🐛 Bug Hunting

Methodology notes and (sanitized) findings from my vulnerability research. Disclosures only appear here after coordination with the affected party.

[high] ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware (GHSA-v9xm-ffx2-7h35, CVE-2026-32730; npm · apostrophe)
[high] Dagu SSE Authentication Bypass in Basic Auth Mode (GHSA-9wmw-9wph-2vwp, CVE-2026-31882; npm · dagu)
[high] h3 Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields (GHSA-22cc-p3c6-wpvm, CVE-2026-33128; npm · h3)
[high] Parse Server MFA Recovery Codes Not Consumed After Use (GHSA-4hf6-3x24-c9m8, CVE-2026-31875; npm · parse-server)
[high] Parse Server NoSQL Injection via Token Type in Password Reset and Email Verification (GHSA-vgjh-hmwf-c588, CVE-2026-30941; npm · parse-server)
[high] Parse Server Protected Fields Bypass via Logical Query Operators (GHSA-72hp-qff8-4pvv, CVE-2026-30962; npm · parse-server)
[moderate] h3 Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read (GHSA-wr4h-v87w-p3r7; npm · h3)
[moderate] Hono Prototype Pollution Possible Through __proto__ Key Allowed in parseBody({ dot: true }) (GHSA-v8w9-8mx6-g223; npm · hono)
[moderate] Parse Server LDAP Injection via Unsanitized User Input in DN and Group Filter Construction (GHSA-7m6r-fhh7-r47c, CVE-2026-31828; npm · parse-server)
[moderate] Parse Server requestKeywordDenylist Keyword Scan Bypass Through Nested Object Placement (GHSA-q342-9w2p-57fp, CVE-2026-30938; npm · parse-server)
[moderate] Parse Server SQL Injection via Query Field Name (PostgreSQL) (GHSA-c442-97qw-j6c6, CVE-2026-32234; npm · parse-server)
[moderate] Parse Server User Enumeration via Email Verification Endpoint (GHSA-w54v-hf9p-8856, CVE-2026-31901; npm · parse-server)
[moderate] SiYuan Cross-Origin WebSocket Hijacking via Authentication Bypass (Unauthenticated Information Disclosure) (GHSA-xp2m-98x8-rpj6, CVE-2026-32815; go · github.com/siyuan-note/siyuan/kernel)
[moderate] SiYuan RCE via Malicious Bazaar Package and Marketplace XSS (GHSA-v3mg-9v85-fcm7; go · siyuan)
[moderate] SiYuan RCE via Stored XSS in Notebook Name (Mobile Interface) (GHSA-qr46-rcv3-4hq3, CVE-2026-32751; go · github.com/siyuan-note/siyuan/kernel)
[moderate] SiYuan Stored XSS to RCE via Unsanitized Bazaar Package Metadata (GHSA-mvpm-v6q4-m2pf, CVE-2026-33067; go · github.com/siyuan-note/siyuan/kernel)
[moderate] SiYuan Stored XSS to RCE via Unsanitized Bazaar README Rendering (GHSA-4663-4mpg-879v, CVE-2026-33066; go · github.com/siyuan-note/siyuan/kernel)
[moderate] SiYuan SVG Sanitizer Bypass via <animate> Element (Unauthenticated XSS) (GHSA-5hc8-qmg8-pw27, CVE-2026-31807; go · github.com/siyuan-note/siyuan/kernel)
[moderate] SiYuan SVG Sanitizer Bypass via Whitespace in javascript: URI (Unauthenticated XSS) (GHSA-pmc9-f5qr-2pcr, CVE-2026-31809; go · github.com/siyuan-note/siyuan/kernel)
[moderate] smol-toml Denial of Service via TOML Documents Containing Thousands of Consecutive Commented Lines (GHSA-v3rj-xjv7-4jmq; npm · smol-toml)
[moderate] wger Stored XSS via Unescaped License Attribution Fields (GHSA-6f54-qjvm-wwq3, CVE-2026-40353; pip · wger)
[low] Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback (GHSA-g2qj-prgh-4g9r, CVE-2026-34969; go · github.com/nhost/nhost)
[low] Nhost Storage MIME Type Spoofing via Trusted Client Content-Type Header (GHSA-g9f6-9775-hffm, CVE-2026-33221; go · github.com/nhost/nhost)