Profile

View CV
Valentin Lobstein

Identify(eventCtx *EventContext) bool

Valentin Lobstein

@Chocapikk

Offensive Security Engineer and exploit developer, specialized in vulnerability research, reverse engineering, and production-grade exploit development.

Active in offensive tooling, automation, and large-scale attack surface analysis. Contributor to open-source projects, notably Metasploit, with a focus on reliable, real-world exploitation rather than standalone PoCs.

Team

B

Balgo Security

The crew I hack with

C

Christ Bowel

Blog →
R

Roland Hack

X →
T

Trhacknon

Professional Experience

10/2025 - Present

Paris, France

LeakIX , Security Researcher

  • - Writing plugins for vulnerability detection on the platform
  • - Setting up R&D labs to reproduce n-day vulnerabilities
  • - Vulnerability monitoring and research
01/2024 - 10/2025

Paris, France

Onepoint , Offensive Security Intern (Pentesting focus)

  • - Conducted penetration tests and security assessments, with a focus on web application testing
  • - Performed security evaluations for APIs and mobile applications targeting clients in critical sectors: finance, banking, insurance, and the public sector
  • - Identified vulnerabilities with potential impact on sensitive infrastructures
08/2022 - 01/2024

Antony, France

UPFRONT TECHNOLOGIES , Offensive Security Intern (Pentesting focus)

  • - Participation in penetration tests and security assessments, contributing to various technical engagements
  • - Performed audits and vulnerability assessments
  • - Developed offensive security skills while training for the eJPT and OSWP certifications

Education

2022 - 2025

Paris, France

Master's Degree - Cybersecurity and Computer Science (Technical Expert track)

Oteria Cyber School

2020 - 2022

Strasbourg, France

Bachelor's Degree in Computer Science, specialization in Web Development

University of Strasbourg

2018 - 2020

Haguenau, France

High School Diploma (French Scientific Baccalaureate - Engineering Sciences option)

Heinrich Nessel High School

Contributions

11/2023 - Present

Contributor, The Metasploit Project

  • - Top contributor in 2024/2025
  • - Development of exploit modules for Metasploit
  • - Creation and enhancement of payloads and auxiliary modules
  • - Contribution to the community by adding new offensive features
08/2022 - Present

Hunter & Moderator, LeakIX

  • - Monitoring of CVEs and 0-day vulnerabilities
  • - Moderation of submitted vulnerability reports
  • - Reporting security flaws to CERTs or affected entities
  • - Writing PoCs to support plugin development

Skills

Pentest WebExploit DevelopmentVulnerability ResearchMobile PentestCyber MonitoringForensicAPI PentestTooling & AutomationDev Open SourceReverse EngineeringProject Management & Deliverable Ownership

Technical Arsenal

Languages

Python Python
Go Go
Lua Lua
PHP PHP
Ruby Ruby
C C
Bash Bash
JavaScript JavaScript

Tools

Me
Metasploit
Burp Suite Burp Suite
Nm
Nmap
Wireshark Wireshark
Docker Docker
Git Git

Platforms

Linux Linux
Kali Kali
NixOS NixOS
Windows Windows

Projects

pgread Read PostgreSQL data files without credentials - forensics, data recovery, and security research tool
WPProbe A fast WordPress plugin enumeration tool
LFIHunt LFI Exploitation Tool in Python
LeakPy LeakIX API Interaction Tool in Python

Awards

2025
CVE-2025-34433 to CVE-2025-34442 - Multiple vulnerabilities in AVideo (Unauthenticated RCE, File Upload, IDOR, Open Redirect, Info Disclosure) - CVE.org
2025
CVE-2025-34452 - Streama Path Traversal + SSRF to Arbitrary File Write - CVE.org
08/2025
CVE-2025-34147 to CVE-2025-34152 - Shenzhen Aitemi M300 Wi-Fi Repeater (MT02) - VulnCheck
08/2025
CVE-2025-2611 - ICTBroadcast <= 7.4 - VulnCheck
03/2025
CVE-2025-30007, CVE-2025-30008 - Vembu BDRSuite <= 7.5.0.1 Unauthenticated Stored XSS - CVE.org
03/2025
Multiple vulnerabilities in Xorcom CompletePBX <= 5.2.35 (CVE-2025-2292, CVE-2025-30004, CVE-2025-30005, CVE-2025-30006) - VulnCheck
03/2025
Stored XSS in MagnusBilling 7.x (CVE-2025-2609, CVE-2025-2610) - VulnCheck
06/2024
SVGTranslate RCE - Wikimedia
05/2024
Mocodo Online <= 4.2.6 (CVE-2024-35373, CVE-2024-35374) - CVE.org
05/2024
Themify Builder < 7.5.8 - CVE-2024-3032 - CVE.org
04/2024
AVideo - CVE-2024-31819 - CVE.org
04/2024
DerbyNet (CVE-2024-30920 to CVE-2024-30929, CVE-2024-31818) - CVE.org
04/2024
Philips Hall of Honors 2024 - Philips
01/2024
Vinchin Backup (CVE-2024-22899 to CVE-2024-22903, CVE-2024-25228) - CVE.org
01/2024
Siemens Hall of Thanks 2024 - Siemens
12/2023
MajorDoMo (CVE-2023-50917) - CVE.org
12/2023
Recognition by WPScan for LFI-to-RCE escalation in Extensive VC Addons for WPBakery Page Builder - WPScan
11/2023
Hall of Fame de Ferrari - Ferrari
09/2023
Recognition by Amazon for discovering a critical vulnerability in their bug bounty program - Amazon

Certifications

11/2024
Learn Intermediate Go Course - Codecademy
11/2024
Learn Go Course - Codecademy
11/2023
API Penetration Testing - APIsec University
05/2023
eJPT (eLearnSecurity Junior Penetration Tester) - INE
03/2023
Certified Network Security Practitioner - The SecOps Group
02/2023
Certified AppSec Practitioner - The SecOps Group
10/2022
CompTIA Pentest+ - CompTIA

Source Code & PoCs

All my exploits, PoCs, and security tools are open source. Check out my repositories for vulnerability research and tooling.

Access Repositories →

Hall of Fame

Amazon Amazon - 2023 Ferrari Ferrari - 2023 Siemens Siemens - 2024 Philips Philips - 2024 Wikimedia Wikimedia - 2024

Thanks

Oteria Cyber School·Metasploit Framework team·LeakIX