snailsploit[$]
cves disclosed · 2025–2026
23 published · MITRE/NVD · plus one vendor-side TelSender removal
updated 2026.05

23 cves disclosed.

The full disclosure ledger, grouped by ecosystem: container & cluster infrastructure, Apache Software Foundation projects, cross-language OSS, and the WordPress plugin ecosystem. Within each group, entries are ordered by CVSS base score, so critical and high severity findings come first. Every entry is the result of a coordinated disclosure with the upstream maintainers.

01 · ledger · 23
Coordinated disclosure with each upstream, with embargoes respected. References (advisory, fix commit, writeup) are linked from each NVD record.

full ledger.

CVE              component                               issue                                              CVSS base  severity

container & cluster infrastructure · 1 cve
CVE-2026-3288    Kubernetes ingress-nginx                Config injection → RCE                             8.8        high

apache foundation · 2 cves
CVE-2026-30911   Apache Airflow Core                     Missing authentication                             8.1        high
CVE-2026-32794   Apache Airflow (Databricks provider)    TLS verification bypass                            4.8        med

cross-language oss · 5 cves
CVE-2026-43884   WWBN/AVideo · PHP                       SSRF — HTTP redirect & DNS rebinding bypass        7.7        high
CVE-2026-31899   CairoSVG · Python                       Exponential DoS — recursive amplification          7.5        high
CVE-2026-32809   ouch-org/ouch · Rust                    Symlink escape — arbitrary file overwrite          7.4        high
CVE-2026-33693   activitypub-federation-rust · Rust      SSRF — 0.0.0.0 bypass in fediverse federation      6.5        med
CVE-2026-32885   ddev/ddev · Go                          ZipSlip — path traversal in archive extraction     6.5        med

wordpress plugin ecosystem · 15 cves
CVE-2026-3596    Riaxe Product Customizer                Privilege escalation                               9.8        crit
CVE-2026-1313    MimeTypes Link Icons                    SSRF                                               8.3        high
CVE-2026-3599    Riaxe Product Customizer                SQL injection                                      7.5        high
CVE-2025-9776    CatFolders                              SQL injection via CSV import                       6.5        med
CVE-2025-12163   OmniPress                               Stored XSS                                         6.4        med
CVE-2026-2717    HTTP Headers                            CRLF injection                                     5.5        med
CVE-2026-0811    Advanced CF7 DB                         CSRF                                               5.4        med
CVE-2026-1314    3D FlipBook                             Missing authentication                             5.3        med
CVE-2026-3594    Riaxe Product Customizer                Information disclosure                             5.3        med
CVE-2026-3595    Riaxe Product Customizer                Unauthenticated user deletion                      5.3        med
CVE-2025-11171   Chartify                                Missing authentication                             5.3        med
CVE-2025-11174   Document Library Lite                   Unauthenticated information disclosure             5.3        med
CVE-2026-0814    Advanced CF7 DB                         Missing authentication                             4.3        med
CVE-2025-12030   ACF to REST API                         IDOR                                               4.3        med
CVE-2026-1208    Welcart Friendly Functions              CSRF → settings update                             4.3        med
Plus, not counted among the 23: TelSender, a stored XSS that resulted in the plugin being removed on the vendor side rather than patched.
Detail pages for individual CVEs are intentionally not built — the NVD record is canonical, and we don't want to become a stale mirror. For deep dives on specific findings, see the writeups in research or the upstream commit linked from NVD.
02 · how
The boring bits that matter. Coordinated disclosure, not opportunism.

disclosure protocol.

Coordination first

Every CVE here was reported privately to the maintainer first. Public disclosure is timed to the patch release, not to the maintainer's convenience.

NVD canonical

We don't maintain a parallel writeup database. The NVD record is canonical. We link to it, not around it.

No bug bounty pressure

These are reported because they need to be reported, not because someone is paying. That keeps the bar for what gets disclosed technical rather than economic.

Upstream credit

Maintainers get credit in the patch and the writeup. We don't take credit for fixes we didn't write.