articles.md

📑 Articles

A curated collection of vulnerability research articles and blog posts.
This file contains the full list of articles — the main README only highlights selected ones.

---

📝 Table of Contents

• AI
• Windows
• Linux
• Kubernetes & Cloud
• Containers
• Android & Mobile
• Web
• Bug Bounty
• Identity
• Supply Chain & Secrets
• Memory & Exploitation
• Cryptography
• Miscellaneous

---

AI

• N8Scape (Pyodide sandbox escape): 9.9 Critical Post-Auth RCE in n8n (CVE-2025-68668) by Vladimir Tokarev Ofek Itach, Jan 13, 2026
• BodySnatcher (CVE-2025-12420): A Broken Authentication and Agentic Hijacking Vulnerability in ServiceNow by Appomni, Jan 13, 2026
• Ni8mare  -  Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) by Dor Attias, Jan 7, 2026
• Securing Perplexity’s AI Browser from a One-Click UXSS by s1r1us and sudi, November 24, 2025
• Anatomy of an LLM RCE (🔥) by Shaked Reiner, Oct 28, 2024

🪟 Windows

• Microsoft Windows Cloud Files Minifilter TOCTOU Privilege Escalation by Michele Campa, Oct 20, 2025
• Dynamic Debugging of dotnet Without Source Code by Denis Andzakovic, May 15, 2023
• Finding Running RPC Server Information with NtObjectManager by James Forshaw, Jun 26, 2022
• Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks (🔥) by Simon Zuckerbraun, ,March 17, 2022
• Windows Drivers Reverse Engineering Methodology by voidsec, Jan 20, 2022
• Pentester’S Windows NTFS Tricks Collection
• Offensive Windows IPC Internals 2: RPC by Carsten Sandker, Feb 21, 2021
• Offensive Windows IPC Internals 1: Named Pipes by Carsten Sandker, Jan 10, 2021
• Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472) (PDF) (🔥) by Tom Tervoort (Secura), Sep, 2020
• Windows Exploitation by Fu11Shade, May, 2020
• Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams by Omer Tsarfati, Apr 27, 2020
• Calling Local Windows RPC Servers from .NET by James Forshaw, Decemeber 17, 2019
• Windows‌ ‌Exploitation‌ ‌Tricks:‌ ‌Spoofing‌ ‌Named‌ ‌Pipe‌ ‌Client‌ ‌PID by James Forshaw, Sep 25, 2019‌
• The Definitive Guide on Win32 to NT Path Conversion Feb 29, 2016
• WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING (PDF) by Tal Be’ery and Michael Cherny, Nov 2015

Privilege Escalation

• Who’s on the Line? Exploiting RCE in Windows Telephony Service by Sergey Bliznyuk (PT Swarm), Jan 19, 2026
• Windows LPE Bug Hunting, Served by the Team’s Youngest: Part 1 (EN) , Dec 28, 2025
• The Guest Who Could: Exploiting LPE in VMWare Tools by Sergey Bliznyuk (PT Swarm), Jul 22, 2025
• Hijacking the Windows "MareBackup" Scheduled Task for Privilege Escalation by Clément Labro (itm4n), May 20, 2025
• A Practical Guide to PrintNightmare in 2024 by Clément Labro (itm4n), Jan 28, 2024
• From NETWORK SERVICE to SYSTEM by decoder, May 4, 2020
• Faxing Your Way to SYSTEM — Part Two (🔥🔥) by Yarden Shafir & Alex Ionescu, Apr 30, 2020 - Faxhell tool
• Windows DLL Hijacking (Hopefully) Clarified by Clément Labro (itm4n), Apr 24, 2020
• CVE-2020-0729: Remote Code Execution Through .LNK Files by Trend Micro Research Team, March 26, 2020
• CVE-2020-0863 - An Arbitrary File Read Vulnerability in Windows Diagnostic Tracking Service by Clément Labro (itm4n), March 18, 2020
• CVE-2020-0787 - Windows BITS - An EoP Bug Hidden in an Undocumented RPC Function by Clément Labro (itm4n), March 11, 2020
• From dropbox(updater) to NT AUTHORITY\SYSTEM by decoder, December 18, 2019
• Windows Privilege Escalation - DLL Proxying by Clément Labro (itm4n), Apr 18, 2019

