https://discord.gg/WytKH65ZR join up for research, help, documentation, and more useful information for those interested.
Credit for the objdump finding goes to someone who beat me to it (and has a better PoC): https://github.com/4D4J/objdump-Out-Of-Bounds-write
New drops today ;) Biggest thing yet (DELAYED, I PROMISE THE WAIT WILL BE WORTH IT! After this, you guys will usually get one new PoC a day)
I've also noticed a surprising amount of "security researchers" aren't able to adjust the PoC to work in their environment. I will broaden the PoCs for those select few...
If you wish to collaborate/discuss with me, contact me on discord @ashdfrkl
Sharing this repo keeps me motivated to continue dropping my findings for you all.
A consolidated archive of my public proof-of-concept and vulnerability research writeups.
Most folders contain one of my former standalone PoC repos, preserved with its original README and tracked files. New research entries are added directly here as self-contained folders.
Contributed Research (by Unrealisedd)
The following entries were contributed via PR:
| Folder | Description |
|---|---|
openvpn-UAF-BYOVD |
ovpn-dco-win kernel driver CNG key UAF + crash PoC |
storsvc-dll-hijack-lpe |
StorSvc LoadLibraryW("SprintCSP.dll") without LOAD_LIBRARY_SEARCH_SYSTEM32 |
dam-sys-kernel-bugs |
dam.sys: 3 kernel bugs from standard user (BSOD + confused deputy + Defender freeze) |
seb-service-auth-bypass-lpe |
Safe Exam Browser SYSTEM service auth bypass → RCE as SYSTEM via log injection |
defender-signature-lock-bypass |
CVE-2026-45498 patch bypass: FILE_SHARE_READ locks Defender signatures |
discord |
Discord Desktop RCE attack paths |
wazuh |
Wazuh stack BOF + SCA DoS |
nextcloud |
XXE file read/SSRF + SSRF protection bypass |
n8n-ssrf-via-oauth2 |
SSRF via OAuth2 callback in n8n |
fluentbit-infinite-dos |
Fluent Bit collectd parser unauth DoS loop |
librenms-RCE-chain |
LibreNMS SSTI to RCE chain |
overwolf-updater-lpe-poc |
Overwolf Updater forged Authenticode cert + insecure service DACL → SYSTEM LPE |
spacedesk-service-lpe-poc |
spacedesk service Everyone full-control DACL → SYSTEM in 3 commands |
woodpecker-yaml-cr-injection |
Woodpecker CI pipeline RCE via \r YAML injection bypass |
retroarch-chd-map-heap-overflow |
RetroArch libchdr integer overflow → heap OOB write on 32-bit |
defender-ntlm-coercion-poc |
Windows Defender NTLM coercion: standard user forces SYSTEM credential leak via UNC scan |
| Folder | Source | Tracked entries |
|---|---|---|
7zip-rar5-motw-chain-poc |
bd9533f532c1e4ee6af783b9bb49d1133c600e2c |
3 |
anydesk-printer-com-impersonation-poc |
7491303301093b2d40bee9dadf6b38f757ce78e0 |
4 |
c-ares-tcp-uaf-calc-poc |
direct entry, June 24, 2026 | 7 |
curl-smtp-expn-recipient-crlf-injection |
direct entry, July 1, 2026 | 3 |
defender-ntlm-coercion-poc |
direct entry, July 6, 2026 | 3 |
discourse-scoped-api-key-preauth-bypass |
direct entry, July 3, 2026 | 3 |
docker-cp-copyout-destination-escape |
d1367b1381736d7f961ac808ce88d4e24a633adc |
5 |
firefox-smartwindow-private-url-exfil-poc |
direct entry, June 24, 2026 | 3 |
floci-apigateway-vtl-rce-poc |
direct entry, June 23, 2026 | 3 |
flowise-mcp-env-case-bypass-poc |
ed9fab0086674f1b16467990b33bb9299e93429e |
3 |
ffmpeg-rasc-dlta-calc-poc |
direct entry, June 26, 2026 | 7 |
ghidra-12.1.2-rce-ace-calc-poc |
52dee6362990c03c0d753d074c85428824d46368 |
9 |
gitea-act-runner-container-options-poc |
f06d78fb111732f3e7737f4c07e77ef94c4b64bf |
4 |
gogs-admin-csrf-git-hook-rce-poc |
direct entry, July 1, 2026 | 3 |
imagemagick-gs-delegate-hijack-poc |
8140e8ee0ed78beaf5e8303a795b70b138f5891b |
