Security-Research

Three Security Findings in Tautulli: SSRF, JSONP Injection, and SQL Injection
Three Security Findings …

Background

Tautulli is a Python/CherryPy web application that sits alongside your Plex Media Server and gives you statistics, notifications, and monitoring for everything happening on your server. It is one of the most popular self-hosted Plex companion apps, and a lot of people run it exposed on …

March 27, 2026 Read
Finding a Svelte SSR XSS via Unsanitized idPrefix in HTML Comment Markers
Finding a Svelte SSR XSS …

Background

I’ve been working through Vercel’s bug bounty program, which explicitly calls out server-side rendering and compiler security as focus areas. Svelte is a Tier 1 target in that program, and since Svelte 5 introduced a significant rework of how components are compiled and …

March 23, 2026 Read
Unauthenticated SSRF in RustDesk Lets Anyone Port-Scan Your Internal Network
Unauthenticated SSRF in …

Background

RustDesk is an open-source remote desktop tool written in Rust. It is basically the self-hosted alternative to TeamViewer or AnyDesk, and it has gotten pretty popular because you can run your own relay and rendezvous server. That self-hosted server model is actually the interesting part …

March 6, 2026 Read
Open Redirect in Prowlarr Login Lets Attackers Redirect Users After Authentication
Open Redirect in Prowlarr …

Background

Prowlarr is an open-source indexer manager for the *arr ecosystem (Radarr, Sonarr, Lidarr, etc.). It acts as a centralized proxy for torrent and Usenet indexers, so a typical homelab setup has it sitting alongside a media server stack with direct access to download clients and a lot of …

March 5, 2026 Read
Finding an Authentication Bypass and Credential Disclosure in Seerr Using Claude and Bitwarden's AI Security Plugins
Finding an Authentication …

Background

I’ve been running Seerr at home for a while now. It’s a self-hosted media request manager, forked from Jellyseerr/Overseerr, and it’s the kind of app that gets exposed to the internet pretty regularly since family members need to be able to submit requests. That always …

February 27, 2026 Read