Symbolic Links

• Piping Hot Fortinet Vulnerabilities (PDF) by Nir Chacko, November 2024
• Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 2 by Michael DePlante and Nicholas Zubrisky, July 31, 2024
• Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 1 by Michael DePlante and Nicholas Zubrisky, July 30, 2024
• Avast Anti-Virus privileged arbitrary file create on virus quarantine (CVE-2023-1585 and CVE-2023-1587) by Denis Skvortcov, April 26, 2023
• Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 by Eviatar Gerzi, Apr 19, 2023
• Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 1 by Eviatar Gerzi, Feb 2, 2023
• Breaking Antivirus: Arbitrary file deletion using Symbolic link Apr 28, 2020
• An introduction to privileged file operation abuse on Windows by @clavoillotte
• Avira Optimizer Local Privilege Escalation by enigma0x3, August 29, 2019
• CVE-2019-13382: Local Privilege Escalation in SnagIt by enigma0x3, July 24, 2019
• CVE-2019-13142: Razer Surround 1.1.63.0 EoP by enigma0x3, July 5, 2019
• Avira VPN (2.15.2.28160) Elevation of Privilege through Insecure Update location by enigma0x3, March 20, 2019
• Razer Synapse 3 Elevation of Privilege by enigma0x3, January 21, 2019

---

🐧 Linux

• CVE-2021-22555: Turning \x00\x00 into 10000$ by Andy Nguyen (theflow@), 2021

---

☁️ Kubernetes & Cloud

• Kubernetes Remote Code Execution Via Nodes/Proxy GET Permission by Graham Helton, Jan 26, 2026
• What a Cluster: Local Volumes Vulnerability in Kubernetes by Tomer Peled, March 13, 2024
• Can't Be Contained: Finding a Command Injection Vulnerability in Kubernetes by Tomer Peled, September 13, 2023
• Azure DevOps CICD Pipelines - Command Injection with Parameters, Variables and a discussion on Runner hijacking by Sana Oshika, May 1, 2023
• Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms by Yuval Avrahami, January 27, 2023
• Kubernetes Pod Escape Using Log Mounts by Daniel Sagi (from Aqua)
• Dirty DAG: New Vulnerabilities in Azure Data Factory’s Apache Airflow Integration by Ofir Balassiano and David Orlovsky (Palo)
• SynLapse – Technical Details for Critical Azure Synapse Vulnerability by Tzah Pahima
• Kubernetes container runtime CRI-O has make-me-root flaw by Jessica Lyons, March 15, 2022
• Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities by Yuval Avrahami, March 8, 2022
• All Roads leads to GKE's Host : 4+ Ways to Escape (PDF) by Billy and Ramdhan, Oct 20, 2022
• Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances by Yuval Avrahami, September 9, 2021
• Escaping Virtualized Containers (PDF) by Yuval Avrahami, May 14, 2021
• Gaining Persistency on Vulnerable Lambdas by Yuval Avrahami, September 2, 2019
• Securing Jenkins: Active Directory and LDAP Services in a Jenkins Environment by Nimrod Stoler, Jan 29, 2019
• Tripping the Jenkins Main Security Circuit-Breaker: An Inside Look at Two Jenkins Security Vulnerabilities by Nimrod Stoler, Oct 12, 2018
• Jenkins Plugins – Aladdin’s Lamp and the Sultan of Threats by Nimrod Stoler, Sep 26, 2018
• CyberArk Labs Research: Securing Jenkins Java Web Start Agents by Nimrod Stoler, Sep 11, 2018
• Configuring and Securing Credentials in Jenkins by Nimrod Stoler, Aug 15, 2018

by Wiz

• CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild by Yuval Avrahami, Jan 15, 2026
• RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score by Benny Isaacs and Nir Brakha, October 6, 2025
• Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover
• NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266), July 17, 2025
• How Wiz found a Critical NVIDIA AI vulnerability:  Deep Dive into a container escape (CVE-2024-0132)
• IngressNightmare: CVE-2025-1974 - 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
• Wiz Research finds architecture risks that may compromise AI-as-a-Service providers and consequently risk customer data; works with Hugging Face on mitigations
• Probllama: Ollama Remote Code Execution Vulnerability (CVE-2024-37032) – Overview and Mitigations
• GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux affect 40% of Ubuntu cloud workloads
• #BrokenSesame: Accidental ‘write’ permissions to private registry allowed potential RCE to Alibaba Cloud Database Services
• BingBang: How a simple developer mistake could have led to Bing.com takeover
• Wiz Research discovers "ExtraReplica"— a cross-account database vulnerability in Azure PostgreSQL
• ChaosDB explained: Azure's Cosmos DB vulnerability walkthrough

