Welcome to my blog.

I will write about whatever interests me involving cyber security.

No Sandbox, No Problem: Exploiting Remote Code Execution in Twenty CRM. CVE-2026-26720

From Learning to Root: How I Found a Remote Code Execution Vulnerability in Twenty CRM

Code reviews and web application security aren’t exactly my wheelhouse. I wanted to change that, so I challenged myself to audit open-source codebases and look for potential security gaps. I chose Twenty, a popular open-source CRM with over 38,000 stars on GitHub. While exploring their serverless module implementation, I came across a file that immediately caught my eye: packages/twenty-server/src/engine/core-modules/serverless/drivers/local....

February 27, 2026

My First CVE. CVE-2021-41074

First off, I would like to thank Joe Helle (TheMayor) for his excellent Medium article and his inspiration that this is possible, as well as Rana Khalil and her fantastic course teaching the technical side. If you get a chance to join either of their Discords, I highly recommend it. After reading TheMayor’s article, I said, “getting a CVE would be cool, but I don’t have the skill.” I know a lot of brilliant people who do not have CVEs....

September 21, 2021