EverydaySparkling

Latest — 25 Mar 2025

Stored Cross Site Scripting in webERP

A stored XSS vulnerability in webERP (≤v4.15.2, 5.0.0.rc+13) allows script injection via the Narrative field in orders, leading to privilege escalation. This was a fun one to create, but despite providing a demo and a simple fix, the vendor stopped responding after initial contact.

More issues

Cross Site Scripting in OpenXE v1.12

A cross-site scripting (XSS) vulnerability was found in OpenXE versions up to 1.12. Manipulating the Notizen argument on the Ticket Bearbeiten page could allow attackers to inject malicious scripts. Successful exploitation requires user interaction. CVE-2025-2130.

First CVE: SQL Injection in PiHome v1.77

As a web developer with a strong interest in security, I recently decided to hunt for vulnerabilities just for fun—and it led to my first-ever CVE! 🎉 I discovered an SQL Injection vulnerability in PiHome v1.77, a smart home automation system, earning CVE-2025-1184. The Discovery While exploring PiHome’s

Passing the Certified Web Exploitation Expert (CWEE) – January 2025

After months of dedication and persistence, I finally passed the Certified Web Exploitation Expert (CWEE) in January 2025! This certification was one of the toughest I’ve tackled, testing deep web security knowledge and advanced exploitation techniques. My first attempt in summer 2024 ended unsuccessfully, and my second attempt didn’

Passing the Hack The Box Certified Bug Bounty Hunter (CBBH) – May 2024

As an eCommerce developer, security is essential. In May 2024, I earned the Hack The Box Certified Bug Bounty Hunter (CBBH) certification, enhancing my web security skills. This hands-on training helped me understand real-world vulnerabilities to build more secure online platforms.

About

EverydaySparkling

I specialize in eCommerce development and enjoy exploring vulnerabilities, bug bounties, and secure coding practices to build safer web applications.

More issues

Subscribe to EverydaySparkling