---

🐳 Containers

• HEXACON 2025 - CUDA de Grâce by Valentina Palmiotti & Samuel Lovejoy (🔥) by Valentina Palmiotti & Samuel Lovejoy, Nov 24, 2025 - 🎥 Talk
• Docker Container Escape by Exploiting CGroups by Indigo Shadow, Nov 16, 2025
• Fun-reliable side-channels for cross-container communication by Ivan, Nov 12, 2025
• Container Escape Techniques: Breaking Out of Docker, Kubernetes, and Beyond by Rasoul, March 17, 2025
• Container Escapes 101 - Host memory meddling with ptrace by Natalie Somersall, Sep 5, 2025
• Exploit Notes - Docker Escape by hdks, Nov 2024
• Container Breakouts: Escape Techniques in Cloud Environments by Yosef Yaakov and Bar Ben-Michael, July 18, 2024
• Breaking Free: 26 Advanced Techniques to Escape Docker Containers by ElNiak Apr 8, 2024
• Reversing Windows Container, episode II: Silo by Lucas Di Martino, March 26, 2024
• Buildkit GRPC SecurityMode privilege check: Build-time container breakout (CVE-2024-23653) by Rory McNamara, Jan 31, 2024
• Buildkit mount cache race: Build-time race condition container breakout (CVE-2024-23651) by Rory McNamara, Jan 31, 2024
• Buildkit build-time container teardown arbitrary delete (CVE-2024-23652) by Rory McNamara, Jan 31, 2024
• Vulnerability: runc process.cwd and leaked fds container breakout (CVE-2024-21626) by Rory McNamara, Jan 31, 2024
• CVE-2022-0492 (Carpediem) explained by David Glance (CyberMnemosyne), Dec 26, 2023
• Reversing Windows Container, episode I: Silo by Lucas Di Martino, Sep 21, 2023
• Docker Security – Step-by-Step Hardening (Docker Hardening) by ReynardSec, October 16, 2023
• A new method for container escape using file-based DirtyCred by Choo Yi Kai, July 25, 2023
• Container breakout (overview) by Red Team, July 25, 2023
• Understanding Windows Containers Communication by Eviatar Gerzi, Sep 7, 2022
• corCTF 2022 CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel by D3vil, Aug 17, 2022
• Breakout from the Seccomp Unconfined Container by Gurkirat Singh, May 2, 2022
• Container escape using dirtypipe, March 19, 2022
• Escaping privileged containers for fun by Jordy Zomer, March 6, 2022
• New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape? by Yuval Avrahami, March 3, 2022
• How Docker Made Me More Capable and the Host Less Secure by Alon Zahavi, Feb 8, 2022
• Container escape techniques
• hide the current process executable file by Giuseppe Scrivano, Dec 21, 2021
• Container Host Breakout – Part 2 by Gurkirat Singh, Sep 11, 2021
• Container Host Breakout – Part 1 by Gurkirat Singh, Sep 11, 2021
• Container Breakout – Part 2 by Gurkirat Singh, Sep 10, 2021
• Container Breakout – Part 1 by Gurkirat Singh, Sep 10, 2021
• Container escape in 2021 (binfmt_misc) - PDF by Li Qiang, Sep 2, 2021
• The Real-Life Story of the First Mainframe Container Breakout by Ian Coldwater and Chad, Aug 5, 2021
• Microsoft Patched the Issue With Windows Containers That Enabled Silosca by Daniel Prizmant, Aug 5, 2021
• Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments by Daniel Prizmant, June 7, 2021
• Escaping Virtualized Containers (PDF) (🔥) by Yuval Avrahami, May 14, 2021 - 🎥 Talk
• Who Contains the Containers? (🔥) by James Forshaw, April 1, 2021
• The Strange Case of How We Escaped the Docker Default Container by Nimrod Stoler and Gilad Reti, March 4, 2021
• BitBucket Pipelines Kata Containers Virtual Machine Escape by Alex Chapman, Feb 28, 2021
• Towards Improving Container Security by Preventing Runtime Escapes (PDF), 2021
• Container Breakouts – Part 3: Docker Socket by Jan Harrie, July 30, 2020
• Container Breakouts – Part 2: Privileged Container by Jan Harrie, July 21, 2020
• Container Breakouts – Part 1: Access to root directory of the Host by Jan Harrie, July 15, 2020
• Windows Server Containers Are Open, and Here's How You Can Break Out by Daniel Prizmant, July 15, 2020
• Docker Container Breakout: Abusing SYS_MODULE capability! by Nishant Sharma, May 6, 2020
• Privileged Container Escape - Control Groups release_agent by Alex Chapman, Nov 19, 2020
• Privileged Container Escapes with Kernel Modules by TheXcellerator, Sep 27, 2020
• Security Analysis of User Namespaces and Rootless Containers by Anton Semjonov, Jan 2020
• What I Learned from Reverse Engineering Windows Containers by Daniel Prizmant, Dec 12, 2019
• Understanding Docker container escapes by Dominik Czarnota, July 19, 2019
• CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack by Rory McCune, Sep 27, 2019
• AppArmor can be bypassed by a malicious image that specifies a volume at /proc, Sep 22, 2019
• A Complendium of Container Escapes - PDF (🔥) by Brandon Edwards and Nick Freeman from Capsule8, August 2019
• Breaking Out of rkt – 3 New Unpatched CVEs by Yuval Avrahami, May 30, 2019
• The Route to Root: Container Escape Using Kernel Exploitation (🔥) by Nimrod Stoler, March 4, 2019
• Breaking out of Docker via runC – Explaining CVE-2019-5736 (🔥) by Yuval Avrahami, Feb 21, 2019
• An Exercise in Practical Container Escapology by Capsule8, Feb 21, 2019
• How I Hacked Play-with-Docker and Remotely Ran Code on the Host (🔥) by Nimrod Stoler, Jan 14, 2019
• Container Basics and Escapes by 0xn3va
• Container Breakout Vulnerabilities, by Rory McCune
• Csw2016 wang docker_escapetechnology by Wang, 2016
• Understanding and Hardening Linux Containers - PDF by NCC Group, Jun 29, 2016
• Abusing Privileged and Unprivileged Linux Containers - PDF by NCC Group, Jun 29, 2016
• PoC for Dirty COW (CVE-2016-5195) by scumjr, 2016
• Docker breakout exploit analysis (shocker) by Jen Andre, Jun 19, 2014
• Shocker / Docker Breakout PoC by Gabe Monroy, Jun 18, 2014
• shocker: docker PoC VMM-container breakout by Sebastian Krahmer, Jun 18, 2014
• Memory inside Linux containers by Fabio Kung, March 13, 2014

