Writeups of disclosed bugs, reverse engineering notes, and experiments in automated recon — by Nick Mykhailyshyn, offensive security engineer and bug bounty hunter.https://whoareme.com/https://whoareme.com/blog/cspt-account-takeover-2fa-bypass/https://whoareme.com/blog/cspt-account-takeover-2fa-bypass/A client-side path traversal in the front-end's URL builder turned into arbitrary PUT/DELETE on the API, then chained with an inherited-property lookup bug to bypass 2FAThu, 16 Apr 2026 00:00:00 GMTwhoaremehttps://whoareme.com/blog/ghost-cms-ssrf-cve-2020-8134/https://whoareme.com/blog/ghost-cms-ssrf-cve-2020-8134/How Ghost's embed-anything input let an authenticated publisher pivot the server into cloud metadata endpoints - and what the fix actually changed.Mon, 09 Mar 2020 00:00:00 GMTwhoareme