$ ls ~/exploits
exploits
CVEs I turned into working proof-of-concept code — writeup here, full exploit on GitHub.
> Jul 12, 2026
CVE-2025-55182: React2Shell — RCE in React Server Components
React2Shell — a prototype-pollution flaw in React Server Components' FormData deserialization that reaches child_process.execSync for unauthenticated RCE on React 19.x, with a working Python PoC.
[cve][rce][prototype-pollution][react][poc]
> Jul 12, 2026
CVE-2025-27515: Laravel file-upload validation bypass — polyglot JPEG/PHP PoC
A PoC lab for CVE-2025-27515: bypassing Laravel's array/wildcard file-upload validation with a JPEG+PHP polyglot to smuggle a webshell past MIME and extension filters, driven by a Python exploit against a vulnerable upload endpoint.
[cve][laravel][file-upload][webshell][poc]
> Jul 12, 2026
CVE-2021-44228: Log4Shell RCE — end-to-end PoC lab
A dockerized Log4Shell lab — vulnerable Spring Boot + Log4j 2.14.1 app, a marshalsec LDAP + HTTP payload server, and a Node.js exploit that drives JNDI injection all the way to remote code execution.
[cve][log4j][rce][jndi][poc]