[ 01_OVERVIEW ]

D6fault is an American security researcher known for identifying and responsibly disclosing cybersecurity vulnerabilities in government and corporate systems.

At age 13, he began his practical training on TryHackMe, where he has completed over 300+ rooms, developing hands-on expertise across penetration testing, and web application security. By the age of 14, D6fault had reported several security issues affecting U.S. government entities, including the Department of Defense, Department of Education, and the Department of Health and Human Services (HHS).

His work focuses on vulnerability discovery, ethical disclosure, and improving system security through responsible reporting and educational content creation.

[ 02 CVEs ]

CVE-2026-23695

SEVERITY: MEDIUM AFFECTED: Cockpit CMS <= 2.14.0

Stored cross-site scripting vulnerability in the "Set" field type's Display template option. User-supplied input is processed by an unsafe function and rendered using Vue's v-html directive without sanitization, allowing an authenticated attacker with specific permissions to inject JavaScript that executes in other users' browsers.

CVE-2026-46393

SEVERITY: HIGH (7.1) AFFECTED: @haxtheweb/haxcms-nodejs

Authenticated server-side request forgery vulnerability. By leveraging the createSite endpoint, an authenticated attacker can trick the HAXcms backend into sending requests to and reading responses from arbitrary internal services or unintended local resources, enabling data exfiltration.

CVE-2026-46401

SEVERITY: MEDIUM (5.3) AFFECTED: HAXcms < 26.0.0

Improper session management flaw where authentication tokens remain valid after logout. When a user logs out, their session is not properly terminated, allowing attackers to continue using the session for session hijacking and unauthorized access to private site outlines and settings.

[ 03_HALL_OF_FAME ]