independent security research

Public notes for coordinated vulnerability disclosure, vendor acknowledgements, and product security research.

Status: Actively researching
Notes published: 3
Last updated: June 2026

About

Web application security, mobile platforms, binary analysis, and cloud/API attack surfaces. Research is driven by curiosity — findings are handled with care for the people affected, not just the systems involved.

web · XSS / SQLi / SSRF
mobile · iOS / Android
binary / reversing
cloud / API

Research notes

open-source hardening · June 2026 · MERGED

Ray runtime_env zip extraction hardening

Open-source hardening contribution that improved Ray's runtime_env zip extraction path validation through upstream PR #63786.

Status: Merged
Class: Hardening
Detail: PR #63786

coordinated disclosure · June 2026 · CVE-2026-48020

Traefik StripPrefix route-level auth bypass

Public note for a path normalization issue in Traefik where StripPrefix middleware could affect route-level authorization boundaries.

Status: Patched / Public
Severity: High
Detail: GHSA-xf64-8mw2-4gr2

coordinated disclosure · May 2026 · WITHHELD

Access control boundary issue

Public placeholder for a Broken Access Control finding. Vendor and product details remain withheld.

Status: Patch in progress
Class: Broken Access Control
Detail: Withheld

Disclosure policy

Contact

Reach out directly for coordinated disclosure. Include the product, a rough description, and your preferred timeline.

loaner.16.bland@icloud.com