About me
I am Adrian vurlo Junge. I started programming during school, working on small projects. Today I study computer science at Karlsruhe Institute of Technology (KIT), work around applied computer science at FZI Forschungszentrum für Informatik, and play CTF with my university team KITCTF. I recently started with bug bounty and CVE hunting.
This page collects the real-world security side of my work: CVEs, disclosed bug bounties, certificates, and some relevant milestones.
CVEs
Joomla CMS: Privilege escalation through com_users batch task (High, CVE-2026-48898)
- Project: Joomla CMS
- CVE ID: CVE-2026-48898
- Tested version: Joomla CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 affected
- Impact: Authenticated attackers could escalate privileges through the affected com_users batch task.
Summary
An improper access check in the Joomla com_users batch task could allow privilege escalation.
Disclosure timeline
- Reported to the Joomla Security Strike Team.
- Confirmation of the issue and initial patch development.
- Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.
Joomla CMS: Authenticated blind SQL injection in com_tags (Moderate, CVE-2026-35222)
- Project: Joomla CMS
- CVE ID: CVE-2026-35222
- Tested version: Joomla CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 affected
- Impact: High-impact authenticated blind SQL injection. Authenticated attackers could manipulate SQL queries and infer database contents.
Summary
Improper validation of order clauses in Joomla com_tags could allow an authenticated attacker to trigger blind SQL injection behavior.
Disclosure timeline
- Reported to the Joomla Security Strike Team.
- First acknowledgment.
- Confirmation of the issue and initial patch development.
- Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.
Joomla CMS: Authenticated blind SQL injection in com_finder (Moderate, CVE-2026-35221)
- Project: Joomla CMS
- CVE ID: CVE-2026-35221
- Tested version: Joomla CMS 5.4.0-5.4.5 and 6.0.0-6.1.0 affected
- Impact: High-impact authenticated blind SQL injection. Authenticated attackers could manipulate search-query SQL and infer database contents.
Summary
Improperly built filter clauses in the Joomla com_finder search query could allow authenticated blind SQL injection.
Disclosure timeline
- Reported to the Joomla Security Strike Team.
- First acknowledgment.
- Confirmation of the issue and initial patch development.
- Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.
ChurchCRM: Authenticated blind SQL injection in SettingsIndividual.php (High, CVE-2026-39334)
- Project: ChurchCRM
- CVE ID: CVE-2026-39334
- Tested version: ChurchCRM 7.0.5
- Impact: Authenticated database query manipulation and sensitive data extraction through blind SQL injection.
Summary
ChurchCRM settings input could be used by an authenticated user to influence a SQL query in SettingsIndividual.php and confirm injection through blind SQL techniques.
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM: Authenticated blind SQL injection in PropertyAssign.php (High, CVE-2026-39330)
- Project: ChurchCRM
- CVE ID: CVE-2026-39330
- Tested version: ChurchCRM 7.0.5
- Impact: Authenticated attackers could infer database contents and potentially alter application data through injected SQL.
Summary
ChurchCRM property assignment handling exposed a blind SQL injection path through PropertyAssign.php for authenticated users.
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM: Authenticated blind SQL injection in EventNames.php (High, CVE-2026-39329)
- Project: ChurchCRM
- CVE ID: CVE-2026-39329
- Tested version: ChurchCRM 7.0.5
- Impact: Authenticated SQL injection could expose or modify ChurchCRM database records.
Summary
ChurchCRM event-name management exposed SQL injection behavior reachable by authenticated users with access to the affected event configuration path.
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM: Authenticated SQL injection in MemberRoleChange.php (High, CVE-2026-39327)
- Project: ChurchCRM
- CVE ID: CVE-2026-39327
- Tested version: ChurchCRM 7.0.5
- Impact: Database read/write access through injected SQL, with potential privilege escalation depending on deployment configuration.
Summary
ChurchCRM allowed authenticated users with group and role management privileges to inject SQL through the MemberRoleChange.php role update flow.
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM: Authenticated blind SQL injection in PropertyTypeEditor.php (High, CVE-2026-39326)
- Project: ChurchCRM
- CVE ID: CVE-2026-39326
- Tested version: ChurchCRM 7.0.5
- Impact: Authenticated database compromise through SQL injection, including data extraction or modification.
Summary
ChurchCRM property type editing accepted input that could influence SQL statements in PropertyTypeEditor.php when reached by an authenticated user.
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM: Authenticated blind SQL injection in SettingsUser.php (High, CVE-2026-39325)
- Project: ChurchCRM
- CVE ID: CVE-2026-39325
- Tested version: ChurchCRM 7.0.5
- Impact: Authenticated attackers could infer and extract database data through timing-based or boolean blind SQL techniques.
Summary
ChurchCRM user settings handling exposed an authenticated blind SQL injection path in SettingsUser.php.
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM: Second-order SQL injection via FundRaiserEditor.php (High, CVE-2026-39319)
- Project: ChurchCRM
- CVE ID: CVE-2026-39319
- Tested version: ChurchCRM 7.1.2 and earlier affected
- Impact: Second-order SQL injection could lead to database compromise after malicious stored input is processed.
Summary
ChurchCRM allowed stored input from FundRaiserEditor.php to become executable SQL later in the affected fundraiser workflow.
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
Bug bounties
Certificates
Hack The Box Certified Penetration Testing Specialist
Completed the HTB CPTS path and passed the practical exam on the first attempt.
- Built a full penetration-test report for the exam environment.
- Focused on disciplined enumeration, Active Directory attack paths, web findings, and reproducible reporting.
Relevant achievements
Firedancer v1.0 audit competition (TBA)
DHM 2025 - 7th place
Placed #7 at the Deutsche Hacking-Meisterschaft 2025.
- Onsite CTF competition, with CSCG as the individual qualifier, focused on practical security challenges across categories such as web, crypto, reversing, pwn, networking, and forensics.
DHM 2024 - 1st place
Placed #1 at the Deutsche Hacking-Meisterschaft 2024.
- Onsite CTF competition, with CSCG as the individual qualifier, focused on practical security challenges across categories such as web, crypto, reversing, pwn, networking, and forensics.