About Me


0x4141414141414141

Offensive security researcher focused on web and browser exploitation. Passionate about uncovering, reproducing, and tinkering with intricate bugs in high-impact, widely used software.

Security Advisories

Bounties

Co-reported 4 critical bugs
  • Account takeover via XSS in a multi-million-user website, reported through a private program ($4,500 bounty).
  • Web2/XSS in require_payment function in x402.fastapi.middleware Python package can lead to ATO or funds stealing in github.com/coinbase/x402 ($2,000 bounty).
  • Web2/XSS in the basic HTML paywall in @x402/express, @x402/hono, @x402/next packages can lead to ATO or Funds Stealing in github.com/coinbase/x402 ($200; severity dispute).
  • NULL pointer dereference in a blockchain library allowing full denial of service, reported through a private program ($400; scope dispute).

CTF Experience (Awards)

  • Cyber Odyssey 2024: Secured first place in Cyber Odyssey 2024, the biggest CTF competition in Morocco, winning a total of 80,000 DH with my team FC2MK, focused on Web challenges.
  • MCSC National CTF 2024: Secured second place with my team FC2MK, winning a total of 10,000 DH, focused on Web challenges.
  • NULL Hat Morocco 2025: Secured second place with my team FC2MK, focusing on Web challenges.
  • The International Days of Ethical Hacking (IDEH) v7 CTF: Secured third place with my team FC2MK, winning a total of 3,000 DH, focusing on Web challenges.

N.B.

All external resources mentioned in all of my writings are included solely for their technical content; the views, backgrounds, or actions of the creators do not reflect my endorsement.

Public PGP key
