Behrad's Blog

vulnerability-research

2026

February 9, 2026
Building a Headless Browser RCE with Claude Opus 4.6
Using Claude Opus 4.6 to build a working RCE exploit for a heap buffer overflow in PhantomJS, from existing CVE to PoC.

February 1, 2026
Hunting for Deserialization Gadgets in the Rails Ecosystem
Walking through the process of identifying a deserialization gadget chain commonly available in Ruby on Rails applications.

January 27, 2026
Unsafe Reflection Vulnerabilities
How unsafe reflection turns user input into arbitrary class instantiation, from the mechanics of CWE-470 to exploitation and prevention across Java and Ruby.

2022

February 18, 2022
Java Deserialization Vulnerabilities
Understanding Java deserialization from serialization internals to exploitation, with a walkthrough of using ysoserial gadget chains to achieve RCE on Apache OpenMeetings.

2021

November 5, 2021
Discovering a Blind SQL Injection: Whitebox Approach
Finding and exploiting CVE-2021-43481, a time-based blind SQL injection in webTareas, discovered through source code review.

© Behrad Taher