Valentin Lobstein

ʞʞıdɐɔoɥƆ

Security Researcher & Exploit Developer

at VulnCheck

Breaking, building, and documenting. Vulnerability research, exploit development, and offensive security.

76 CVEs · 82 exploits · 66 articles

Latest

CVE-2026-29514: NetBox Jinja2 Sandbox Bypass to RCE via RenderTemplateMixin environment_params

A Jinja2 sandbox bypass in NetBox allows low-privilege users to achieve remote code execution via the RenderTemplateMixin environment_params finalize parameter, affecting both ExportTemplate and ConfigTemplate.


Recent


Unauthenticated RCE in OpenCATS via Installer Config Injection

Unauthenticated remote code execution in OpenCATS through unsanitized input in the installer AJAX endpoint, allowing PHP code injection into config.php.

Tags: CVE, RCE, OpenCATS

CVE-2026-26210: ktransformers Unauthenticated RCE via Pickle Deserialization in ZMQ Scheduler

A critical unauthenticated RCE vulnerability in ktransformers' balance_serve backend. A ZMQ ROUTER socket binds to all interfaces and proxies messages to worker threads that deserialize them with pickle.loads() - no authentication, no validation.

Tags: CVE, RCE

CVE-2026-25874: HuggingFace LeRobot Unauthenticated RCE via Pickle Deserialization in gRPC PolicyServer

A critical unauthenticated RCE vulnerability in HuggingFace's LeRobot project (21.5k stars). The gRPC PolicyServer deserializes attacker-controlled data with pickle.loads() in two RPC handlers, allowing instant code execution without authentication.

Tags: CVE, RCE

Microsoft tensorwatch: Local Code Execution via Pickle Deserialization in ZMQ Listener

A local code execution vulnerability in Microsoft's tensorwatch. Calling tw.Watcher() - the first line in every README example - silently creates a ZMQ REP socket on localhost that deserializes incoming messages with pickle.loads(). Any local user on the same machine gets code execution.

Tags: CVE, RCE

Instagram's 'Seen' Is a Lie — And They're About to Charge You for the Proof

Instagram's 'seen' indicator is a separate GraphQL call that any browser extension can block. It's been this way since 2019. Now Meta wants to charge $2/month for it.

Tags: Privacy, Research, Instagram

How to Start Contributing to Metasploit: Field Notes from 68 Modules

68 modules in 2.5 years. Here's what the official docs don't tell you about writing Metasploit modules - from finding targets to surviving code review.

Tags: Metasploit, Tutorial, Exploit Dev