iltosec
# profile

Offensive Security Engineer specializing in Web, Mobile, and API security, with a focus on Red Team operations and local network assessments.

I integrate a sophisticated attacker's perspective, honed through my experience as a CTI Analyst at SOCRadar, into professional offensive engagements and adversary simulations.

Holding industry-leading certifications including OSCP+, OSWE, CRTO, eWPTXv2 and TSE, I actively contribute to the security community through vulnerability research and published CVEs. I am dedicated to uncovering security flaws and staying at the forefront of emerging exploit techniques to enhance defensive resilience.

# experience
Offensive Security Engineer
LoreSecurity
Jul 2025 — Present
Performed web, API, mobile & network pentests; AD and cloud (AWS/Azure) assessments.
Conducted full-scope red team ops including phishing campaigns and adversary simulations.
Delivered technical and executive-level reports with remediation recommendations.
Red Team Member
Synack Red Team
Feb 2025 — Present
Penetration Tester
LoreSecurity
Jan 2024 — Jul 2025
Executed black/grey-box web & API pentests; automated recon/exploitation with Python & Burp Suite.
Collaborated with development teams to validate patches and retest fixed vulnerabilities.
Cyber Threat Intelligence Analyst
SOCRadar® Cyber Intelligence Inc.
Oct 2022 — Dec 2023
Monitored dark web forums, leak sites and underground markets for threat actor activity.
Tracked TTPs (MITRE ATT&CK), performed OSINT investigations and produced client intelligence reports.
Cyber Threat Intelligence Intern
SOCRadar® Cyber Intelligence Inc.
Jul 2022 — Sep 2022
Learned dark web OSINT methodologies and threat actor profiling techniques.
Cyber Security Specialist Intern
İsteCenter
Jul 2022 — Sep 2022
Supported the development team in building a DLP (Data Loss Prevention) web application using Django, contributing to back-end logic and security controls.
Collaborated with teammates on security feature implementation and vulnerability testing of the internal platform.
# vulnerability research
11 CVEs disclosed
CVE-2026-53767: Missing File Extension Validation in `admin_update_upload()` Critical / 9.1
The admin_update_upload() handler overwrites an existing file with newly uploaded content without validating the uploaded file's type or extension against the upload whitelist. The upload_tester() helper only checks the PHP upload error code and the file size — it does not enforce an extension allowlist. Additionally, files in the current uploads_path directory can be listed and downloaded via the admin panel, exposing application internals when the path is redirected to a sensitive directory.
2026-06-11
CVE-2026-53768: Incomplete Directory Blocklist in uploads_path Validation Allows Access to Sensitive Application Files High / 8.7
An authenticated administrator can set the uploads_path setting to a sensitive application directory (e.g. tools/) because the directory blocklist used to validate the path is incomplete. This allows the application's upload directory to be pointed at directories that contain executable PHP files.
2026-06-11
CVE-2026-54597: Authenticated Time-Based Blind SQL Injection in ITFlow via expires Parameter High / 8.3
The share_generate_link handler inserts the expires GET parameter directly into a MySQL INTERVAL expression without quoting it. sanitizeInput() escapes quote characters via mysqli_real_escape_string(), which is only effective in string contexts. The INTERVAL unit position is a raw SQL expression context where no quoting occurs, so the escape is bypassed entirely. Any authenticated user with module_support write permission can perform time-based blind SQL injection to read any data from the database.
2026-06-06
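The escaping-bypass in the advisory above is easy to misjudge, so here is an added example (not ITFlow's code) modelled in Python: a faithful re-implementation of what mysqli_real_escape_string() changes, a vulnerable query builder that drops the escaped value into an unquoted INTERVAL position, and a hardened builder that parses the value as a bounded integer first. The table and column names, the exact query shape, and the constructed payload are assumptions for illustration.

```python
import re


def mysqli_real_escape_string(value: str) -> str:
    """Python model of PHP's mysqli_real_escape_string(): it backslash-escapes
    NUL, newline, carriage return, backslash, single/double quote and Ctrl-Z.
    Digits, spaces, parentheses and keywords pass through untouched, so the
    function only protects values that land inside a quoted string literal."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_expiry_sql_vulnerable(expires: str) -> str:
    """Vulnerable pattern: the escaped value is placed in a raw INTERVAL
    expression with no surrounding quotes (hypothetical table/column names)."""
    return ("UPDATE shared_items SET expires_at = NOW() + INTERVAL "
            f"{mysqli_real_escape_string(expires)} DAY WHERE id = 1")


def build_expiry_sql_safe(expires: str, max_days: int = 365) -> str:
    """Hardened version: the value must be a small positive integer before it
    reaches the unquoted position, so no expression can be smuggled in. A
    prepared statement with an integer bind parameter is the equivalent fix."""
    if not re.fullmatch(r"\d{1,4}", expires):
        raise ValueError("expires must be a small positive integer")
    days = int(expires)
    if not 1 <= days <= max_days:
        raise ValueError("expires out of range")
    return (f"UPDATE shared_items SET expires_at = NOW() + INTERVAL {days} DAY "
            "WHERE id = 1")


def safe_rejects(expires: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_expiry_sql_safe(expires)
    except ValueError:
        return True
    return False


# Constructed time-based blind payload (hypothetical users/password schema).
# It contains no quote characters, so escaping returns it byte-for-byte;
# CHAR(36) stands in for the '$' that would otherwise need quoting.
PAYLOAD = ("IF((SELECT SUBSTR(password,1,1) FROM users WHERE id=1)=CHAR(36),"
           "SLEEP(5),1)")

if __name__ == "__main__":
    print(build_expiry_sql_vulnerable(PAYLOAD))   # SLEEP(5) survives intact
    print(safe_rejects(PAYLOAD))                  # True
```

The point the test makes: escaping is a property of string-literal contexts. A value that ends up in a numeric, identifier or expression position needs type coercion or an allowlist, not quote escaping.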
CVE-2026-54596: Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration High / 8.1
An SQL injection vulnerability in ITFlow's recurring invoice creation endpoint allows any authenticated user with the Technician role to exfiltrate arbitrary data from the database. A Technician who has access to at least one client invoice can extract admin password hashes, SMTP credentials, and all user account data in a single HTTP request, without any admin interaction.
2026-06-06
CVE-2026-48493: Privilege Escalation via Insufficient Permission Validation in User Update API - Snipe-IT Medium / 5.5
Snipe-IT's user update API endpoint (PATCH /api/v1/users/{id}) does not sufficiently validate the permissions payload submitted by authenticated users. The PreserveUnauthorizedPrivilegedPermissionsAction class only strips superuser and admin flags from incoming requests; all other module-level permissions (e.g., assets.delete, licenses.keys, users.delete) pass through without any restriction or ownership ceiling validation. This allows an authenticated attacker with limited privileges (such as users.edit) to escalate their privileges vertically and perform unauthorized actions across the system.
2026-05-28
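The missing control in the Snipe-IT finding above is a permission ceiling: a user may only grant what they themselves hold. The following is an added example in Python, not Snipe-IT's code, using a simplified model of its permissions payload (permission name mapped to "1" for granted, "0" for not granted). It contrasts the strip-only-privileged-flags behaviour the advisory describes with a ceiling check that rejects every grant the acting user does not already have.

```python
PRIVILEGED = {"superuser", "admin"}   # the two flags the original filter removes


def strip_privileged_only(requested: dict) -> dict:
    """Model of the behaviour in the advisory: only superuser/admin are removed,
    every other module-level grant passes through unchanged."""
    return {perm: val for perm, val in requested.items() if perm not in PRIVILEGED}


def apply_permission_ceiling(actor_perms: dict, requested: dict) -> tuple:
    """Return (accepted, rejected).

    A grant ("1") is accepted only if the acting user holds that same permission;
    superuser/admin are always rejected; un-granting ("0") needs no ceiling and
    is passed through. The caller should treat a non-empty rejected list as an
    authorization failure rather than silently saving the accepted subset."""
    accepted, rejected = {}, []
    for perm, value in requested.items():
        if value != "1":
            accepted[perm] = value
            continue
        if perm in PRIVILEGED or actor_perms.get(perm) != "1":
            rejected.append(perm)
        else:
            accepted[perm] = "1"
    return accepted, rejected


# Constructed scenario: an actor holding only users.edit and assets.view tries
# to give a target account delete and license-key rights plus the admin flag.
ACTOR_PERMS = {"users.edit": "1", "assets.view": "1"}
REQUESTED = {
    "assets.view": "1",
    "assets.delete": "1",
    "licenses.keys": "1",
    "users.delete": "1",
    "admin": "1",
    "users.edit": "0",
}

if __name__ == "__main__":
    print(strip_privileged_only(REQUESTED))            # escalation survives
    print(apply_permission_ceiling(ACTOR_PERMS, REQUESTED))
```

Returning the rejected set, rather than quietly dropping it, matters for detection: a request that asks for permissions the caller lacks is itself a signal worth logging.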
CVE-2026-48492: User Account Enumeration via Unauthenticated selectlist Endpoint - Snipe-IT Low / 3.3
The GET /api/v1/users/selectlist endpoint is missing the view.selectlists authorization check present in all other selectlist controllers. Any authenticated user with zero permissions can enumerate all user accounts, harvest usernames, full names, employee numbers, and perform indirect email enumeration via the search parameter.
2026-05-21
CVE-2026-55476: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter - Snipe-IT Medium / 6.5
The route POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a plain URL path segment with no authorization check. Any authenticated user regardless of permissions can set this parameter to a truthy value and supply a victim's user ID to silently cancel that user's pending asset requests. The attacker only needs an active session; no elevated privilege is required.
2026-05-21
CVE-2026-55464: Stored XSS via Markdown custom field - Snipe-IT Medium / 6.4
CommonMark is configured with html_input => 'escape', which blocks raw HTML injection. However, javascript: URIs in Markdown hyperlinks are not sanitized. A user with assets.edit permission can inject a malicious link into any markdown-textarea custom field. Any user who opens the asset detail page and clicks the link executes arbitrary JavaScript in their browser session.
2026-05-21
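Escaping raw HTML does nothing for a Markdown link whose destination is a javascript: URI, because the renderer itself emits the href. The block below is an added Python example, not Snipe-IT's code or its CommonMark configuration: a destination check that decodes entities and strips control characters before inspecting the scheme (browsers ignore those when parsing a URL, so "java\tscript:" and "&#106;avascript:" both become javascript: once rendered), plus a pre-render pass that neutralizes unsafe inline links. The inline-link regex is simplified and does not handle reference-style links.

```python
import html
import re

SAFE_SCHEMES = {"http", "https", "mailto"}

# Simplified CommonMark inline link: [text](dest) with one level of balanced
# parentheses in dest, enough for javascript:alert(1)-style destinations.
_MD_LINK = re.compile(r"\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)")


def is_safe_link_destination(dest: str) -> bool:
    """Allow relative URLs and fragments, and absolute URLs whose scheme is on
    the allowlist. Entities are decoded and ASCII control/whitespace removed
    first so that obfuscated javascript: URIs are judged in their rendered form."""
    decoded = html.unescape(dest)
    decoded = re.sub(r"[\x00-\x20\x7f]", "", decoded)
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):", decoded)
    if m is None:
        return True          # no scheme: relative path or #fragment
    return m.group(1).lower() in SAFE_SCHEMES


def neutralize_unsafe_links(markdown: str) -> str:
    """Rewrite every inline link with an unsafe destination to '#' before the
    text is handed to the Markdown renderer."""
    def fix(match):
        text, dest = match.group(1), match.group(2)
        return f"[{text}]({dest if is_safe_link_destination(dest) else '#'})"
    return _MD_LINK.sub(fix, markdown)


# Constructed custom-field value an attacker with assets.edit might store.
SAMPLE = ("Warranty: see [vendor portal](javascript:alert(document.cookie)) "
          "or the [manual](https://example.com/manual.pdf).")

if __name__ == "__main__":
    print(neutralize_unsafe_links(SAMPLE))
```

With league/commonmark the library-level equivalent is the allow_unsafe_links configuration option set to false, which refuses javascript:, vbscript:, file: and data: destinations; a pre-render pass like the one above is a defence in depth for input that reaches other renderers.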
CVE-2024-11406: Stored XSS Vulnerability in Django CMS 3.0.0 (Attributes Fields) Medium / 6.9
The vulnerability resides in the Django CMS admin panel under the Page Editing interface, specifically when utilizing the "Add plugin to placeholder 'Page Content'" feature. Malicious payloads can be injected into the "Attributes" field of plugins like "card" or "badge," leading to Stored XSS attacks.
2024-11-20
CVE-2024-11404: File Upload Bypass Vulnerability in Django Filer 3.2.3 Medium / 5.5
The vulnerabilities were identified in django-filer 3.2.3, a file management application commonly used with django CMS. These issues allow attackers to bypass upload restrictions for HTML and SVG files, potentially uploading malicious files containing scripts that execute on the client side.
2024-11-20
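Both the admin_update_upload() finding (CVE-2026-53767, which checks only the PHP upload error code and file size) and the django-filer finding above come down to the same missing control: an allowlist on what an uploaded file may be, enforced on the final extension and on the bytes. This is an added Python example of such a validator, not the code of either project; the allowed types, magic numbers and size limit are assumptions chosen for illustration.

```python
import os

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
# Extensions that render or execute in a browser or on the server; never
# accepted, even when they appear in the middle of a name (shell.php.png).
ACTIVE_CONTENT = {"html", "htm", "xhtml", "svg", "xml", "js", "php", "phtml", "phar"}

# Leading bytes the allowed binary types must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def validate_upload(filename: str, content: bytes, max_bytes: int = 5_000_000) -> tuple:
    """Return (ok, reason). Order of checks: size, a real final extension on the
    allowlist, no active-content extension anywhere in the name, and content
    whose leading bytes match the claimed type."""
    if len(content) == 0 or len(content) > max_bytes:
        return False, "bad size"
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"          # also rejects .htaccess-style names
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowlisted"
    if any(p in ACTIVE_CONTENT for p in parts[1:-1]):
        return False, "active-content extension in name"
    magic = MAGIC.get(ext)
    if magic is not None and not content.startswith(magic):
        return False, "content does not match extension"
    return True, "ok"


# Constructed sample uploads.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_BYTES = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'

if __name__ == "__main__":
    for name, data in [("logo.png", PNG_BYTES), ("logo.svg", SVG_BYTES),
                       ("shell.php.png", PNG_BYTES), ("page.png", b"<html>")]:
        print(name, validate_upload(name, data))
```

Serving the stored files with Content-Disposition: attachment and X-Content-Type-Options: nosniff closes the remaining client-side angle for the types that are allowed, and the allowlist should be the only check that decides the stored extension, never the name the client sent.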
CVE-2024-11319: Stored XSS Vulnerability in Django CMS 4.1.3 Medium / 4.8
Django CMS version 4.1.3 is affected by a stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject arbitrary JavaScript code that is executed in the context of the web application, potentially compromising the safety of all users visiting the affected page.
2024-11-18
# education
Akdeniz University
Management Information Systems
2019 — 2023