Valentin Lobstein

Chocapikk

Security Researcher & Exploit Developer

Breaking, building, and documenting. Vulnerability research, exploit development, and offensive security.

CV
69 cves 81 exploits 52 articles

Latest

Reverse Engineering the ITE 8910 Keyboard RGB Protocol for OpenRGB

Reverse Engineering the ITE 8910 Keyboard RGB Protocol for OpenRGB

How I reverse-engineered the complete USB HID protocol of the ITE 8910 keyboard controller from a Windows DLL and .NET executable, and contributed per-key RGB support with 14 modes to OpenRGB - the first implementation for this chip on Linux.

Read more →

Recent

all →
>_

OmniGen2: Unauthenticated RCE via Pickle Deserialization in BAAI's Reward Server

A critical unauthenticated RCE vulnerability in OmniGen2's reward server infrastructure. The Flask-based servers deserialize raw HTTP POST bodies with pickle.loads() without any authentication, giving instant code execution to anyone with network access.

CVERCE
>_

sglang: Unauthenticated RCE via Pickle Deserialization in ZMQ Transport (Disaggregated Serving)

A critical unauthenticated RCE vulnerability in sglang's ZMQ transport layer for disaggregated serving. ZMQ PULL sockets bind to all interfaces and deserialize messages with pickle.loads() - no auth, no validation. Distinct from CVE-2025-10164 which only covers the HTTP API.

CVERCE
>_

openDCIM: From SQL Injection to RCE via Config Poisoning

Three chained vulnerabilities in openDCIM turn a missing authorization check into unauthenticated remote code execution on Docker deployments.

CVERCESQL Injection
>_

CVE-2026-27743 through CVE-2026-27747: Five Vulnerabilities in SPIP Plugins

Five vulnerabilities across SPIP plugins: two SQL injections, two RCE (one unauth, one auth), and reflected XSS. Same template engine, same mistakes, different entry points.

CVERCESQLi
>_

CVE-2025-71243: AI-Assisted Reversal of SPIP Saisies RCE in 30 Minutes

From VulnCheck advisory to working PoC in 30 minutes. Full AI-assisted reversal of CVE-2025-71243, an unauthenticated PHP code injection in SPIP's Saisies plugin affecting versions 5.4.0 through 5.11.0.

CVERCESPIP
>_

MajorDoMo Revisited: What I Missed in 2023

In 2023 I found CVE-2023-50917 in MajorDoMo. In 2026, AI agents found 8 more bugs I completely missed.

CVESecurity Research
Rick Astley

NEVER GONNA
GIVE YOU UP

You were warned.