About Me
$ whoami
I'm Yunus, a security researcher exploring the latest in cybersecurity, software development, and open-source technologies. I enjoy sharing knowledge, discovering vulnerabilities, and contributing to the security community through talks and projects.
I've had the fortune to present some of my research at well-known cybersecurity conferences such as Black Hat Sector, BSidesBCN, and IWCON. In this blog, you'll find write-ups on the research I've done and vulnerabilities I've discovered along the way.
Certifications: AWS Cloud Practitioner | eWAPTXv2 | EMAPT
My Passions
I'm most passionate about researching security vulnerabilities in open-source software and CI/CD systems. I focus on finding and responsibly disclosing security issues that impact developers and the software supply chain.
My Background
I started my journey in cybersecurity with a focus on vulnerability research and responsible disclosure. I've discovered and reported multiple CVEs in popular open-source projects, helping improve the security posture of the software ecosystem.
Achievements & Recognition
- Microsoft Hall of Fame (x2) - Recognized for responsible vulnerability disclosure
- Google Bug Hunter Program - Honorable Mention
- STMCTF 6th Place - Turkey's longest-running CTF competition; team OutLawz finished 6th among 200 competitors and 50 teams (2022)
- Turkcell UniBounty 1st Place - First place in university bug bounty competition (2022)
- Siemens Hall of Fame - Acknowledged for security research contributions
- Harvard University - Thank You Letter for responsible disclosure
- Twente University Hall of Fame - Recognized for coordinated vulnerability disclosure
- AVL Hall of Fame - Acknowledged for responsible vulnerability reporting
- BASF Hall of Fame - Recognized for security research
- Deutsche Telekom Hall of Fame - Acknowledged for security contributions
- Honeywell Hall of Fame - Recognized for product security research
- osTicket - Stored XSS vulnerability discovery and responsible disclosure
- T-Mobile Hall of Fame - Acknowledged for bug bounty contributions
- Utrecht University Hall of Fame - Recognized for responsible disclosure
CVEs Discovered
- CVE-2025-3777 - Hugging Face Transformers improper input validation vulnerability in image_utils.py allows URL username injection bypass (Low)
- CVE-2025-66019 - pypdf's LZWDecode streams can be manipulated to exhaust RAM (Moderate)
- CVE-2024-54000 - MobSF vulnerability allows SSRF due to the allow_redirects=True parameter (High)
- CVE-2024-29409 - nest allows a remote attacker to execute arbitrary code via the Content-Type header (Moderate)
- CVE-2024-27763 - XPixelGroup BasicSR Command Injection (Moderate)
- GHSA-w228-rfpx-fhm4 - cg vulnerable to an Open Redirect Vulnerability on Referer Header (Moderate)
- CVE-2024-29190 - SSRF Vulnerability on assetlinks_check(act_name, well_knowns) in mobsfscan (High)
- CVE-2015-5521 - Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the name in a new group to backend/groups/index.php