CVEs
| CVE | Target | Vulnerability |
|---|---|---|
| CVE-2026-XXXXX | Web Application | Session Logic Flaw |
| CVE-2026-XXXXX | Web Application | IDOR via Exposed API Docs |
| CVE-2026-28425 | Statamic CMS | RCE via Antlers-enabled Control Panel Inputs |
| CVE-2026-25759 | Statamic CMS | Privilege Escalation via Stored Cross-Site Scripting |
| CVE-2026-25633 | Statamic CMS | Missing Authorization Allows Access to Assets |
| CVE-2026-27593 | Statamic CMS | Account Takeover via Password Reset Link Injection |
| CVE-2026-XXXXX | Ghost CMS | Stored XSS in Embed Cards Leading to Owner Takeover |
| CVE-2026-31825 | Sylius | DQL Injection via API Order Filters |
| CVE-2026-31857 | Craft CMS | RCE via Relational Conditionals in the Control Panel |
| CVE-2026-31858 | Craft CMS | Blind SQL Injection via ElementSearchController |
| CVE-2026-32261 | Craft CMS (Webhooks) | RCE via Server-Side Template Injection |
| CVE-2026-32265 | Craft CMS (AWS S3) | Information Disclosure via BucketsController |
| CVE-2026-XXXXX | Craft CMS | Privilege Escalation via Stored XSS in Revision Context Menu |
| CVE-2026-32268 | Craft CMS (Azure Blob) | Information Disclosure via ContainerData Endpoint |
Vulnerability Disclosure Policy
This policy outlines my approach to vulnerability disclosure, providing a timeline for vendors to respond and remediate.
Upon identifying and reporting a vulnerability to a vendor, I start a 45-day countdown from the date of the initial report for the vendor to develop and release a patch addressing the issue.
If the vendor patches the vulnerability within the 45-day window, I publicly disclose the vulnerability 30 days after the patch is released. This gap gives users time to apply the patch before the vulnerability details become public.
If the vendor does not patch the vulnerability within the initial 45-day window, I proceed with public disclosure on day 45.
Examples
- If a vendor issues a patch 35 days after the initial report, public disclosure is scheduled for day 65 (35 + 30).
- If no patch has been released 45 days after the initial report, public disclosure occurs on day 45.
Accelerated Disclosure
I reserve the right to publicly disclose ahead of schedule in exceptional circumstances, such as evidence of active exploitation or the availability of a public exploit. Such disclosures aim to give the community the information it needs to mitigate risk.