Valentin Lobstein

Chocapikk

Security Researcher & Exploit Developer

Breaking, building, and documenting. Vulnerability research, exploit development, and offensive security.

69 cves 81 exploits 54 articles

Latest

From Zero to Exploit Dev: What Actually Worked

How I went from knowing nothing about computers in 2020 to writing exploits. No magic, no shortcuts, just the process.

Read more →

Recent

all →
>_

How I Added PTY Support to Busybox Shells (When Everyone Said It Was Impossible)

Every shell handler fails on busybox/Alpine. No script, no python, no PTY. I fixed it with 80 lines of C and a base64 upload.

ToolsTechniqueTutorial
Reverse Engineering the ITE 8910 Keyboard RGB Protocol for OpenRGB

Reverse Engineering the ITE 8910 Keyboard RGB Protocol for OpenRGB

How I reverse-engineered the complete USB HID protocol of the ITE 8910 keyboard controller from a Windows DLL and .NET executable, and contributed per-key RGB support with 14 modes to OpenRGB - the first implementation for this chip on Linux.

Reverse EngineeringOpenRGBLinux
>_

OmniGen2: Unauthenticated RCE via Pickle Deserialization in BAAI's Reward Server

A critical unauthenticated RCE vulnerability in OmniGen2's reward server infrastructure. The Flask-based servers deserialize raw HTTP POST bodies with pickle.loads() without any authentication, giving instant code execution to anyone with network access.

CVERCE
>_

sglang: Unauthenticated RCE via Pickle Deserialization in ZMQ Transport (Disaggregated Serving)

A critical unauthenticated RCE vulnerability in sglang's ZMQ transport layer for disaggregated serving. ZMQ PULL sockets bind to all interfaces and deserialize messages with pickle.loads() - no auth, no validation. Distinct from CVE-2025-10164 which only covers the HTTP API.

CVERCE
>_

openDCIM: From SQL Injection to RCE via Config Poisoning

Three chained vulnerabilities in openDCIM turn a missing authorization check into unauthenticated remote code execution on Docker deployments.

CVERCESQL Injection
>_

CVE-2026-27743 through CVE-2026-27747: Five Vulnerabilities in SPIP Plugins

Five vulnerabilities across SPIP plugins: two SQL injections, two RCE (one unauth, one auth), and reflected XSS. Same template engine, same mistakes, different entry points.

CVERCESQLi
Rick Astley

NEVER GONNA
GIVE YOU UP

You were warned.