hack.do — GeistHaus

WinBoat: Drive by Client RCE + Sandbox escape.

Dec 15, 2025

A remote webpage can abuse an unauthenticated guest HTTP API to compromise the Windows guest container, then feed a malicious app entry leading to Linux host code execution on click.

https://hack.do/posts/winboat-guest-service-host-rce/

Matt Austin

Aug 25, 2025

https://hack.do/about/

RCE in buf CLI (from http://buf.build)

Mar 7, 2025

A malicious protobuf registry can return a file:// verification URL during device auth; the buf CLI opens it via the OS default handler (e.g. macOS open), enabling client-side code execution during login.

https://hack.do/posts/buf-cli-registry-login-rce/

CVE-2025-48938 - GitHub CLI RCE

Feb 22, 2025

Remote Code Execution in Github “GH” CLI via custom GitHub Enterprise Server

https://hack.do/posts/cve-2025-48938/

CVE-2021-30618 - Chrome Headless Remote Debugging RCE via XSS

Jan 15, 2024

Abusing XSS and CSRF for Remote Code Execution in Google Chrome

https://hack.do/posts/cve-2021-30618/

Thinking Outside the Sandbox: Decoding and Defeating Node.js Permissions

Dec 16, 2023

A tour of Node.js’s experimental permission controls (module policy + process permissions), plus practical bypasses and the fixes that closed them.

https://hack.do/posts/thinking-outside-the-sandbox/

Burp Suite RCE via Chrome Remote Debugging

Oct 10, 2023

Burp Suite remote code execution by leveraging the Chrome remote debugging interface when crawling or scaning.

https://hack.do/posts/burp-suite-rce/

CVE-2023-30587 - Node.js Permission Bypass via Inspector Module

Sep 15, 2023

Process-based permissions can be bypassed with the “inspector” module in Node.js

https://hack.do/posts/cve-2023-30587/

jsonwebtoken: String Payload Parsing Inconsistency Leads to Auth Bypass

Feb 3, 2023

A string-vs-object handling mismatch can create surprising type confusion: apps that mutate assumed-object payloads before signing may be bypassed if untrusted input is a string that later verifies as an object.

https://hack.do/posts/node-jsonwebtoken-string-payload-auth-bypass/

Node.js Permission Bypass via WASI Module

Jan 15, 2023

Restrictions made with the –experimental-permission flag can be bypassed with the built-in wasi module

https://hack.do/posts/nodejs-wasi-permission-bypass/

CVE-2020-17091 - Microsoft Teams Desktop RCE via Missing Context Isolation

Nov 16, 2020

Remote Code Execution in Microsoft Teams Desktop Application due to missing contextIsolation flag in authentication windows

https://hack.do/posts/cve-2020-17091/

Docker Desktop (formaly Kitematic) Container Escape and RCE via “Web Preview”

Sep 17, 2019

A malicious Docker image can escape its container and execute code on the host by abusing Kitematic’s Electron Web Preview webview without contextIsolation.

https://hack.do/posts/docker-kitematic-rce/

Ghost CMS: Privilege Escalation via Post Preview

Apr 29, 2019

An underprivileged Ghost user can create a post with javascript, that when previewed by and admin will execute and elevate privileges.

https://hack.do/posts/ghost-code-injection-privilege-escalation/

CVE-2018-15685 - Electron WebPreferences Remote Code Execution

Jul 30, 2018

Remote Code Execution vulnerability in Electron affecting apps with the ability to open nested child windows due to WebPreferences not being inherited properly

https://hack.do/posts/cve-2018-15685/

XSS in Outlook Adaptive Cards via Action.OpenUrl

Mar 18, 2018

Adaptive cards in Outlook (and other products) do not properly validate the “Action.OpenUrl” leading to XSS

https://hack.do/posts/outlook-adaptive-cards-xss/

Unsafe Code Execution in static-eval

Oct 16, 2017

Two issues in the static-eval node module that can lead to remote code execution.

https://hack.do/posts/static-eval/

Elmowned - Hacking Elmo

Oct 16, 2017

Build project for an IoT Elmo to prank my friend.

https://hack.do/posts/elmowned/

Visual Studio Code 1.9.1: Arbitrary Code Execution via Markdown Preview

Feb 13, 2017

Previewing a malicious Markdown file in VS Code 1.9.1 can lead to arbitrary code execution.

https://hack.do/posts/vscode-markdown-preview-rce/