Home | b4r

b4r

/ˈbar/ • nouns

Security Researcher and CTF Player with @Try4gain. Mostly into IDA reverse engineering, Wireshark forensics, curl web exploitation, and linux.

Besides security shit, I enjoy playing a pixel art games and watching anime.

Latest posts

an idor in openproject through meeting agenda items

cve-2026-49355 exposed private work package data through the single meeting agenda item api in openproject

b b4r
June 8, 2026
3 min read

vulnerability cve web exploitation idor
two quiet wallos bugs that still became CVEs

cve-2026-50198 and cve-2026-50199 in wallos were both small authenticated trust bugs, but both still crossed user boundaries in ways they should not have

b b4r
June 5, 2026
4 min read

vulnerability cve web exploitation
a neat little cve in filament

cve-2026-48067 came from a scope mismatch in filament AttachAction and AssociateAction

b b4r
May 25, 2026
2 min read

vulnerability cve web exploitation laravel
cross-tenant credential disclosure in itflow

cve-2026-47755 let a low-privileged authenticated user pull another client credentials and totp secrets in itflow

b b4r
May 25, 2026
3 min read

vulnerability cve web exploitation idor
six cves in one open-source e-commerce project

how i reported six shopper cves spanning authorization bypass, privilege escalation, race conditions, idor, and xss

b b4r
May 22, 2026
4 min read

vulnerability advisory cve web exploitation laravel
my first CVE, CVE-2026-44692

authenticated sharp users could download unrelated laravel storage objects through the generic download endpoint

b b4r
May 8, 2026
7 min read

vulnerability cve web exploitation laravel

See all posts →