Public research ledger · verified 11 Jul 2026
Every claim should open to evidence.
This ledger contains fourteen published GitHub security advisories with accepted CyberKareem Finder credit. Six of those advisories carry public CVE assignments; they are a subset of the fourteen, not an additional count. This is a verified floor from the public records reviewed on 11 July 2026, not an asserted lifetime total.
- Published Finder credits
- 14
- Including CVE assignments
- 6
- Central CVE records live
- 2
Assigned identifiers · 01
Six public CVE assignments
Two CVE Program records are live. Four IDs are public on their published vendor advisories while central CVE.org synchronization remains pending.
- CVE-2026-61448Low · 2.1Opens the primary public record in a new tab
Parse Server
Malformed Content-Type values could bypass an upload-extension blocklist and create stored XSS on affected storage adapters.
- CVE-2026-59889Medium · 6.5Opens the primary public record in a new tab
Jackson Databind
JsonView authorization rules could be bypassed for JsonUnwrapped properties during deserialization, enabling unauthorized writes.
- CVE-2026-59979High · 8.3Opens the primary public record in a new tab
Yosemite-Crew
Missing function-level authorization across FHIR and task-library or template routes enabled cross-tenant access.
- CVE-2026-59185High · 8.5Opens the primary public record in a new tab
identrail
A client-supplied GitHub App installation ID could be bound to a workspace without ownership verification.
- CVE-2026-55890Medium · 4.8Opens the primary public record in a new tab
Grav
Markdown image style handling allowed stored CSS/XSS-style injection as an incomplete fix of CVE-2026-42841.
- CVE-2026-55675Critical · 10.0Opens the primary public record in a new tab
saltyorg/docs
A privileged workflow_run chain could execute untrusted fork code in a secret-bearing deployment context.
Published advisories · 02
Eight additional Finder credits
These are published security advisories with accepted Finder attribution. They do not currently carry public CVE IDs and are not counted as CVEs.
- GHSA-q567-cr4x-96w4Moderate · 5.4Opens the primary public record in a new tab
trigger.dev
This published trigger.dev security advisory credits CyberKareem as Finder.
- GHSA-v3j7-vqwv-5w5qMedium · 4.3Opens the primary public record in a new tab
OpenProject
This published OpenProject security advisory credits CyberKareem as Finder.
- GHSA-8gg4-rvvv-cq96High · 8.8Opens the primary public record in a new tab
Grav API plugin
This published Grav API plugin security advisory credits CyberKareem as Finder.
- GHSA-23vq-365v-qcmhMedium · 6.3Opens the primary public record in a new tab
Grav Flex Objects plugin
This published Grav Flex Objects plugin security advisory credits CyberKareem as Finder.
- GHSA-4px8-7p53-282rMedium · 5.4Opens the primary public record in a new tab
Grav Login plugin
This published Grav Login plugin security advisory credits CyberKareem as Finder.
- GHSA-r57j-5jm9-hpccCritical · 9.1Opens the primary public record in a new tab
Frigate
This published Frigate security advisory credits CyberKareem as Finder.
- GHSA-pqfr-m69j-4mq2High · 7.7Opens the primary public record in a new tab
Frigate
This published Frigate security advisory credits CyberKareem as Finder.
- GHSA-8643-cr38-p6qjModerate · 6.8Opens the primary public record in a new tab
Zipline
This published Zipline security advisory credits CyberKareem as Finder.
Responsible disclosure
Private first. Public after coordination.
To initiate a disclosure conversation, use the contact page and do not include unpatched technical details in a public message.
Disclosure contact