  1. Tags
  2. research
  • SupaPwn: Hacking Our Way into Lovable's Office and Helping Secure Supabase

    We hacked our way into Lovable's office by demoing SupaPwn — a chain that could potentially enable region-wide tenant takeover: event-trigger privilege window, DB superuser, host RCE, SUID escalation, exposed configs, orchestration takeover

    s1r1us, rootxharsh, zayne, liveoverflow ・ November 17, 2025
    Tags: research
  • Introducing Hacktron AI: An autonomous penetration test of Gumroad

    At Hacktron, we're building collaborative AI agents that act as autonomous security researchers. Learn more about our approach and our AI-driven pentest on Gumroad.

    zayne, s1r1us ・ August 14, 2025
    Tags: research, essay
  • Executing arbitrary Python code from a comment

    How a Python comment can turn a file into a ZIP polyglot, tricking the interpreter into running code. Insights from a UIUCTF 2025 challenge and Python's ZIP parsing quirks.

    zayne ・ July 28, 2025
    Tags: research
  • Hacktron finds pre-auth RCE in Dassault Delmia Apriso

    For years, this vulnerability hid in plain sight — missed by multiple audits and even used in production by Apple. In just ten minutes, Hacktron exposed a full pre-auth RCE path.

    rootxharsh ・ June 3, 2025
    Tags: research
  • Hacktron finds another pre-auth RCE variant in Ivanti EPMM

    Hacktron AI uncovers a new pre-authenticated RCE variant in Ivanti EPMM by identifying a fresh EL injection sink.

    rootxharsh ・ May 16, 2025
    Tags: research
  • CVE-2022-23597: Remote code execution on Element Desktop

    We achieved full RCE on Element Desktop by chaining iframe injection, Electron misconfigs, and a V8 exploit to bypass sandboxing and access Node.js APIs from a subframe.

    s1r1us, TheGrandPew ・ August 13, 2022
    Tags: research, electrovolt
  • Remote code execution on Discord Desktop

    How a chain of XSS, CSP bypass, and Electron misconfigs led to full remote code execution on Discord Desktop. We walk through the technical details, steps, and lessons learned.

    s1r1us ・ July 29, 2022
    Tags: research, electrovolt
  • CVE-2021-43908: Remote code execution in VSCode restricted mode

    How we achieved remote code execution in Visual Studio Code's Restricted Mode by chaining origin leaks, CSP bypasses, and webview message handler flaws.

    s1r1us, TheGrandPew ・ June 29, 2022
    Tags: research, electrovolt
