Exploits


This page contains a list of zero-day exploits identified and published by me, either alone or together with members of my team.

All exploits listed here were unidentified prior to publication. This is not a list of ALL of the exploits that I have found over the years; it is merely a list of the ones that I opted to make public. All findings here were responsibly disclosed to the affected software vendors prior to publication.


  • PixWeaver – SQL Injection affecting various Crimestoppers factions and hundreds of universities.
  • uc-httpd Security Cameras – Local File Disclosure + Buffer Overflows.
  • Adobe Illustrator – Cross Site Flashing.
  • Camtasia Studio – Cross Site Flashing.
  • Pulse Secure Connect VPN – XSS + CSRF.
  • Simple Machines Forum – Multiple critical vulnerabilities.
  • XenForo – “true persistence” XSS and Authentication Bypass.
  • Invision Power Board – Multiple Vulnerabilities.
  • phpBB – Multiple Vulnerabilities.
  • MyBB – Multiple Vulnerabilities.
  • phpMyDomo Smart Home control panel – Multiple Vulnerabilities.
  • Discord – app-level DoS.
  • Electron – 1-click RCE via URI Scheme Abuse.
  • SOLEO IPRelay – Local File Disclosure.
  • PhpGroupWare Headlines Admin – SQL Injection.
  • osCommerce TemplateMonster – SQL Injection.
  • Concrete5 CMS – App-level DoS via CSRF.
  • X-Cart – RCE via PHP Code Injection.
  • OpenCMS Alkacon Enterprise – Cross Site Scripting.
  • LiveChatInc – Information Disclosure.
  • TouchCommerce – Information Disclosure.
  • mTopSoft HTML Password Lock – Cryptographic Bypass to leak passwords.
  • Mozilla Firefox – Address Bar Spoofing via Punycode Bypass.
  • WebKit + Blink – frame restrictions bypass.
  • FlashValley News Ticker – Cross Site Flashing.
  • OpenMRS – XXE Injection.