I am ᴿᴱᴺᵂᴬ
Writings
- Safari Address Bar Spoof via Cursor Overlap
- When CTF Meets Bug Bounty: A Critical UXSS in Opera Browser
- Disclosing "PermissionJacking," a Safari bug that lets websites trick you into giving camera, mic, gps... access.
- HTML Injection to Stored XSS and Account Takeover
- Stored XSS in My Flow To RCE in Opera Browser #2
- Reflected XSS In Main Search, WAF+Sanitizer Bypass Using 2 Reflections
- Client Side Path Traversal (CSPT) Bug Bounty Reports and Techniques
- Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE
- XSS to OAuth access token leak in office online which can be used to account takeover
- You Are Not Where You Think You Are, Opera Browsers Address Bar Spoofing Vulnerabilities
- Chatwoot postMessage XSS
- Opera Browser VPN Bypass
- Asana Electron desktop app open redirect to local file read
- The Underrated Bugs, Clickjacking, CSS Injection, Drag-Drop XSS, Cookie Bomb, Login+Logout CSRF…
- XSS to RCE in Opera Browser
- Opera Browser Local File Read and UXSS via Stored-XSS
- Facebook Messenger Desktop App Arbitrary File Read
- Copy Drag — Paste Drop
- Bypass SameSite Cookies Default to Lax and get CSRF
- Facebook Messenger exposing deleted messages using [Remove for Everyone]
- Security Fest 2019 CTF, entropian [web] write-up
- New technique to find Blind-XSS
- Self-XSS + CSRF to Stored XSS
CVEs (just popular ones)
- Safari: CVE-2025-24128, CVE-2025-30467, CVE-2025-24113, CVE-2025-31266, CVE-2025-30466, CVE-2025-43327, CVE-2025-43503, CVE-2025-43493
- Firefox: CVE-2025-23108, CVE-2025-27424, CVE-2025-27426, CVE-2024-11695, CVE-2025-55030, CVE-2025-55032, CVE-2025-9183, CVE-2025-3029
- Edge: CVE-2024-38093, CVE-2026-0103, CVE-2025-65046, CVE-2025-21253
- Chrome: Pending...
- LibreOffice: 3 RCEs
- Opera: 15+
- Arc: 15+
- TechSmith: 5
- Chatwoot: CVE-2023-2109
- Google: 2
- Yandex: 5
- ...