logo

Dojo challenge #32 winners!

ID: 0a949877-c1ba-5fe4-ba11-2432ae5b9ce1

STIX ID: report--0a949877-c1ba-5fe4-ba11-2432ae5b9ce1

Feed Name: YesWeHack Blog | Cybersecurity Insights and Bug Bounty Trends| RSS Feed

Threat Score
65/100

Date Published: 2024-05-17

Date Updated: 2026-07-04

...
...

## Executive Summary This write-up describes a Python Class Pollution vulnerability in a web application's merge_config function that lets a crafted JSON payload mutate class internals (via attributes like __class__ and __globals__) to overwrite a COMMAND variable and achieve remote code execution; the author demonstrates a proof-of-concept that reads /tmp/flag.txt and provides mitigation advice including input validation and attribute access restriction.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.