CVE-2025-67906: Stored XSS in MISP Workflow Engine. Unsanitized name field rendered via doT.js — payload executes in the browser of any user viewing the workflow, including admins. Enables privilege escalation and threat intelligence exfiltration.
CVSS 9.0 Critical · Patched
Critical 0-Days / GovTech & Enterprise SaaS: Blind SQLi + Zero-Click Stored XSS. Unauthenticated DB exfiltration (PII, admin creds, live MFA tokens) + super-admin session takeover without user interaction.
Critical · NDA
Critical 0-Day / Fortune 500 Payment Infrastructure: Cryptographic failure + business logic flaw. Transaction integrity bypass across the entire global payment network.
Critical · NDA
Xelians / Government Archives: Multiple chained vulnerabilities leading to full account takeover across the platform and all client tenants.
CVSS 9.3 Critical
DINUM / Government Digital Platform: Chained enumeration and authentication bypass — exposing highly confidential government data at national scale.
CVSS 7.5 High
Qwant / Privacy Search Engine: Cross-origin exfiltration of authenticated data via CORS origin reflection and regex suffix bypass.
CVSS 7.4 High
Caisse Nationale d'Assurance Maladie / Healthcare: Unauthenticated access to sensitive internal healthcare data.
CVSS 7.5 High
Skills
Offensive: Pentest · Red Team · Malware Dev · Exploit Writing · AD attacks · OPSEC