About Me
$ whoami
I'm Yunus, a security researcher exploring the latest in cybersecurity, software development, and open-source technologies. I enjoy sharing knowledge, discovering vulnerabilities, and contributing to the security community through talks and projects.
I've presented my research at cybersecurity conferences including Black Hat SecTor, BSidesBCN, and IWCON. This blog contains write-ups on my research and the vulnerabilities I've discovered.
Certifications: AWS Cloud Practitioner | eWPTXv2 | eMAPT
My Passions
I'm most passionate about researching security vulnerabilities in open-source software and CI/CD systems. I focus on finding and responsibly disclosing security issues that impact developers and the software supply chain.
My Background
I started in cybersecurity focusing on vulnerability research and responsible disclosure. I've discovered and reported multiple CVEs in popular open-source projects.
Achievements & Recognition
- Microsoft Hall of Fame (x2) - Recognized for responsible vulnerability disclosure
- Google Bug Hunter Program - Honorable Mention
- Red Hat - Vulnerability acknowledgement
- STMCTF 6th Place - Turkey's longest-running CTF competition; team OutLawz finished 6th among 50 teams and 200 competitors (2022)
- Turkcell UniBounty 1st Place - First place in university bug bounty competition (2022)
- Siemens Hall of Fame - Acknowledged for security research contributions
- Harvard University - Thank You Letter for responsible disclosure
- Twente University Hall of Fame - Recognized for coordinated vulnerability disclosure
- AVL Hall of Fame - Acknowledged for responsible vulnerability reporting
- BASF Hall of Fame - Recognized for security research
- Deutsche Telekom Hall of Fame - Acknowledged for security contributions
- Honeywell Hall of Fame - Recognized for product security research
- osTicket - Stored XSS vulnerability discovery and responsible disclosure
- T-Mobile Hall of Fame - Acknowledged for bug bounty contributions
- Utrecht University Hall of Fame - Recognized for responsible disclosure
CVEs Discovered
- CVE-2026-21883 - Bokeh server Cross-Site WebSocket Hijacking (CSWSH) vulnerability due to incomplete origin validation in match_host function
- CVE-2026-22787 - html2pdf.js Cross-Site Scripting (XSS) vulnerability due to unsanitized user input in innerHTML (High)
- CVE-2026-0562
- CVE-2026-0560
- CVE-2026-0558
- CVE-2025-3777 - Hugging Face Transformers improper input validation vulnerability in image_utils.py allows URL username injection bypass (Low)
- CVE-2025-66019 - pypdf's LZWDecode streams can be manipulated to exhaust RAM (Moderate)
- CVE-2025-69660
- CVE-2025-69661
- CVE-2025-69662
- CVE-2024-54000 - MobSF vulnerability allows SSRF due to the allow_redirects=True parameter (High)
- CVE-2024-29409 - nest allows a remote attacker to execute arbitrary code via the Content-Type header (Moderate)
- CVE-2024-27763 - XPixelGroup BasicSR Command Injection (Moderate)
- GHSA-w228-rfpx-fhm4 - cg vulnerable to an Open Redirect Vulnerability on Referer Header (Moderate)
- CVE-2024-29190 - SSRF Vulnerability on assetlinks_check(act_name, well_knowns) in mobsfscan (High)
- CVE-2024-32356
- CVE-2024-32357
- CVE-2024-28607
- CVE-2024-28608
- CVE-2015-5521 - Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the name in a new group to backend/groups/index.php