Valentin Lobstein

ʞʞıdɐɔoɥƆ

Security Researcher & Exploit Developer

at VulnCheck

Breaking, building, and documenting. Vulnerability research, exploit development, and offensive security.

79 cves 82 exploits 69 articles

Latest

Monsta FTP: An SSRF Blocklist That Forgot IPv6 Exists

Monsta FTP: An SSRF Blocklist That Forgot IPv6 Exists

An unauthenticated SSRF in Monsta FTP 2.14.4. The product ships a real SSRF blocklist that correctly blocks 127.0.0.1, 169.254.169.254 and RFC1918, then forgets that ::ffff:169.254.169.254 is the exact same host. One missing normalization, both gates bypassed, and a static AAAA record is all it takes.

Read more →

Recent

all →
>_

NVIDIA GEN3C: Unauthenticated RCE via Pickle Deserialization in Inference API

A critical unauthenticated RCE vulnerability in NVIDIA's GEN3C project. Two FastAPI inference endpoints deserialize raw HTTP POST bodies with pickle.loads() without any authentication, giving instant code execution to anyone with network access.

CVERCE
>_

FOSSBilling: One Missing throw - From Auth Bypass to Unauthenticated RCE

A missing throw keyword in FOSSBilling's API router exposes the entire admin surface to unauthenticated attackers. Combined with an unsandboxed Twig SSTI that leaks the full DI container, this leads to arbitrary SQL execution, admin takeover, and unauthenticated RCE via malicious extension installation.

CVERCEAuth Bypass
>_

CVE-2026-29514: NetBox Jinja2 Sandbox Bypass to RCE via RenderTemplateMixin environment_params

A Jinja2 sandbox bypass in NetBox allows low-privilege users to achieve remote code execution via the RenderTemplateMixin environment_params finalize parameter, affecting both ExportTemplate and ConfigTemplate.

CVE-2026-29514RCEJinja2
>_

Unauthenticated RCE in OpenCATS via Installer Config Injection

Unauthenticated remote code execution in OpenCATS through unsanitized input in the installer AJAX endpoint, allowing PHP code injection into config.php.

CVERCEOpenCATS
>_

CVE-2026-26210: ktransformers Unauthenticated RCE via Pickle Deserialization in ZMQ Scheduler

A critical unauthenticated RCE vulnerability in ktransformers' balance_serve backend. A ZMQ ROUTER socket binds to all interfaces and proxies messages to worker threads that deserialize them with pickle.loads() - no authentication, no validation.

CVERCE
>_

CVE-2026-25874: HuggingFace LeRobot Unauthenticated RCE via Pickle Deserialization in gRPC PolicyServer

A critical unauthenticated RCE vulnerability in HuggingFace's LeRobot project (21.5k stars). The gRPC PolicyServer deserializes attacker-controlled data with pickle.loads() in two RPC handlers, allowing instant code execution without authentication.

CVERCE
Rick Astley

NEVER GONNA
GIVE YOU UP

You were warned.