Added a few bugs/exploits of my own #4

Open
Unrealisedd wants to merge 56 commits into bikini:main from Unrealisedd:main


Conversation

@Unrealisedd

I've added a few writeups that I'd been sitting on. I previously tried reporting them, but they were ignored, so I thought they might be a good fit for this repository instead. I really like the work you've been doing here, and I figured these could be a useful addition to the collection :).

bikini and others added 30 commits June 26, 2026 12:11
Document multiple high-severity vulnerabilities in Discord Desktop that allow remote code execution and other security risks through various attack vectors.
Updated the title formatting for the Wazuh stack buffer overflow documentation.
Documented a vulnerability in Nextcloud's SSRF protection that allows bypass via IPv4-compatible and NAT64 IPv6 addresses. Provided a detailed proof of concept and attack scenario demonstrating the exploit.
Documented the authenticated SSRF vulnerability via OAuth2 Dynamic Client Registration in n8n, detailing the impact, affected versions, and proof of concept.
Document vulnerabilities in Fluent Bit's collectd parser, including an infinite loop DoS and an out-of-bounds heap read triggered by a zero-length part.
Added detailed information on kernel vulnerabilities in ovpn-dco-win, including use-after-free, and information disclosure issues. Suggested fixes for each vulnerability are also included.
Simplified PoC that races KeyLen=33 IOCTL_NEW_KEY against WSK RX
to trigger use-after-free on freed BCRYPT_KEY_HANDLE. Reliable BSOD.
…EM32

SvcRebootToFlashingMode has no access check on desktop SKUs.
Any std user triggers SYSTEM to load SprintCSP.dll from writable machine PATH.
…efender freeze)

NULL deref via IOCTL 0x226014, confused deputy adds any process to DAM
job objects via 0x22A01C, freeze control via 0x22A008. All from non-admin.
Unrealisedd and others added 6 commits July 2, 2026 16:18
Woodpecker CI: pipeline RCE via carriage return (\r) bypass of
newline sanitization in EnvVarSubst(). YAML parser treats \r as
line break, attacker injects pipeline steps via commit message.

RetroArch libchdr: integer overflow in map allocation
(sizeof(map_entry) * totalhunks) on 32-bit platforms. Crafted
CHD file causes undersized malloc followed by massive OOB write.
…jection

Discovered newline injection in UserSid field → log content injection → batch
file command execution chain. UserSid is embedded in registry key paths logged
by RegistryConfiguration.TrySet. Embedded newlines create standalone command
lines in .bat files written via the ServiceLogFilePath primitive. Combined with
GP startup scripts + gpupdate trigger = full standard-user-to-SYSTEM LPE.

Batch injection confirmed locally. CVSS 7.8 → 8.8.
Remove Attribution section, restore bikini's first-person voice,
rename 'My Additions' to 'Contributed Research (by Unrealisedd)',
and 'Original Contents (by bikini)' back to 'Contents'.