5 |
ladybird-wasm-esm-host-function-rce-poc |
direct entry, July 1, 2026 | 2 |
libarchive-zip-debuginfod-size-boundary |
direct entry, July 1, 2026 | 6 |
libssh2-cve-2026-55200-poc |
direct entry, June 23, 2026 | 3 |
libssh2-publickey-list-calc-poc |
direct entry, June 25, 2026 | 10 |
lunar-modrinth-chain-poc |
ffd02120708b6503f11585858ce3724872f3b7a7 |
6 |
mybb-limited-acp-to-admin |
1610e0373943c2f6562a99f917d3a3d1fdd9056d |
5 |
nextcloud-federated-share-bearer-token-poc |
direct entry, July 3, 2026 | 3 |
nextjs-unstable-cache-object-argument-collision |
direct entry, July 1, 2026 | 3 |
nodebb-activitypub-attributedto-local-uid-spoof-poc |
direct entry, July 1, 2026 | 3 |
nghttp2-nghttpx-upgrade-queue-poison-poc |
direct entry, June 26, 2026 | 3 |
nmap-ipv6-extlen-wrap-poc |
direct entry, June 23, 2026 | 4 |
objdump-dlx-calc-poc |
7df01e4e20c7375a89e8ccf760526c52eb6ad582 |
41 |
openvpn-connect-echo-script-ace-poc |
d2f904d9272d4388c9862131d40e32e072e85e38 |
8 |
php857-streambucket-soap-rce-rpoc |
direct entry, June 26, 2026 | 6 |
pillow-imagecms-output-mode-oob-poc |
direct entry, July 1, 2026 | 3 |
postgres-ri-owner-switched-cast-poc |
direct entry, July 4, 2026 | 3 |
qemu-cxl-type3-mailbox-escape-poc |
direct entry, July 1, 2026 | 7 |
redis-vset-duplicate-hnsw-id-rce-poc |
direct entry, July 3, 2026 | 3 |
rustdesk-session-permission-pocs |
direct entry, June 25, 2026 | 17 |
systeminformer-phsvc-trusted-host-lpe-poc |
direct entry, June 24, 2026 | 3 |
vlc-vp9-reschange-crash-poc |
fae72b82f24d03cf2fb9cb55fbb2e7774f684ff3 |
3 |
This section applies to the former standalone repositories listed above by commit hash.
The consolidation was checked from fresh GitHub clones on June 23, 2026 before the old standalone repos were removed.
The check compared each former standalone repo's HEAD tree against the matching folder here using Git tree data rather than a loose filesystem diff. For every tracked entry, the check required:
- the same relative path;
- the same Git object type;
- the same tree mode, including executable bits;
- the same Git blob ID.
Matching Git blob IDs means the tracked file bytes are identical. The check covered 12 repos and 96 tracked entries with zero mismatches.
This repository preserves the contents of those PoCs. Repository-level metadata such as stars, issues, pull requests, releases, and separate Git history remain in the original repository histories.
Direct entries, including c-ares-tcp-uaf-calc-poc, curl-smtp-expn-recipient-crlf-injection, discourse-scoped-api-key-preauth-bypass, ffmpeg-rasc-dlta-calc-poc, firefox-smartwindow-private-url-exfil-poc, floci-apigateway-vtl-rce-poc, gogs-admin-csrf-git-hook-rce-poc, ladybird-wasm-esm-host-function-rce-poc, libarchive-zip-debuginfod-size-boundary, libssh2-cve-2026-55200-poc, libssh2-publickey-list-calc-poc, nextcloud-federated-share-bearer-token-poc, nextjs-unstable-cache-object-argument-collision, nodebb-activitypub-attributedto-local-uid-spoof-poc, nghttp2-nghttpx-upgrade-queue-poison-poc, nmap-ipv6-extlen-wrap-poc, php857-streambucket-soap-rce-rpoc, pillow-imagecms-output-mode-oob-poc, postgres-ri-owner-switched-cast-poc, qemu-cxl-type3-mailbox-escape-poc, redis-vset-duplicate-hnsw-id-rce-poc, rustdesk-session-permission-pocs, and systeminformer-phsvc-trusted-host-lpe-poc, are tracked by this repository's commit history.
Do NOT, under any circumstances, use any material in this repository maliciously. This is good-faith, open-disclosure vulnerability research intended to get more people interested in exploring this area of cybersecurity.
Cybercrime is cringe.