ILTOSEC

security research

iltosec

writeups & research

Blog

17 posts

categories

all Rce Xss CVE Ransomware File Upload Bypass Host Header Injection Authentication Bypass SSTI Command Injection Vulnerability Research Cloud AWS Injection

tags

Rce CMS CVE Ransomware File Upload Bypass snipe-it idor authorization-bypass privilege-escalation information-disclosure enumeration misconfiguration aws-s3 SQLI

Rce·Vulnerability Research · Rce·CMS

CVE-2026-53767 & CVE-2026-53768: Authenticated RCE via Chained Upload Path Bypass in Chyrp Lite

Technical breakdown of CVE-2026-53767 and CVE-2026-53768: a chained RCE in Chyrp Lite ≤ 2026.01 via uploads_path blocklist bypass and missing file extension validation. Full PoC included.

67 0 4 min read

Rce·File Upload Bypass·Command Injection · Rce·misconfiguration·File Upload Bypass

Unauthenticated RCE in CKFinder via Null Byte Injection Vulnerability

A real-world pre-auth RCE chain: exposed CKFinder with no authentication, null byte filter bypass to upload a .cfm webshell, and OS command execution via ColdFusion cfexecute. Full PoC walkthrough.

69 1 5 min read

Vulnerability Research·CVE·Injection

CVE-2026-54597: Authenticated Time-Based Blind SQL Injection in ITFlow

Technical breakdown of an authenticated time-based blind SQL injection in ITFlow (GHSA-m63v-j7fw-hq2h). CVE-2026-54597.The expires parameter in agent/ajax.php bypasses sanitizeInput() entirely in a raw INTERVAL context, enabling full database exfiltration. Detailed PoC and fix analysis.

56 1 7 min read

Vulnerability Research·Injection · enumeration·SQLI

CVE-2026-54596: Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration

Technical breakdown of an authenticated SQL injection in ITFlow (GHSA-f9m3-qjc9-v27j). The recurring_invoice_frequency POST parameter bypasses sanitizeInput() in a DATE_ADD INTERVAL context, enabling full database exfiltration and second-order injection. Detailed PoC and fix analysis.

53 0 7 min read

From Presigned URL to Data Exposure: Exploiting a Misconfigured MinIO Instance

How an unauthenticated presigned URL endpoint and a public MinIO bucket misconfiguration exposed over 8GB of corporate internal documents during an authorized red team engagement.

87 1 6 min read

CVE·Vulnerability Research

CVE-2026-48493: Privilege Escalation via Permission Bypass in Snipe-IT

Technical breakdown of CVE-2026-48493: Users with users.edit permission escalate to near-full system access via PreserveUnauthorizedPrivilegedPermissionsAction bypass. Detailed PoC and impact analysis.

116 2 3 min read

CVE·Vulnerability Research · CVE

CVE-2026-48492: User Account Enumeration via Missing Authorization in Snipe-IT

Technical breakdown of CVE-2026-48492: A missing authorization flaw in Snipe-IT allowing authenticated users to enumerate accounts via the API.

186 4 3 min read

Rce·CVE · Rce

FacturaScripts <= 2026 Authenticated RCE via Malicious Plugin Upload

Detailed vulnerability analysis of an Authenticated Remote Code Execution (RCE) in FacturaScripts (<= 2026). Explore the PoC via malicious plugin upload and learn about server hardening mitigations.

258 2 3 min read

Rce·File Upload Bypass·Command Injection · Rce·CMS·File Upload Bypass

EspoCRM v9.3.4 Authenticated Remote Code Execution via Malicious Extension Upload

Explore the technical analysis of the Authenticated Remote Code Execution (RCE) vulnerability in EspoCRM <= v9.3.4. Learn how malicious extension uploads can lead to full OS command execution and find mitigation strategies. Official PoC and exploit details included.

353 1 3 min read

Rce·CVE · Rce·CMS

.NET Deserialization Leading to Remote Code Execution (CVE-2019-18211)

This blog post explains the black-box exploitation of Composite C1 CMS via CVE-2019-18211. The deserialization vulnerability in the EntityTokenSerializer class allows attackers to achieve remote code execution (RCE) on the server. Step-by-step attack and mitigation recommendations are provided.

1272 13 3 min read

1 2 next →