Public research ledger · verified 11 Jul 2026

Every claim should open to evidence.

This ledger contains fourteen published GitHub security advisories with accepted CyberKareem Finder credit. Six of those advisories carry public CVE assignments; they are a subset of the fourteen, not an additional count. This is a verified floor from the public records reviewed on 11 July 2026, not an asserted lifetime total.

Published Finder credits
14
Including CVE assignments
6
Central CVE records live
2

Assigned identifiers · 01

Six public CVE assignments

Two CVE Program records are live. Four IDs are public on their published vendor advisories while central CVE.org synchronization remains pending.

  1. CVE-2026-61448Low · 2.1

    Parse Server

    Malformed Content-Type values could bypass an upload-extension blocklist and create stored XSS on affected storage adapters.

    Scoring
    CVSS 4.0
    Public state
    CVE Program published
    Published
    25 Jun 2026
    Remediation
    Fixed in 8.6.84 and 9.10.0-alpha.2
    Opens the primary public record in a new tab
  2. CVE-2026-59889Medium · 6.5

    Jackson Databind

    JsonView authorization rules could be bypassed for JsonUnwrapped properties during deserialization, enabling unauthorized writes.

    Scoring
    CVSS 3.1
    Public state
    CVE assigned — CVE.org record pending
    Published
    10 Jul 2026
    Remediation
    Fixed in 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1
    Opens the primary public record in a new tab
  3. CVE-2026-59979High · 8.3

    Yosemite-Crew

    Missing function-level authorization across FHIR and task-library or template routes enabled cross-tenant access.

    Scoring
    CVSS 3.1
    Public state
    CVE assigned — CVE.org record pending
    Published
    21 Jun 2026
    Remediation
    Fixed version not specified by the advisory
    Opens the primary public record in a new tab
  4. CVE-2026-59185High · 8.5

    identrail

    A client-supplied GitHub App installation ID could be bound to a workspace without ownership verification.

    Scoring
    CVSS 3.1
    Public state
    CVE assigned — CVE.org record pending
    Published
    20 Jun 2026
    Remediation
    Fixed version not specified by the advisory
    Opens the primary public record in a new tab
  5. CVE-2026-55890Medium · 4.8

    Grav

    Markdown image style handling allowed stored CSS/XSS-style injection as an incomplete fix of CVE-2026-42841.

    Scoring
    CVSS 3.1
    Public state
    CVE Program published
    Published
    17 Jun 2026
    Remediation
    Fixed in 2.0.0-rc.9
    Opens the primary public record in a new tab
  6. CVE-2026-55675Critical · 10.0

    saltyorg/docs

    A privileged workflow_run chain could execute untrusted fork code in a secret-bearing deployment context.

    Scoring
    CVSS 3.1
    Public state
    CVE assigned — CVE.org record pending
    Published
    15 Jun 2026
    Remediation
    Patched by workflow redesign; advisory lists no release version
    Opens the primary public record in a new tab

Published advisories · 02

Eight additional Finder credits

These are published security advisories with accepted Finder attribution. They do not currently carry public CVE IDs and are not counted as CVEs.

  1. GHSA-q567-cr4x-96w4Moderate · 5.4

    trigger.dev

    This published trigger.dev security advisory credits CyberKareem as Finder.

    Scoring
    CVSS version not stated in approved records
    Public state
    Published security advisory — no CVE
    Published
    9 Jul 2026
    Remediation
    Fixed in 4.5.2 and later
    Opens the primary public record in a new tab
  2. GHSA-v3j7-vqwv-5w5qMedium · 4.3

    OpenProject

    This published OpenProject security advisory credits CyberKareem as Finder.

    Scoring
    CVSS version not stated in approved records
    Public state
    Published security advisory — no CVE
    Published
    8 Jul 2026
    Remediation
    Fixed in 17.6.0
    Opens the primary public record in a new tab
  3. GHSA-8gg4-rvvv-cq96High · 8.8

    Grav API plugin

    This published Grav API plugin security advisory credits CyberKareem as Finder.

    Scoring
    CVSS version not stated in approved records
    Public state
    Published security advisory — no CVE
    Published
    29 Jun 2026
    Remediation
    Fixed in 1.0.6
    Opens the primary public record in a new tab
  4. GHSA-23vq-365v-qcmhMedium · 6.3

    Grav Flex Objects plugin

    This published Grav Flex Objects plugin security advisory credits CyberKareem as Finder.

    Scoring
    CVSS version not stated in approved records
    Public state
    Published security advisory — no CVE
    Published
    29 Jun 2026
    Remediation
    Fixed in 1.4.3
    Opens the primary public record in a new tab
  5. GHSA-4px8-7p53-282rMedium · 5.4

    Grav Login plugin

    This published Grav Login plugin security advisory credits CyberKareem as Finder.

    Scoring
    CVSS version not stated in approved records
    Public state
    Published security advisory — no CVE
    Published
    29 Jun 2026
    Remediation
    Fixed in 3.8.11
    Opens the primary public record in a new tab
  6. GHSA-r57j-5jm9-hpccCritical · 9.1

    Frigate

    This published Frigate security advisory credits CyberKareem as Finder.

    Scoring
    CVSS version not stated in approved records
    Public state
    Published security advisory — no CVE
    Published
    28 Jun 2026
    Remediation
    Fixed in 0.17.2 and later
    Opens the primary public record in a new tab
  7. GHSA-pqfr-m69j-4mq2High · 7.7

    Frigate

    This published Frigate security advisory credits CyberKareem as Finder.

    Scoring
    CVSS version not stated in approved records
    Public state
    Published security advisory — no CVE
    Published
    28 Jun 2026
    Remediation
    Fixed in 0.17.2 and later
    Opens the primary public record in a new tab
  8. GHSA-8643-cr38-p6qjModerate · 6.8

    Zipline

    This published Zipline security advisory credits CyberKareem as Finder.

    Scoring
    CVSS version not stated in approved records
    Public state
    Published security advisory — no CVE
    Published
    26 Jun 2026
    Remediation
    Fixed version not specified by the advisory
    Opens the primary public record in a new tab

Responsible disclosure

Private first. Public after coordination.

To initiate a disclosure conversation, use the contact page and do not include unpatched technical details in a public message.

Disclosure contact