Writeups

Security vulnerability writeups and research.

high / h3 /

One Uppercase Letter Breaks Every Nuxt App

h3 powers every Nuxt app but only recognized 'chunked' in lowercase. Send 'ChunKed' instead and you get request smuggling.

critical / Tolgee /

Reading /etc/passwd via Translation Upload in Tolgee

Tolgee's XML translation importers ship with zero security config. Upload a crafted file, read anything from the server. Confirmed on their cloud platform.