---

📱 Android & Mobile

---

Web

• GatewayToHeaven: Finding a Cross-Tenant Vulnerability in GCP's Apigee by Omer Amiad, Jan 28, 2026
• CVE-2026-23958 Compromises Admin Accounts on DataEase ; Enterprise BI at Risk by Nir Zadok and Eyal Paz, Jan 21, 2026
• Do Smart People Ever Say They’re Smart? (SmarterTools SmarterMail Pre-Auth RCE CVE-2025-52691) by Piotr Bazydlo (@chudyPB) and Sina Kheirkhah (@SinSinology), Jan 8, 2026
• Guest Post: How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets by Sharon Brizinov, Jul, 2025 -> Linkedin post.
• Breaking Oracle’s Identity Manager: Pre-Auth RCE (CVE-2025-61757) by Adam Kues and Shubham Shah, November 20, 2025
• How I Found a Critical Password Reset Bug in the BB program(and Got $4,000)
• Account Takeover via Password Reset without user interactions
• Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT by Gal Nagli, July 15, 2024
• CVE-2024-25153: Remote Code Execution in Fortra FileCatalyst by Tom Wedgbury, March 13, 2024
• ChatGPT Account Takeover - Wildcard Web Cache Deception (🔥) by Harel, Feb 4, 2024
• Sandwich Attack UUIDv1 by 0xLupin, Jan 12, 2024
• Hacking Chess.com and Accessing 50 Million Customer Records by Sam Curry, Dec 16, 2020
• We Hacked Apple for 3 Months: Here’s What We Found by Sam Curry, Oct 7, 2020
• Old but GOLD Dot Dot Slash to Get the Flag — Uber Microservice by Ron Chan, April 7, 2019
• Tutorial One: Open Url Redirects by Zseano, Sep 14, 2017
• Tutorials by zseano by Zseano, Sep 14, 2017
• Web Cache Deception Attack (🔥) by Omer Gil, Feburary 27, 2017

