This page catalogs the vulnerabilities I have discovered, with links to the write-ups that detail each weakness, its impact, and its remediation.
| CVE ID | Vulnerability Title | Severity (CVSS base score) | Published | Write-Up |
|---|---|---|---|---|
| CVE-2025-63918 | wmjordan PDFPatcher <= 1.1.3.4663 Directory Traversal in Image Export Functionality | 6.2 | Nov 17, 2025 | Read the full write-up |
| CVE-2025-63917 | wmjordan PDFPatcher <= 1.1.3.4663 XML External Entity (XXE) Injection | 7.1 | Nov 17, 2025 | Read the full write-up |
| CVE-2025-63916 | luotengyuan MyScreenTools <= 2.2.1.0 OS Command Injection in GIF Compression Tool | 8.1 | Nov 17, 2025 | Read the full write-up |
| N.A. | Microsoft 365 Copilot For Work: Image Data Exfiltration From SharePoint | Low | Mar 22, 2025 | Read the full write-up |
| CVE-2025-1548 | iteachyou Dreamer CMS(梦想家 CMS 内容管理系统)4.1.3 Remote File Inclusion | 5.1 | Feb 21, 2025 | Read the full write-up |
| CVE-2025-1543 | iteachyou Dreamer CMS(梦想家 CMS 内容管理系统)4.1.3 Path Traversal | 5.3 | Feb 21, 2025 | Read the full write-up |
| CVE-2025-1084 | Mindskip xzs-mysql (武汉思维跳跃科技有限公司 - 学之思开源考试系统) 3.9.0 Cross-Site Request Forgery (CSRF) | 3.9 | Feb 6, 2025 | Read the full write-up |
| CVE-2025-1083 | Mindskip xzs-mysql (武汉思维跳跃科技有限公司 - 学之思开源考试系统) 3.9.0 CORS Misconfiguration | 2.8 | Feb 6, 2025 | Read the full write-up |
| CVE-2025-1082 | Mindskip xzs-mysql (武汉思维跳跃科技有限公司 - 学之思开源考试系统) 3.9.0 Stored Cross Site Scripting (XSS) | 3.5 | Feb 6, 2025 | Read the full write-up |
| CVE-2024-13199 | Mtons mblog 3.5.0 Search Function Reflected Cross Site Scripting (XSS) | 3.2 | Jan 8, 2025 | Read the full write-up |
| CVE-2024-13198 | Mtons mblog 3.5.0 Login Observable Response Discrepancy | 3.4 | Jan 8, 2025 | Read the full write-up |
| CVE-2024-13032 | Antabot White-Jotter 0.2.2 Server-Side Request Forgery (SSRF) | 5.1 | Dec 29, 2024 | Read the full write-up |
| CVE-2024-13031 | Antabot White-Jotter 0.2.2 Reflected Cross-Site Scripting (XSS) | 5.1 | Dec 29, 2024 | Read the full write-up |
| CVE-2024-13029 | Antabot White-Jotter 0.2.2 Server-Side Request Forgery (SSRF) | 5.3 | Dec 29, 2024 | Read the full write-up |
| CVE-2024-13028 | Antabot White-Jotter 0.2.2 Observable Response Discrepancy | 6.3 | Dec 29, 2024 | Read the full write-up |
| CVE-2024-12995 | Ruifang-Tech (上海锐昉科技有限公司) Rebuild 3.8.6 Stored Cross Site Scripting (XSS) | 5.3 | Dec 27, 2024 | Read the full write-up |
| CVE-2024-12990 | Ruifang-Tech (上海锐昉科技有限公司) Rebuild 3.8.6 Open Redirect | 5.3 | Dec 27, 2024 | Read the full write-up |
| CVE-2024-55452 | Dromara UJCMS <= 9.6.3 Arbitrary URL Redirection Via Block Item Upload | 5.4 | Dec 17, 2024 | Read the full write-up |
| CVE-2024-55451 | Dromara UJCMS <= 9.6.3 Authenticated SVG-based Stored Cross Site Scripting (XSS) | 4.8 | Dec 17, 2024 | Read the full write-up |
| CVE-2024-12665 | Ruifang-Tech (上海锐昉科技有限公司) Rebuild 3.8.5 Task Comment Attachment Upload Stored Cross Site Scripting (XSS) | 3.5 | Dec 16, 2024 | Read the full write-up |
| CVE-2024-12664 | Ruifang-Tech (上海锐昉科技有限公司) Rebuild 3.8.5 Project Task Comment Stored Cross Site Scripting (XSS) | 3.5 | Dec 16, 2024 | Read the full write-up |
| CVE-2024-12663 | FunnyZPC mee-admin 1.6 Login Username Observable Response Discrepancy | 3.7 | Dec 16, 2024 | Read the full write-up |
| CVE-2024-12483 | Dromara UJCMS <= 9.6.3 User ID /users/id Insecure Direct Object Reference (IDOR) | 3.7 | Dec 11, 2024 | Read the full write-up |
I extend my gratitude to the vendors and security teams who cooperated during the responsible disclosure process. Your dedication to improving application security is invaluable.