Chocapikk
Security Researcher & Exploit Developer
Breaking, building, and documenting. Vulnerability research, exploit development, and offensive security.
Latest
OmniGen2: Unauthenticated RCE via Pickle Deserialization in BAAI's Reward Server
A critical unauthenticated RCE vulnerability in OmniGen2's reward server infrastructure. The Flask-based servers deserialize raw HTTP POST bodies with pickle.loads() without any authentication, giving instant code execution to anyone with network access.
Recent
sglang: Unauthenticated RCE via Pickle Deserialization in ZMQ Transport (Disaggregated Serving)
A critical unauthenticated RCE vulnerability in sglang's ZMQ transport layer for disaggregated serving. ZMQ PULL sockets bind to all interfaces and deserialize messages with pickle.loads() - no auth, no validation. Distinct from CVE-2025-10164 which only covers the HTTP API.
openDCIM: From SQL Injection to RCE via Config Poisoning
Three chained vulnerabilities in openDCIM turn a missing authorization check into unauthenticated remote code execution on Docker deployments.
CVE-2026-27743 through CVE-2026-27747: Five Vulnerabilities in SPIP Plugins
Five vulnerabilities across SPIP plugins: two SQL injections, two RCE (one unauth, one auth), and reflected XSS. Same template engine, same mistakes, different entry points.
CVE-2025-71243: AI-Assisted Reversal of SPIP Saisies RCE in 30 Minutes
From VulnCheck advisory to working PoC in 30 minutes. Full AI-assisted reversal of CVE-2025-71243, an unauthenticated PHP code injection in SPIP's Saisies plugin affecting versions 5.4.0 through 5.11.0.
MajorDoMo Revisited: What I Missed in 2023
In 2023 I found CVE-2023-50917 in MajorDoMo. In 2026, AI agents found 8 more bugs I completely missed.
Android's AccessibilityService: A Single Toggle to Total Device Control
How one API designed for disability access became the foundation of a $145M surveillance industry. A proof-of-concept implant demonstrates the full attack chain: silent permission escalation in 2.4 seconds, contextual keylogging, see-through overlays, network toggle, self-hiding persistence, and an embedded Linux terminal with apt - all from a single accessibility toggle, no root required.
NEVER GONNA
GIVE YOU UP
You were warned.