security research
iltosec
ILTOSEC
writeups & research

Blog

RSS
7 posts
/
categories
tags
Rce·Vulnerability Research · Rce
CVE-2026-58409 : Authenticated Remote Code Execution (RCE)
Technical breakdown of an authenticated RCE in ChurchCRM (GHSA-37mf-vq43-5qp9). Insecure extension allowlist in PluginInstaller.php allows .php files to be extracted directly under the web root, enabling full server compromise.
2026-06-19
90 2 4 min read
Rce·Vulnerability Research · Rce·CMS
CVE-2026-53767 & CVE-2026-53768: Authenticated RCE via Chained Upload Path Bypass in Chyrp Lite
Technical breakdown of CVE-2026-53767 and CVE-2026-53768: a chained RCE in Chyrp Lite ≤ 2026.01 via uploads_path blocklist bypass and missing file extension validation. Full PoC included.
2026-06-11
175 0 4 min read
Vulnerability Research·CVE·Injection
CVE-2026-54597: Authenticated Time-Based Blind SQL Injection in ITFlow
Technical breakdown of an authenticated time-based blind SQL injection in ITFlow (GHSA-m63v-j7fw-hq2h). CVE-2026-54597.The expires parameter in agent/ajax.php bypasses sanitizeInput() entirely in a raw INTERVAL context, enabling full database exfiltration. Detailed PoC and fix analysis.
2026-06-03
467 1 7 min read
Vulnerability Research·Injection · enumeration·SQLI
CVE-2026-54596: Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration
Technical breakdown of an authenticated SQL injection in ITFlow (GHSA-f9m3-qjc9-v27j). The recurring_invoice_frequency POST parameter bypasses sanitizeInput() in a DATE_ADD INTERVAL context, enabling full database exfiltration and second-order injection. Detailed PoC and fix analysis.
2026-06-03
173 0 7 min read
CVE·Vulnerability Research
CVE-2026-48493: Privilege Escalation via Permission Bypass in Snipe-IT
Technical breakdown of CVE-2026-48493: Users with users.edit permission escalate to near-full system access via PreserveUnauthorizedPrivilegedPermissionsAction bypass. Detailed PoC and impact analysis.
2026-05-28
176 2 3 min read
Vulnerability Research·CVE · enumeration·CVE
CVE-2026-55476: Snipe-IT Unauthorized Asset Request Cancellation via cancel_by_admin IDOR
Technical writeup of CVE-2026-55476 in Snipe-IT <= v8.5.0. Any authenticated user can cancel other users asset requests via a missing authorization check on the cancel_by_admin URL parameter.
2026-05-28
99 3 3 min read
CVE·Vulnerability Research · CVE
CVE-2026-48492: User Account Enumeration via Missing Authorization in Snipe-IT
Technical breakdown of CVE-2026-48492: A missing authorization flaw in Snipe-IT allowing authenticated users to enumerate accounts via the API.
2026-05-27
824 4 3 min read