Defense is built by those who know how to attack.
Vulnerability research and coordinated disclosures by Dennis Sepede - Co-Founder & CTO of Securitix Solutions. Every finding comes from manual source-code review, is backed by a working proof of concept and is disclosed under a 90-day coordinated policy. Recent work focuses increasingly on AI/LLM security.
| CVE | Target | Vulnerability | Severity |
|---|---|---|---|
| CVE-2026-38595 | im3x/Scriptables | OS Command Injection via filename | Critical (9.8) |
| CVE-2026-38600 | gohttpserver | Zip Slip - arbitrary file write → RCE | Critical (9.1) |
| CVE-2026-38601 | gohttpserver | Hardcoded session secret - auth bypass | Critical (9.1) |
A single bug class - custom authentication headers leaking across cross-origin redirects (CWE-200) - surfaced through manual review of six widely used HTTP client libraries. On a redirect to a different origin these clients strip the well-known credential headers (Authorization, Cookie, Proxy-Authorization and Host; node-fetch additionally forwards proxy-authorization, see VDR-005) but pass custom auth headers (X-API-Key, X-Auth-Token, Api-Key, ...) verbatim to the redirect target. Any server that can answer a request with a 3xx pointing at a host it controls therefore receives the caller's API credentials.
undici · node-fetch · follow-redirects · parnurzeal/gorequest · imroc/req · go-resty/resty
Outcomes span the full spectrum of real-world disclosure: a coordinated GHSA for follow-redirects, an upstream fix in go-resty PR #1136, and spec-compliance pushback from others - each documented per advisory below.
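The following JavaScript is an added example written for this page; it is not code from undici, node-fetch, follow-redirects or any of the Go clients listed above. It models the redirect policy the paragraph describes (a deny-list of well-known credential headers) next to a hardened variant that also drops headers whose names look credential-bearing, and provides the check a reviewer would run against a client: which credential-looking headers still reach a cross-origin redirect target. The `CREDENTIAL_NAME_PATTERN` rule is an assumption for the example, not any library's actual behaviour, and all header names, values and URLs are constructed test data.

```javascript
// Added example for this page, not code from any project named on it.
// Models the cross-origin redirect header policy described above.

// Headers the affected clients strip on cross-origin redirect (per the page).
const WELL_KNOWN_CREDENTIAL_HEADERS = new Set([
  'authorization', 'cookie', 'proxy-authorization', 'host',
]);

// Hardened rule (an assumption for this example, not any library's rule):
// also drop any header whose name looks credential-bearing. Deliberately
// broad: a false positive costs a re-auth, a miss leaks a key.
const CREDENTIAL_NAME_PATTERN =
  /(^|-)(api-?key|auth|token|secret|session|credential)/i;

// "Cross-origin" here means scheme or host:port differs. A downgrade from
// https to http on the same host counts, as does a port change. WHATWG URL
// drops default ports, so https://h:443 and https://h are the same origin.
function isCrossOrigin(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  return from.protocol !== to.protocol || from.host !== to.host;
}

// Returns the headers a client would send to the redirect target.
// hardened=false reproduces the deny-list policy; hardened=true adds the
// name-pattern check on top of it.
function headersForRedirect(fromUrl, toUrl, headers, { hardened = false } = {}) {
  if (!isCrossOrigin(fromUrl, toUrl)) return { ...headers };
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (WELL_KNOWN_CREDENTIAL_HEADERS.has(lower)) continue;
    if (hardened && CREDENTIAL_NAME_PATTERN.test(lower)) continue;
    forwarded[name] = value;
  }
  return forwarded;
}

// Review check: which credential-looking headers would still reach an
// attacker-controlled redirect target under the given policy?
function leakedCredentialHeaders(fromUrl, toUrl, headers, opts) {
  return Object.keys(headersForRedirect(fromUrl, toUrl, headers, opts))
    .filter((name) => CREDENTIAL_NAME_PATTERN.test(name));
}

// Constructed scenario: the first request carries a bearer token, a cookie
// and two custom API-key headers; the server answers 302 to another host.
const ORIGINAL_URL = 'https://api.example.com/v1/export';
const REDIRECT_URL = 'https://attacker.example.net/collect';
const REQUEST_HEADERS = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'session=constructed',
  'X-API-Key': 'constructed-key-1',
  'Api-Key': 'constructed-key-2',
  Accept: 'application/json',
};

console.log('deny-list policy leaks:',
  leakedCredentialHeaders(ORIGINAL_URL, REDIRECT_URL, REQUEST_HEADERS));
console.log('hardened policy leaks:',
  leakedCredentialHeaders(ORIGINAL_URL, REDIRECT_URL, REQUEST_HEADERS,
    { hardened: true }));
```

The deny-list policy forwards both `X-API-Key` and `Api-Key` to the attacker host; the pattern-based policy forwards only `Accept`. A name pattern is still a heuristic: the robust fix for an application is to attach credentials per request rather than rely on the client to decide what survives a hop, and for a client library to either drop every non-safelisted header on a cross-origin redirect or let callers register their own credential header names.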
| ID | Target | Vulnerability | Severity | Identifier | Status | Date |
|---|---|---|---|---|---|---|
| VDR-001 | gohttpserver | Zip Slip - Arbitrary File Write | Critical (9.1) | CVE-2026-38600 | No upstream fix (project unmaintained) | 2026-03-19 |
| VDR-002 | gohttpserver | Hardcoded Session Secret - Auth Bypass | Critical (9.1) | CVE-2026-38601 | No upstream fix (project unmaintained) | 2026-03-19 |
| VDR-003 | im3x/Scriptables | OS Command Injection via Filename | Critical (9.8) | CVE-2026-38595 | No upstream fix (project unmaintained) | 2026-04-14 |
| VDR-004 | nodejs/undici | Custom Auth Headers Leak on Cross-Origin Redirect | Medium | - | Closed by maintainer (not planned) | 2026-03-20 |
| VDR-005 | node-fetch | Custom Auth Headers + proxy-authorization Leak on Cross-Origin Redirect | Medium | Pending | Awaiting maintainer | 2026-03-20 |
| VDR-006 | parnurzeal/gorequest | Custom Auth Headers Leak on Cross-Domain Redirect | High (7.4) | Pending | Awaiting maintainer | 2026-03-20 |
| VDR-007 | imroc/req | Custom Auth Headers Leak on Cross-Domain Redirect | High (7.4) | Pending | Awaiting maintainer | 2026-03-20 |
| VDR-008 | go-resty/resty | Custom Auth Header Leak via SetHeaderAuthorizationKey | Medium | Pending | Fixed in PR #1136 | 2026-03-20 |
| VDR-009 | follow-redirects | Custom Auth Headers Leak (axios dependency) | Medium | GHSA-r4q5-vmmm-2653 | Coordinated disclosure | 2026-03-20 |
| VDR-010 | phpk/godoos | Critical Path Traversal on 14+ unauthenticated endpoints | Critical (9.8) | Pending | Awaiting maintainer | 2026-03-20 |
The following four vulnerabilities have been submitted to MITRE and are awaiting CVE assignment. Public advisories will be published once CVE IDs are issued.
| Target | Vulnerability | CWE |
|---|---|---|
| Tzahi12345/YoutubeDL-Material | Argument Injection via customArgs/additionalArgs | CWE-88 |
| develon2015/Youtube-dl-REST | OS Command Injection via recode parameter | CWE-78 |
| LiangYang666/ChatGPT-Web | Insecure Deserialization via .pkl upload | CWE-502 |
| ltzheng/agent-studio | Insecure Deserialization via jsonpickle.decode | CWE-502 |
All vulnerabilities are discovered through manual source code review and confirmed with working proof-of-concept exploits before disclosure. Reports are submitted via GitHub Security Advisory or the project's designated security contact, following a 90-day coordinated disclosure policy.
- Vulnerabilities are reported privately to maintainers before any public disclosure
- Maintainers are given 90 days to release a fix
- Public disclosure occurs after the fix is released or after the 90-day deadline
- Proof-of-concept code is minimal and non-weaponized
- Website: dennis.d-enterprise.cc · securitixsolutions.com
- LinkedIn: dennis-sepede-cybersecurity
- GitHub: @Den-Sec