Bug-Bounty

Finding a Svelte SSR XSS via Unsanitized idPrefix in HTML Comment Markers

Background

I’ve been working through Vercel’s bug bounty program, which explicitly calls out server-side rendering and compiler security as focus areas. Svelte is a Tier 1 target in that program, and since Svelte 5 introduced a significant rework of how components are compiled and …

Finding an Authentication Bypass and Credential Disclosure in Seerr Using Claude and Bitwarden's AI Security Plugins

Background

I’ve been running Seerr at home for a while now. It’s a self-hosted media request manager, forked from Jellyseerr/Overseerr, and it’s the kind of app that gets exposed to the internet pretty regularly since family members need to be able to submit requests. That always …

CSS Injection in dashdot's Single-Widget Embed Mode

If you run a home lab or a self-hosted setup, there is a good chance you have come across dashdot. It is a slick, glassmorphism-style server monitoring dashboard that shows you CPU load, RAM usage, network stats, and more in real time. It also has a handy single-widget embed mode, where you can pull …