Valentin Lobstein

Chocapikk

Security Researcher & Exploit Developer

Breaking, building, and documenting. Vulnerability research, exploit development, and offensive security.

74 cves 82 exploits 64 articles

Latest

CVE-2026-26210: ktransformers Unauthenticated RCE via Pickle Deserialization in ZMQ Scheduler

A critical unauthenticated RCE vulnerability in ktransformers' balance_serve backend. A ZMQ ROUTER socket binds to all interfaces and proxies messages to worker threads that deserialize them with pickle.loads() - no authentication, no validation.

Read more →

Recent

all →
>_

CVE-2026-25874: HuggingFace LeRobot Unauthenticated RCE via Pickle Deserialization in gRPC PolicyServer

A critical unauthenticated RCE vulnerability in HuggingFace's LeRobot project (21.5k stars). The gRPC PolicyServer deserializes attacker-controlled data with pickle.loads() in two RPC handlers, allowing instant code execution without authentication.

CVERCE
>_

Microsoft tensorwatch: Local Code Execution via Pickle Deserialization in ZMQ Listener

A local code execution vulnerability in Microsoft's tensorwatch. Calling tw.Watcher() - the first line in every README example - silently creates a ZMQ REP socket on localhost that deserializes incoming messages with pickle.loads(). Any local user on the same machine gets code execution.

CVERCE
>_

Instagram's 'Seen' Is a Lie — And They're About to Charge You for the Proof

Instagram's 'seen' indicator is a separate GraphQL call that any browser extension can block. It's been this way since 2019. Now Meta wants to charge $2/month for it.

PrivacyResearchInstagram
How to Start Contributing to Metasploit: Field Notes from 68 Modules

How to Start Contributing to Metasploit: Field Notes from 68 Modules

68 modules in 2.5 years. Here's what the official docs don't tell you about writing Metasploit modules - from finding targets to surviving code review.

MetasploitTutorialExploit Dev
>_

Your .swp Files Are Telling on You: A Git Forensics Guide

Swap files from Vim and nano can leak usernames, hostnames, and sensitive data in git repos. Even after deletion, the blob stays in git history forever. Here's how to find them and how to actually clean them.

ForensicsTutorial
>_

CeWL Is Dead. Here's What Replaces It.

CeWL has been the default wordlist generator for 10 years. CeWL AI crawls HTTP, FTP, SFTP, SMB, and S3 targets, feeds context to an LLM, scans for secrets with 800+ trufflehog detectors, and dumps files - all from one binary.

ToolsAIPentest
Rick Astley

NEVER GONNA
GIVE YOU UP

You were warned.