Writeups.
Field notes from breaking AI-coded SaaS.
Vulnerability research published after coordinated disclosure with the vendor, or after a 7-day non-response window. Paid engagements appear only when the client has approved publication. New writeups roughly twice a month.
- 2026-07-10 cossistant CRIT A support-chat widget where knowing someone's email is enough to read their private conversations — on every site that installs it →
Cossistant is an open-source AI-and-human customer-support framework: an embeddable widget plus an agent dashboard. Its widget API identifies end-users the way Intercom does — you tell it who a visitor is — but unlike Intercom it never asks the customer's backend to prove it. The `identify` call accepts a client-supplied email with no signature, authenticated only by the public key that ships in every page's source. Because a conversation is readable by anyone who shares its contact, an attacker who knows a target's email can attach their own anonymous visitor to that contact and read the target's entire private support history — on any site running Cossistant. Confirmed end-to-end against a throwaway tenant. Disclosed privately on 2026-06-20 through the vendor's own security channel; published under the non-response policy after their stated 48-hour SLA lapsed with no acknowledgement.
- 2026-06-08 kelviq MED A Merchant-of-Record API that hands back its own webhook secrets, enumerates its whole seller base, and ships its internal schema on a public host →
Kelviq is a Merchant-of-Record platform for SaaS sellers — it moves money and brokers webhooks on their behalf. Its API returns the full webhook signing secret in plaintext on every list call, lets any logged-in user enumerate the complete seller base through a status-code differential, and serves a 209-endpoint OpenAPI schema plus live Swagger UI from a public, production-routable staging host. None of it is individually Critical; together it is a clean blueprint for forging webhook events and building a platform-wide phishing list. Disclosed privately on 2026-05-21 with a stated publish date; published under the non-response policy after that date passed with no reply.
- 2026-06-01 edgee HIGH Trust-elevation in an AI gateway: one unanchored regex turned tool output into harness reminders →
edgee is a token-compression gateway for coding agents. Its compressor preserves every `<system-reminder>` block in tool output verbatim while summarising everything around it. The check is unanchored — it does not distinguish reminders the agent harness emits (legitimate) from reminders that happen to appear inside a file the agent was asked to read (attacker-controlled). After compression, the attacker's reminder reaches the upstream model 1:1 with its salience amplified 14× in a representative case, and in the Read-tool path it lands in the exact position where Claude Code's harness emits its own reminders. A live test against `claude-opus-4-7` confirmed compliance with a soft injected instruction. Disclosed privately on 2026-05-25; published under the 7-day non-response policy.
- 2026-05-22 postiz CRITHIGHMED CVE-2026-48781 JWT confused-deputy: one Skool cookie became SUPERADMIN on a social-scheduling SaaS →
A free Skool account was enough to mint a JWT that elevated any user to SUPERADMIN on api.postiz.com and impersonate arbitrary tenants. The same forge primitive separately bypassed billing-enforcement on an unauthenticated public endpoint, and the crypto-payment IPN handler accepted attacker-chosen org_ids to grant lifetime PRO upgrades. Root cause: one JWT secret signed tokens for six distinct purposes with no `aud` claim, and the auth middleware trusted JWT body fields without re-resolving the user from the database. Disclosed via GHSA; fix shipped in 55 minutes; three public advisories — CVE-2026-48781 (Critical), CVE-2026-48783 (Medium), and GHSA-j7rp-5mgj-qgg9 (High) — assigned.
- 2026-05-06 clicky CRITHIGH Unauthenticated RCE on an unsandboxed macOS AI assistant via SSE tool-call injection →
A MITM attacker on the network can silently execute arbitrary shell commands on a Clicky user's machine by forging a single AI tool call in the response stream. No sandbox, no approval prompt, no indication to the user. Plus six more findings, including undisclosed conversation surveillance to a third-party analytics platform.
- 2026-05-04 outrank.so HIGH Supabase RLS quota bypass and unauthenticated Notion OAuth state forgery on an SEO SaaS →
An unauthenticated attacker can hijack a victim's Notion publishing pipeline without ever signing into Outrank. Four findings, two High, sharing one root cause: auth enforced in the app layer but missing from the data tier and several public API routes.
- 2026-04-01 parakeetai HIGH EMBARGOED Coordinated disclosure on an AI interview assistant — writeup embargoed until August 2026
Four findings on an AI assistant for live interviews and meetings — including SSRF via DNS rebinding, CORS null-origin with credentials, and a TOCTOU race on a quota-gated creation flow. Reported privately and fixed under coordinated disclosure. The detailed writeup is embargoed by agreement until approximately August 2026, when it will be republished in full on this site.
Want this for your product?
Same lens, before any attacker finds it.
- Price
- From $1,500 fixed.
- Finding promise
- Critical within 3 days or full refund.