flomb - @fl0mb.bsky.social

Published my write-up regarding two vulnerabilities in the Tekton Dashboard. blog.flomb.net/posts/tekton/

Sometimes a stupid idea get stuck in your head. And will not disappear after a while. Anyway, here is a new blogpost, just a little hoax this time. badoption.eu/blog/2026/02/2…

incredibly excited to share that my research 'Playing with HTTP/2 CONNECT' made the final @PortSwigger Top 10 Web Hacking Techniques of 2025! A huge thank you to everyone who voted. It’s a privilege to be featured alongside such talented researchers. portswigger.net/research/top-1…

👼GatewayToHeaven (CVE-2025-13292). I discovered a cross-tenant vulnerability in @GoogleCloud's #Apigee, allowing me to access other organizations' data (and sometimes even plaintext JWTs of end users). Below is the full breakdown of the exploit chain⛓️

You like technical deep dives into binary exploitation and crazy heap wizardry? Then you'll like our blog post by @0xor_solo about unauth'ed RCE in NetSupport Manager aka CVE-2025-34164 & CVE-2025-34165 code-white.com/blog/2026-01-n…

Honored to be nominated for the @PortSwigger Top 10 Web Hacking Techniques 2025 with my research "Playing with HTTP/2 CONNECT". Make sure to check out the full list and cast your vote! portswigger.net/polls/top-10-w…

Our 2024 applicants challenge is officially #roasted: the full BeanBeat × Maultaschenfabrikle walkthrough is now online. Unwrap the write-up at apply-if-you-can.com/walkthrough/20… and revisit the hacks that escalated from cold brew to full breach.

Latest ≠ Greatest? A Retrospective Analysis of CVE-2025-59287 in Microsoft WSUS from our very own @mwulftange who loves converting n-days to 0-days code-white.com/blog/wsus-cve-…

Did you encounter the Supabase? Might wanna try my newest tooling or have a read about quickwins? There you go: blog.m1tz.com/posts/2025/10/…

CODE WHITE proudly presents #ULMageddon which is our newest applicants challenge at apply-if-you-can.com packaged as a metal festival. Have fun 🤘 and #applyIfYouCan

Just out of stealth mode last week, @TeamCyata reports on their "deliberate, weeks-long effort [...] to uncover logic-level vulnerabilities" in HashiCorp Vault and CyberArk Conjur. And uncover they did. cyata.ai/blog/cracking-… cyata.ai/blog/exploitin…

New writeup: Early last month, @samwcyo, @sshell_, and I found a Django ORM injection in an online shooter game that let us steal cryptocurrency from the game's wallet. Read the blog post here: blog.p1.gs/writeup/2025/0…

Here is a really cool blog post by wasamasa whos is a past student of our FSWA class: emacsninja.com/posts/cve-2025…. You can find them on Mastodon: @wasamasa/" target="_blank" rel="nofollow noopener">lonely.town/@wasamasa/

"Funky chunks: abusing ambiguous chunk line terminators for request smuggling" - quality research by @__w4ke! Also thankfully it doesn't overlap with my upcoming presentation 😅 w4ke.info/2025/06/18/fun…

A quick-and-dirty late night blog post on discovering an nday variant in Zyxel NWA50AX Pro devices frycos.github.io/vulns4free/202…

Three unexpected attack scenarios: 1. Marshaling private data with misconfigured tags 2. Parser differentials in a microservices architecture 3. Cross-format confusion attacks (JSON→XML) blog.trailofbits.com/2025/06/17/une…

One-Click RCE in ASUS’s Preinstalled Driver Software mrbruh.com/asusdriverhub/

Here is a short writeup for my recently discovered CVE: hesec.de/posts/cve-2025…

Yes, we're beating a dead horse. But that horse still runs in corporate networks - and quietly gives attackers the keys to the kingdom. We're publishing what’s long been exploitable. Time to talk about it. #DSM #Ivanti code-white.com/blog/ivanti-de…

My blog post on some vulns in GFI MailEssentials frycos.github.io/vulns4free/202…