Final-year master's student in cybersecurity focused on vulnerability research, exploit development, and offensive security.
- Currently: Offensive Security Intern @ CIH Bank, Casablanca
- DevSecOps Intern @ Evidence Way, Casablanca
- Manager of Intern's Security Solution's Team @ Microtech Leaders, Chicago (Remote)
- Cybersecurity Engineering Intern @ CIH Bank, Casablanca
- Microsoft MSRC Leaderboard Q3 2025: #60
- Microsoft MSRC Leaderboard Q4 2025: #48
- Google VRP Honorable Mention
Here are some of the disclosed vulnerabilities I found in my research:
- CVE-2025-55319: Command Injection Leading to RCE
- CVE-2025-64660: Improper Access Control Leading to RCE
- CVE-2026-21257: Elevation of Privilege Vulnerability
- CVE-2026-21256: Remote Code Execution Vulnerability
- CVE-2025-62214: Command Injection Leading to Local Code Execution
- CVE-2025-66294: Remote Code Execution via SSTI through Twig Sandbox Bypass
- CVE-2025-66301: Broken Access Control in Form Modification
- CVE-2026-1207: SQL Injection in RasterField Band Index Parameter
- CVE-2025-61674: Stored XSS via Editor Settings
- CVE-2025-61676: Stored XSS via Branding Styles
- CVE-2025-49136: Sprig Template Injection Leads to Environment Variable Disclosure
- CVE-2025-52277: Stored Cross-Site Scripting Vulnerability
- Listmonk auxiliary module for CVE-2025-49136
- Grav CMS chain module combining CVE-2025-66294 and CVE-2025-66301
- From Zero to SOC Homelab — Building a fully integrated Security Operations Center with automated defense-in-depth
- Windows Hooking Explained — API hooking techniques for offensive and defensive security
- Email: nakkouchtarek@gmail.com
- LinkedIn: linkedin.com/in/tareknakkouch
- Medium: @nakkouchtarek
- Portfolio: nakkouchtarek.github.io

