cve-2026-48067 came from a scope mismatch in filament AttachAction and AssociateAction
cve-2026-47755 let a low-privileged authenticated user pull another client credentials and totp secrets in itflow
how i reported six shopper cves spanning authorization bypass, privilege escalation, race conditions, idor, and xss