Blog

Vulnerability research writeups, offensive security notes, and AI engineering posts. Mostly long-form, mostly technical, no filler.

Latest: April 29, 2026·9 min read

~/blog

$

title: When || becomes a vulnerability: CVE-2026-40776 in WordPress Eventin
cve: CVE-2026-40776
severity: 7.5 (HIGH)
cwe: CWE-862
read_time: 9 min
published: April 29, 2026

$ls ~/blog/

Latest writeup

1 post

April 29, 2026·9 min read
When || becomes a vulnerability: CVE-2026-40776 in WordPress Eventin
How a public REST endpoint dispensing wp_rest nonces, plus a single || operator in three permission callbacks, collapsed authorization for 10,000+ WordPress sites running the Eventin plugin.
CVE-2026-40776
CVSS 7.5 · HIGH
CWE-862

More writeups in the pipeline

New posts on vulnerability research, AppSec patterns, and AI engineering land here as they ship. For collaborations or one-off questions, get in touch directly.

Get in touch

Blog

Latest writeup

When || becomes a vulnerability: CVE-2026-40776 in WordPress Eventin

More writeups in the pipeline