Skip to content

Added a few bugs/expoits of my own#4

Open
Unrealisedd wants to merge 73 commits into
bikini:mainfrom
Unrealisedd:main
Open

Added a few bugs/expoits of my own#4
Unrealisedd wants to merge 73 commits into
bikini:mainfrom
Unrealisedd:main

Conversation

@Unrealisedd

Copy link
Copy Markdown

I've added a few writeups that I'd been sitting on. I previously tried reporting them, but they were ignored, so I thought they might be a good fit for this repository instead. I really like the work you've been doing here, and I figured these could be a useful addition to the collection :).

bikini and others added 30 commits June 26, 2026 12:11
Document multiple high-severity vulnerabilities in Discord Desktop that allow remote code execution and other security risks through various attack vectors.
Updated the title formatting for the Wazuh stack buffer overflow documentation.
Documented a vulnerability in Nextcloud's SSRF protection that allows bypass via IPv4-compatible and NAT64 IPv6 addresses. Provided a detailed proof of concept and attack scenario demonstrating the exploit.
Documented the authenticated SSRF vulnerability via OAuth2 Dynamic Client Registration in n8n, detailing the impact, affected versions, and proof of concept.
Document vulnerabilities in Fluent Bit's collectd parser, including an infinite loop DoS and an out-of-bounds heap read triggered by a zero-length part.
Unrealisedd and others added 11 commits July 2, 2026 16:18
Woodpecker CI: pipeline RCE via carriage return (\r) bypass of
newline sanitization in EnvVarSubst(). YAML parser treats \r as
line break, attacker injects pipeline steps via commit message.

RetroArch libchdr: integer overflow in map allocation
(sizeof(map_entry) * totalhunks) on 32-bit platforms. Crafted
CHD file causes undersized malloc followed by massive OOB write.
…jection

Discovered newline injection in UserSid field → log content injection → batch
file command execution chain. UserSid is embedded in registry key paths logged
by RegistryConfiguration.TrySet. Embedded newlines create standalone command
lines in .bat files written via the ServiceLogFilePath primitive. Combined with
GP startup scripts + gpupdate trigger = full standard-user-to-SYSTEM LPE.

Batch injection confirmed locally. CVSS 7.8 → 8.8.
Remove Attribution section, restore bikini's first-person voice,
rename 'My Additions' to 'Contributed Research (by Unrealisedd)',
and 'Original Contents (by bikini)' back to 'Contents'.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants