About
I'm 0x4C616E, an offensive security practitioner focused on red teaming, ethical hacking, and vulnerability research. This blog is where I publish deep-dive research: CVE analysis, red team techniques, detection engineering, and tool breakdowns. Every article is researched in depth and reviewed before publishing.
Security research & CVEs
Vulnerabilities I've discovered and responsibly disclosed through HackerOne and vendor security programs:
- CVE-2026-34916 — Revive Adserver: PHP code injection via delivery limitations, leading to remote code execution during banner delivery (CWE-94, CVSS 8.8 High) — advisory
- CVE-2026-34917 — Revive Adserver: improper authentication — low-privileged web session IDs reusable against the admin-only XML-RPC API (CWE-287, CVSS 4.3 Medium) — advisory
- CVE-2026-8327 — Concrete CMS: password change without reauthentication and session-hardening bypass via unwhitelisted profile fields (CVSS 4.0: 5.3) — release notes
- CVE-2026-7887 — Concrete CMS: OAuth 2.0 authorization-code flow bypassed account status checks, letting suspended or banned users obtain valid API tokens (CVSS 4.0: 2.3) — release notes
- CVE-2026-7890 — Concrete CMS: server-side request forgery in the RSS Displayer block via unvalidated feed URLs (CVSS 4.0: 2.1) — release notes
Responsible disclosure
All content here is for educational and defensive purposes. I don't publish working exploits for unpatched systems, and analysis of offensive techniques is always paired with detection and mitigation guidance.