ILTOSEC
security researcher
Ali İltizar
offensive security engineer & security researcher
CRTO · OSCP+ · OSWE · TSE · eWPTXv2
recent posts
RCE · Vulnerability Research · CMS
CVE-2026-53767 & CVE-2026-53768: Authenticated RCE via Chained Upload Path Bypass in Chyrp Lite
Technical breakdown of CVE-2026-53767 and CVE-2026-53768: a chained RCE in Chyrp Lite ≤ 2026.01 via uploads_path blocklist bypass and missing file extension validation. Full PoC included.
2026-06-11
RCE · File Upload Bypass · Command Injection · Misconfiguration
Unauthenticated RCE in CKFinder via Null Byte Injection Vulnerability
A real-world pre-auth RCE chain: exposed CKFinder with no authentication, null byte filter bypass to upload a .cfm webshell, and OS command execution via ColdFusion cfexecute. Full PoC walkthrough.
2026-06-07
Cloud · AWS
From Presigned URL to Data Exposure: Exploiting a Misconfigured MinIO Instance
How an unauthenticated presigned URL endpoint and a public MinIO bucket misconfiguration exposed over 3GB of corporate internal documents during an authorized red team engagement.
2026-05-31
CVE · Vulnerability Research
CVE-2026-48493: Privilege Escalation via Permission Bypass in Snipe-IT
Technical breakdown of CVE-2026-48493: Users with users.edit permission escalate to near-full system access via PreserveUnauthorizedPrivilegedPermissionsAction bypass. Detailed PoC and impact analysis.
2026-05-28
recent cves
CVE-2026-53767: Missing File Extension Validation in `admin_update_upload()`
The admin_update_upload() handler overwrites an existing file with newly uploaded content without validating the upload…
CVE-2026-53768: Incomplete Directory Blocklist in uploads_path Validation Allows Access to Sensitive Application Files
An authenticated administrator can set the uploads_path setting to a sensitive application directory (e.g. tools/) beca…
CVE-2026-48493: Snipe-IT < 8.5.1 -- Privilege Escalation via Insufficient Permission Validation in User Update API
Snipe-IT's user update API endpoint (PATCH /api/v1/users/{id}) does not sufficiently validate the permissions payload s…
CVE-2026-48492: Snipe-IT < 8.5.1 -- User Account Enumeration via Unauthenticated selectlist Endpoint
The GET /api/v1/users/selectlist endpoint is missing the view.selectlists authorization check present in all other sele…
CVE-2024-11406 - Stored XSS Vulnerability in Django CMS 3.0.0 (Attributes Fields)
The vulnerability resides in the Django CMS admin panel under the Page Editing interface, specifically when utilizing t…