Organizations

@Nolva-Security

xeloxa/README.md

Welcome! 👋 View my resume ↗

I'm an Ethical Hacker & Penetration Tester passionate about Cloud, Web App & Application Security. I focus on offensive security and actively contribute to open-source projects.

🚀 My Projects

  • HackPaper - My personal blog where I share deep dives into cloud security, research, and technical articles.
  • s3finder - A tool for discovering and analyzing open S3 buckets
  • Temodar Agent - AI-powered WordPress plugin/theme security analysis platform with Semgrep-based static analysis and agent-assisted investigation workflows
  • aws-clf-c02-notlari - AWS Certified Cloud Practitioner study notes

More projects coming soon! 🛠️

🏆 BBP - VDP

🛡️ My Security Contributions

| Repository | Fix |
| --- | --- |
| gofiber/fiber | Reported cache middleware query-string key collision / response mix-up (GHSA-35hp-hqmv-8qg8, CVE-2026-30246) · ↗ Advisory |
| NousResearch/hermes-agent | Reported ACP auth / approval hardening issues and fixes · ↗ #13468 · ↗ #13471 · ↗ #13525 |
| EvoMap/evolver | Reported RCE, arbitrary file write, and prototype pollution issues · ↗ GHSA-j5w5-568x-rq53 · ↗ GHSA-r466-rxw4-3j9j · ↗ GHSA-2cjr-5v3h-v2w4 |
| lukilabs/craft-agents-oss | Fixed path traversal in STORE_ATTACHMENT IPC handler (v0.3.2) · ↗ Advisories |
| NoeFabris/opencode-antigravity-auth | Set 0600 permissions for credential storage · ↗ #353 |

More contributions coming soon! 🔜

🔍 My CVEs

| CVE ID | Status | CVSS | Description |
| --- | --- | --- | --- |
| CVE-2026-42076 | ✅ Published | 9.8 | Remote Code Execution in EvoMap Evolver < 1.69.3 |
| CVE-2026-1993 | ✅ Published | 8.8 | Privilege escalation in ExactMetrics <= 9.0.2 |
| CVE-2026-1992 | ✅ Published | 8.8 | Arbitrary plugin installation in ExactMetrics <= 9.0.2 |
| CVE-2026-42075 | ✅ Published | 8.1 | Arbitrary file write in EvoMap Evolver < 1.69.3 |
| CVE-2026-30246 | ✅ Published | 6.5 | Cache response mix-up in gofiber/fiber < 3.2.0 |
| CVE-2026-42077 | ✅ Published | 5.2 | Prototype pollution in EvoMap Evolver < 1.69.3 |
| CVE-2026-1857 | ✅ Published | 4.3 | SSRF vulnerability in Kadence Blocks <= 3.6.1 |
| CVE-2026-2633 | ✅ Published | 4.3 | Unauthorized media upload in Kadence Blocks <= 3.6.1 |

More coming soon! 🔜

💥 My Exploits

| CVE ID | Exploit | Exploit-DB | Description |
| --- | --- | --- | --- |
| CVE-2024-28397 | ↗ GitHub | ↗ 52532 | Remote Code Execution in Js2Py |
| CVE-2026-31431 | ↗ GitHub | ↗ Vulners | Copy Fail - Local Privilege Escalation |
| CVE-2026-23918 | ↗ GitHub | ↗ 52577 | Apache HTTP Server - HTTP/2 Double Free |


Pinned

  1. temodar-agent (Public)

    Temodar Agent is an AI-powered WordPress plugin and theme security analysis platform built for security researchers, product security teams, auditors, and defenders. It combines AI agent workflows,…

    Python · 58 stars · 11 forks

  2. CVE-2026-23918-Apache-H2-PoC (Public)

    Proof-of-Concept exploit for CVE-2026-23918 (Apache mod_http2 double-free). Features multi-mode DoS (Rapid-RST, Slow-Drip) and passive RCE/vulnerability detection for Apache 2.4.66.

    Python · 20 stars · 6 forks

  3. s3finder (Public)

    A high-performance CLI tool for discovering AWS S3 buckets using intelligent name generation. Combines traditional wordlist scanning with LLM-powered suggestions to find buckets that other tools miss.

    Go · 13 stars · 1 fork

  4. copyfail-exploit (Public)

    Copy Fail (CVE-2026-31431) LPE exploit. A clean, multi-arch Python reimplementation targeting the Linux kernel AF_ALG page cache vulnerability.

    Python · 16 stars · 2 forks

  5. aws-clf-c02-notlari (Public)

    This repository is a guidance resource containing the notes and exam tips I took for the AWS Certified Cloud Practitioner exam. The notes "AWS SkillBuilder - AWS Cloud Practitioner Essentials" course…

    4 stars · 1 fork

  6. CVE-2024-28397-Js2Py-RCE-Exploit (Public)

    Professional exploit for CVE-2024-28397: Js2Py Sandbox Escape leading to Remote Code Execution (RCE). Includes modular payload generation.

    Python · 2 stars · 1 fork