ILTOSEC
Ali İltizar
offensive security engineer & security researcher
CRTO OSCP+ OSWE TSE eWPTXv2
recent posts
RCE · Vulnerability Research · CMS
CVE-2026-53767 & CVE-2026-53768: Authenticated RCE via Chained Upload Path Bypass in Chyrp Lite
Technical breakdown of CVE-2026-53767 and CVE-2026-53768: a chained RCE in Chyrp Lite ≤ 2026.01 via uploads_path blocklist bypass and missing file extension validation. Full PoC included.
2026-06-11
RCE · File Upload Bypass · Command Injection · Misconfiguration
Unauthenticated RCE in CKFinder via Null Byte Injection Vulnerability
A real-world pre-auth RCE chain: exposed CKFinder with no authentication, null byte filter bypass to upload a .cfm webshell, and OS command execution via ColdFusion cfexecute. Full PoC walkthrough.
2026-06-07
CVE · Vulnerability Research · Injection
CVE-2026-54597: Authenticated Time-Based Blind SQL Injection in ITFlow
Technical breakdown of an authenticated time-based blind SQL injection in ITFlow (GHSA-m63v-j7fw-hq2h), CVE-2026-54597. The expires parameter in agent/ajax.php bypasses sanitizeInput() entirely in a raw INTERVAL context, enabling full database exfiltration. Detailed PoC and fix analysis.
2026-06-03
Vulnerability Research · Injection · Enumeration · SQLi
CVE-2026-54596: Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration
Technical breakdown of an authenticated SQL injection in ITFlow (GHSA-f9m3-qjc9-v27j). The recurring_invoice_frequency POST parameter bypasses sanitizeInput() in a DATE_ADD INTERVAL context, enabling full database exfiltration and second-order injection. Detailed PoC and fix analysis.
2026-06-03
Cloud · AWS
From Presigned URL to Data Exposure: Exploiting a Misconfigured MinIO Instance
How an unauthenticated presigned URL endpoint and a public MinIO bucket misconfiguration exposed over 8GB of corporate internal documents during an authorized red team engagement.
2026-05-31
CVE · Vulnerability Research
CVE-2026-48493: Privilege Escalation via Permission Bypass in Snipe-IT
Technical breakdown of CVE-2026-48493: Users with users.edit permission escalate to near-full system access via PreserveUnauthorizedPrivilegedPermissionsAction bypass. Detailed PoC and impact analysis.
2026-05-28
CVE · Vulnerability Research
CVE-2026-48492: User Account Enumeration via Missing Authorization in Snipe-IT
Technical breakdown of CVE-2026-48492: A missing authorization flaw in Snipe-IT allowing authenticated users to enumerate accounts via the API.
2026-05-27
RCE · CVE
FacturaScripts <= 2026 Authenticated RCE via Malicious Plugin Upload
Detailed vulnerability analysis of an Authenticated Remote Code Execution (RCE) in FacturaScripts (<= 2026). Explore the PoC via malicious plugin upload and learn about server hardening mitigations.
2026-05-01
recent cves (9)
CVE-2026-53767: Missing File Extension Validation in `admin_update_upload()`
The admin_update_upload() handler overwrites an existing file with newly uploaded content without validating the upload…
2026-06
CVE-2026-53768: Incomplete Directory Blocklist in uploads_path Validation Allows Access to Sensitive Application Files
An authenticated administrator can set the uploads_path setting to a sensitive application directory (e.g. tools/) beca…
2026-06
CVE-2026-54597: Authenticated Time-Based Blind SQL Injection in ITFlow via expires Parameter
The share_generate_link handler inserts the expires GET parameter directly into a MySQL INTERVAL expression without quo…
2026-06
CVE-2026-54596: Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration
An SQL injection vulnerability in ITFlow's recurring invoice creation endpoint allows any authenticated user with the T…
2026-06
CVE-2026-48493: Snipe-IT < 8.5.1 -- Privilege Escalation via Insufficient Permission Validation in User Update API
Snipe-IT's user update API endpoint (PATCH /api/v1/users/{id}) does not sufficiently validate the permissions payload s…
2026-05