{"id":22799790,"url":"https://github.com/chocapikk/chocapikk","last_synced_at":"2026-03-19T23:43:16.751Z","repository":{"id":209117253,"uuid":"718050578","full_name":"Chocapikk/Chocapikk","owner":"Chocapikk","description":null,"archived":false,"fork":false,"pushed_at":"2025-09-24T14:25:22.000Z","size":670,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-09-24T16:29:20.307Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Chocapikk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-11-13T09:17:02.000Z","updated_at":"2025-09-24T14:25:26.000Z","dependencies_parsed_at":"2024-03-17T07:27:18.972Z","dependency_job_id":"94b811f8-f2d0-44df-b9b5-dd346ee70fa8","html_url":"https://github.com/Chocapikk/Chocapikk","commit_stats":null,"previous_names":["chocapikk/chocapikk"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Chocapikk/Chocapikk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FChocapikk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FChocapikk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FChocapikk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FChocapikk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Chocapikk","download_url":"https://codeload.github.com/Chocapikk/Chocapikk/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FChocapikk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279116226,"owners_count":26107197,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-15T02:00:07.814Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-12T07:09:58.435Z","updated_at":"2026-03-19T23:43:16.743Z","avatar_url":"https://github.com/Chocapikk.png","language":null,"funding_links":["https://ko-fi.com/Chocapikk"],"categories":[],"sub_categories":[],"readme":"# Valentin Lobstein\n\n**Security Researcher \u0026 Exploit Developer**\n\n[Blog](https://chocapikk.com) · [Twitter](https://twitter.com/Chocapikk_) · [LinkedIn](https://www.linkedin.com/in/valentin-l1337/) · [Ko-fi](https://ko-fi.com/Chocapikk)\n\n---\n\n### Highlights\n\n- **CVE-2025-2611** - ICTBroadcast unauth RCE via cookie injection - **Added to VulnCheck KEV** ([writeup](https://github.com/Chocapikk/CVE-2025-2611) · [KEV](https://www.vulncheck.com/blog/ictbroadcast-kev))\n- **CVE-2025-34147 to 34152** - 6 unauth command injections in Aitemi M300 WiFi Repeater - **Referenced by CERT-FR** ([writeup](https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root/) · [CERT-FR](https://www.cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-052/))\n- **CVE-2026-28515 to 28517** - 3 chained vulns in openDCIM: missing auth + SQLi + command injection = unauth RCE ([writeup](https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/))\n- **CVE-2026-27174 to 27181** - 8 vulns in MajorDoMo: 3 critical RCE, SQLi, 3 XSS ([writeup](https://chocapikk.com/posts/2026/majordomo-revisited/))\n- **CVE-2024-22899 to 22903** - Exploit chain in Vinchin Backup \u0026 Recovery ([exploit](https://github.com/Chocapikk/CVE-2024-22899-to-22903-ExploitChain))\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eAll CVEs\u003c/b\u003e\u003c/summary\u003e\n\n| CVE | Description | Links |\n|-----|-------------|-------|\n| CVE-2026-28515 to CVE-2026-28517 | 3 chained vulns in openDCIM: unauth RCE on Docker | [Blog](https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/) · [Exploit](https://github.com/Chocapikk/opendcim-exploit) |\n| CVE-2026-27743 to CVE-2026-27747 | 5 vulns in SPIP plugins: 2 SQLi, 2 RCE, 1 XSS | [Blog](https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/) |\n| CVE-2026-27174 to CVE-2026-27181 | 8 vulns in MajorDoMo: 3 RCE, SQLi, 3 XSS | [Blog](https://chocapikk.com/posts/2026/majordomo-revisited/) |\n| CVE-2026-26220 | Unauth RCE via Pickle in LightLLM | [Blog](https://chocapikk.com/posts/2026/lightllm-pickle-rce/) |\n| CVE-2026-26215 | Unauth RCE via Pickle in manga-image-translator | [Blog](https://chocapikk.com/posts/2026/manga-image-translator-pickle-rce/) · [VulnCheck](https://www.vulncheck.com/advisories/manga-image-translator-shared-api-unsafe-deserialization-rce) |\n| CVE-2025-34433, CVE-2025-34441, CVE-2025-34442 | Unauth RCE chain in AVideo | [Blog](https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/) · [VulnCheck](https://www.vulncheck.com/advisories/avideo-unauthenticated-rce-via-predictable-installation-salt) |\n| CVE-2025-34452 | Path Traversal + SSRF in Streama | [Blog](https://chocapikk.com/posts/2025/streama-path-traversal-ssrf/) · [VulnCheck](https://www.vulncheck.com/advisories/streama-subtitle-download-path-traversal-and-ssrf-leading-to-arbitrary-file-write) |\n| CVE-2025-34147 to CVE-2025-34152 | 6 unauth command injections in Aitemi M300 - **CERT-FR** | [Part 1](https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root/) · [Part 2](https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/) · [CERT-FR](https://www.cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-052/) |\n| CVE-2025-30007 \u0026 CVE-2025-30008 | Unauth XSS in Vembu BDRSuite | [Blog](https://chocapikk.com/posts/2025/bdrsuite/) |\n| CVE-2025-2611 | ICTBroadcast unauth RCE - **VulnCheck KEV** | [GitHub](https://github.com/Chocapikk/CVE-2025-2611) · [VulnCheck KEV](https://www.vulncheck.com/blog/ictbroadcast-kev) |\n| CVE-2025-2609 \u0026 CVE-2025-2610 | Stored XSS in MagnusBilling | [Blog](https://chocapikk.com/posts/2025/magnusbilling) · [VulnCheck](https://vulncheck.com/advisories/magnusbilling-logs-xss) |\n| CVE-2025-2292, CVE-2025-30004 to CVE-2025-30006 | Auth vulns in Xorcom CompletePBX | [VulnCheck](https://vulncheck.com/advisories/completepbx-file-disclosure) |\n| CVE-2024-31819 | Unauth RCE in AVideo | [GitHub](https://github.com/Chocapikk/CVE-2024-31819) |\n| CVE-2024-35373 \u0026 CVE-2024-35374 | 2 unauth RCE in Mocodo | [Blog](https://chocapikk.com/posts/2024/mocodo-vulnerabilities/) |\n| CVE-2024-30920 to CVE-2024-30929, CVE-2024-31818 | Research in DerbyNet | [GitHub](https://github.com/Chocapikk/derbynet-research) |\n| CVE-2024-22899 to CVE-2024-22903, CVE-2024-25228 | Exploit chain in Vinchin Backup \u0026 Recovery | [GitHub](https://github.com/Chocapikk/CVE-2024-22899-to-22903-ExploitChain) |\n| CVE-2024-3032 | Themify Builder Open Redirect | [WPScan](https://wpscan.com/vulnerability/d130a60c-c36b-4994-9b0e-e52f7f99387/) |\n| CVE-2023-50917 | RCE in MajorDoMo | [GitHub](https://github.com/Chocapikk/CVE-2023-50917) |\n\n\u003c/details\u003e\n\n---\n\n### Tools\n\n- [**pik**](https://github.com/Chocapikk/pik) - Exploit framework \u0026 SDK for Go\n- [**wpprobe**](https://github.com/Chocapikk/wpprobe) - Fast WordPress plugin enumeration (800+ stars, in Kali Linux)\n- [**LFIHunt**](https://github.com/Chocapikk/LFIHunt) - Scan \u0026 exploit Local File Inclusion\n- [**msf-exploit-collection**](https://github.com/Chocapikk/msf-exploit-collection) - All my Metasploit modules in one place\n\n---\n\n### Hall of Fame\n\n[Ferrari](https://www.ferrari.com/fr-FR/hall-of-fame-responsible-disclosure-programme) · [Siemens](https://www.siemens.com/global/en/products/services/cert/hall-of-thanks.html) · [Philips](https://www.philips.com/a-w/security/coordinated-vulnerability-disclosure/hall-of-honors.html) · [Wikimedia](https://security.wikimedia.org/hall-of-fame/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchocapikk%2Fchocapikk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchocapikk%2Fchocapikk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchocapikk%2Fchocapikk/lists"}