---

Bug Bounty

• How I made $64k from deleted files — a bug bounty story by Sharon Brizinov, Apr 22, 2025
• $10,500 Bounty: A Grammarly Account Takeover Vector by Monika sharma
• awesome-google-vrp-writeups by xdavidhu, 2020

---

🌐 Identity

• One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens by Dirk-jan Mollema, September 17, 2025
• Forging Passkeys: Exploring the FIDO2 / WebAuthn Attack Surface by vmfunc, June 20, 2025
• WebAuthn Under Attack: How Trojans Can Compromise Your Credentials (PDF) by Aditya Mitra and Anisha Ghosh, Sep 16, 2023 - GitHub Issue
• Bypassing Windows Hello Without Masks or Plastic Surgery by Omer Tsarfati, Jul 17, 2023
• Abusing FIDO2 passkeys to take over Global Administrators in Entra ID by Max Rozendaal

OAuth

• Common OAuth Vulnerabilities by Jose Catalan and Szymon Drosdzol, Jan 30, 2025
• Millions of Accounts Vulnerable due to Google’s OAuth Flaw by Dylan Ayrey, Jan 13, 2025 - 🎥 Talk
• Understanding OAuth 2.0 and its Common Vulnerabilities by Vaadata, January 9, 2025
• Account hijacking using “dirty dancing” in sign-in OAuth-flows (🔥) by Frans Rosén
• OAuth Non-Happy Path to ATO by Omid Rezaei
• Common OAuth Vulnerabilities by Jose Catalan and Szymon Drosdzol, Jan 30, 2025
• Third Party Services Takeover using Oauth Misconfiguration by Ronak Patel, Dec 13, 2024
• OAuth Account Hijacking via redirect_uri by Ryan G. Cox, Dec 10, 2024
• The OAuth Oversight: When Configuration Errors Turn into Account Hijacks by ProwlSec, Nov 4, 2024
• Uber - Navigating the Complexities of redirect_uri: A Bug Bounty Journey by Ron Chan, Jun 14, 2024
• Writeup: Keycloak open redirect (CVE-2023-6927) (🔥🔥) by Pontus Hanssen and Kasper Karlsson, January 11, 2024
• Google OAuth is Broken (Sort Of) (🔥) by Dylan Ayrey, December 15, 2023
• nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover by Omer Cohen, June 20, 2023
• OAuth 2.0 Hunting Methodology by KathanP19, Sep 18, 2022
• OAuth 2.0 Vulnerabilities by 0xn3va
• Make Redirection Evil Again: URL Parser Issues in OAuth by Chinese University, March 29, 2019
• [Google VRP] SSRF in Google Cloud Platform StackDriver by Ron Chan, Dec 19, 2019
• [Uber] redirect_uri is difficult to do it right (🔥) by Ron Chan, Nov 22, 2017
• [Uber 8k Bug] Login CSRF + Open Redirect = Account Take Over by Ron Chan, August 7, 2017
• Facebook's Moves - OAuth redirect_uri bypass by Paulos Yibelo, June, 2016
• Oauth 2.0 redirection bypass cheat sheet by N B Sri Harsha, Apr, 2016
• CSRF Vulnerability in OAuth 2.0 Client Implementations by Stephen Sclafani, Apr 6, 2011

by Aviad Carmel from Salt

• Traveling with OAuth — Account Takeover on Booking.com (🔥) - 🎥 Talk
• Salt Labs exposes a new vulnerability in popular OAuth framework, used in hundreds of online services
• Oh-Auth — Abusing OAuth to take over millions of accounts
• Security Flaws within ChatGPT Ecosystem Allowed Access to Accounts On Third-Party Websites and Sensitive Data
• Over 1 Million websites are at risk of sensitive information leakage — XSS is dead. Long live XSS

---

🔑 Supply Chain & Secrets

• Guest Post: How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets

---

🧩 Memory & Exploitation

---

🔐 Cryptography

---

🌀 Miscellaneous

• Trust Me, I’m a Robot: Can We Trust RPA With Our Most Guarded Secrets? (🔥) by Nimrod Stoler
• CVE-2019-1306: Are you my Index? by Mikhail Shcherbakov

---

CTFs WriteUps

Containers

• Contain Me If You Can - Wiz Cloud CTF July by Jason Walker, Aug 31, 2025

---

⭐ Feel free to contribute — add new articles under the correct section, keep entries alphabetized, and provide a short description.