKCS7 non-streaming bounds over-reads (EnvelopedData IV, AuthEnvelopedData authTag) + an unbounded DTLS 1.3 WriteDup ACK-list growth (memory-exhaustion DoS). Fixed & merged in PR #10833.
  • Microsoft Windows — StorSvc RPC EoP · The Storage Service registers its ALPC/RPC interface (44d1520b-…) with a NULL security callback and NULL security descriptor, so any unprivileged local user can invoke all 36 procedures. SvcTriggerStorageCleanup drives StorSvc (SYSTEM) into CreateProcessW("cleanmgr.exe", …) without impersonating the caller → SYSTEM process creation from a standard user (missing authorization, CWE-285). Reported to MSRC — Case 111782 (VULN-180255). (Related tooling: alpc-toolkit.)
  • OpenStreetMap · Reported and fixed several issues in the OSM website, publicly credited by the project: TOTP-cookie handling, CSP rules, and a private-message rate-limit bypass — PR #7045 · #7046 · #7047 · announcement.

🔒 Under coordinated disclosure

139+ further findings reported across 60+ projects are either resolved privately (no public advisory page) or under active coordinated disclosure / vendor embargo — including memory-safety bugs in widely-used engines, unauth secret-disclosure and RCE chains, and supply-chain issues. Details are withheld until each vendor publishes; they surface here automatically on disclosure.


🧰 Tools & research

Repo What it is
alpc-toolkit Rust toolkit for Windows ALPC/RPC attack-surface recon
Mythic-agent-rust Mythic C2 agent implemented in Rust
HuntingFavicoShodan Find phishing sites by favicon hash via Shodan
ReconToolTop · Recond_subdomains Subdomain recon (alive hosts, ports, no API)
Cert 📜 Certifications & training (indexed)
GLPI SNMP-scan PoC 📓 Gist — PoC for unauthenticated SNMP network scanning in GLPI Agent ToolBox (CWE-918)

🎓 Certifications & training (58 total)

Category Certifications & courses (→ PDF)
🔴 Red Team / Offensive MCRTA · CRTS v2 · C3SA · Offensive Phishing Operations · RedInfraCraft · C2 Development · Ekoparty Red Team 101
🧬 Malware Dev / Exploitation Malware Dev Essentials · Malware Dev Intermediate · Adv. Process Injection v2 · OST2 Exp4011 · OST2 Fuzz1001 · OST2 Dbg1011 · OST2 Arch2821 · OffensiveRust · offensiveC# · Windows API Hooking · How To Write A Shellcode · Evil ClickOnce
☁️ Cloud IAM / Access Guardian · AWS AMI Security · Azure Pentest Lab (SANS) · MCBTA · AWS Flow Logs · External Attack Surface (AWS)
🌐 Web / API / Mobile Hacking APIs · Practical Web AppSec & Testing · Mobile App Pentesting · Practical Ethical Hacking · Movement, Pivoting & Persistence
🏭 ICS / OT / IoT / Medical 210W-07 ICS Vulnerabilities · 210W-09 IT & ICS Attack Methods · OT Security · Medical Device Security · IoT Pentesting
🔵 Blue / Purple / DFIR / CTI Purple Teaming Fundamentals · CTI (SANS) · HELK · MITRE ATT&CK · Practical Malware Analysis & Triage
🤖 AI Security Claude Computer Use — Prompt Injection to Shells

→ full indexed set (58 certificates) in Pig-Tail/Cert.


Coordinated disclosure / collaboration → jorge@jmilla.es · @jgonzalezmilla

Popular repositories Loading

  1. Recond_subdomains Recond_subdomains Public

    Recon subdomains without API , Take Ports and Alive subdomains.

    Shell

  2. Cert Cert Public

  3. minimal-backdoor minimal-backdoor Public

    A simple C code shellcode

    C

  4. notoryesshell notoryesshell Public

    Forked from t3l3machus/hoaxshell

    An unconventional Windows reverse shell, currently undetected by Microsoft Defender and various other AV solutions, solely based on http(s) traffic.

    Python

  5. deployautomatictoolsopsec deployautomatictoolsopsec Public

    Script to deploy automatic some tools and opsec

    Shell

  6. MalDevSamples MalDevSamples Public

    C++