Avoiding the paradox: A native full-read SSRF and one‑shot DoS in SvelteKit
Published in zhero_web_security, 2026
CVE-2025-67647
Research & Things
Unlocking Reflected XSS in the Astro framework
Published in zhero_web_security, 2025
CVE-2025-64764
Astro framework and standards weaponization
Published in zhero_web_security, 2025
CVE-2025-64525
Next.js : Cache Poisoning to DoS via a 204 response (no research paper)
Published in zhero_web_security, 2025
CVE-2025-49826
Eclipse on Next.js: Conditioned exploitation of an intended race-condition
Published in zhero_web_security, 2025
CVE-2025-32421
React-Router : Pre-render data spoofing + CPDoS (no research paper)
Published in zhero_web_security, 2025
CVE-2025-43865 + CVE-2025-43864
React Router and the Remix’ed path
Published in zhero_web_security, 2025
CVE-2025-31137
Next.js and the corrupt middleware: the authorizing artifact
Published in zhero_web_security, 2025
CVE-2025-29927
Nuxt, show me your payload - a basic CP DoS
Published in zhero_web_security, 2025
CVE-2025-27415
Next.js, cache, and chains: the stale elixir
Published in zhero_web_security, 2025
CVE-2024-46982
Next.js and cache poisoning: a quest for the black hole
Published in zhero_web_security, 2024
CVE-2024-XXXX
WAF as a weapon and DOS as a bullet
Published in zhero_web_security, 2024