About me

About me

I am Adrian Junge (vurlo). I started programming in school, and back then I could not have imagined how deep that rabbit hole would go. My first deeper technical interest was algorithms, competitive programming, and the occasional LeetCode problem. Over time that problem-solving curiosity pulled me further into cybersecurity. Today I study computer science at Karlsruhe Institute of Technology (KIT) with a focus on cybersecurity, work in applied computer science at FZI Forschungszentrum für Informatik, and play CTFs with my university team KITCTF. Lately, I have been digging deeper into bug bounty work, coordinated disclosure, and CVE hunting.

This page is meant as a record of what I have worked on and learned from: reproduced bugs, writeups, disclosures, certificates, and a few milestones along the way.

CVEs

10 entries

Joomla CMS

High CVE-2026-48898 CWE-284 Privilege escalation through com_users batch task

Summary

Joomla CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 were affected by an improper access check in the com_users batch task. Authenticated attackers could abuse the batch flow to escalate privileges.

Disclosure timeline

  1. Reported to the Joomla Security Strike Team.
  2. Confirmation of the issue and initial patch development.
  3. Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.

Joomla CMS

Moderate CVE-2026-35222 CWE-89 Writeup Authenticated blind SQL injection in com_tags 15 min read

Summary

Joomla CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 were affected by improper validation of order clauses in com_tags. Authenticated attackers could manipulate generated SQL and infer database contents through blind SQL injection.

Disclosure timeline

  1. Reported to the Joomla Security Strike Team.
  2. First acknowledgment.
  3. Confirmation of the issue and initial patch development.
  4. Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.

Joomla CMS

Moderate CVE-2026-35221 CWE-89 Writeup Authenticated blind SQL injection in com_finder 15 min read

Summary

Joomla CMS 5.4.0 through 5.4.5 and 6.0.0 through 6.1.0 were affected by improperly constructed filter clauses in the com_finder search query. Authenticated attackers could influence the SQL query and infer database contents through blind SQL injection.

Disclosure timeline

  1. Reported to the Joomla Security Strike Team.
  2. First acknowledgment.
  3. Confirmation of the issue and initial patch development.
  4. Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.

ChurchCRM

High CVE-2026-39334 CWE-89 Authenticated blind SQL injection in SettingsIndividual.php

Summary

In ChurchCRM 7.0.5, settings input handled by SettingsIndividual.php could be used by an authenticated user to influence a SQL query. The issue enabled blind SQL injection behavior that could expose sensitive database contents.

Disclosure timeline

  1. Report published to ChurchCRM and initial triage.
  2. GitHub advisory published and CVE assigned.

ChurchCRM

High CVE-2026-39330 CWE-89 Authenticated blind SQL injection in PropertyAssign.php

Summary

In ChurchCRM 7.0.5, property assignment handling in PropertyAssign.php exposed a blind SQL injection path for authenticated users. Attackers could infer database contents and potentially alter application data through injected SQL.

Disclosure timeline

  1. Report published to ChurchCRM and initial triage.
  2. GitHub advisory published and CVE assigned.

ChurchCRM

High CVE-2026-39329 CWE-89 Authenticated blind SQL injection in EventNames.php

Summary

In ChurchCRM 7.0.5, event-name management in EventNames.php exposed SQL injection behavior to authenticated users with access to the affected configuration path. Successful exploitation could expose or modify ChurchCRM database records.

Disclosure timeline

  1. Report published to ChurchCRM and initial triage.
  2. GitHub advisory published and CVE assigned.

ChurchCRM

High CVE-2026-39327 CWE-89 Authenticated SQL injection in MemberRoleChange.php

Summary

In ChurchCRM 7.0.5, authenticated users with group and role management privileges could inject SQL through the MemberRoleChange.php role update flow. Depending on deployment configuration, this could provide database read/write access and potential privilege escalation.

Disclosure timeline

  1. Report published to ChurchCRM and initial triage.
  2. GitHub advisory published and CVE assigned.

ChurchCRM

High CVE-2026-39326 CWE-89 Authenticated blind SQL injection in PropertyTypeEditor.php

Summary

In ChurchCRM 7.0.5, property type editing in PropertyTypeEditor.php accepted authenticated input that could influence SQL statements. The issue could lead to database compromise, including data extraction or modification.

Disclosure timeline

  1. Report published to ChurchCRM and initial triage.
  2. GitHub advisory published and CVE assigned.

ChurchCRM

High CVE-2026-39325 CWE-89 Authenticated blind SQL injection in SettingsUser.php

Summary

In ChurchCRM 7.0.5, user settings handling in SettingsUser.php exposed an authenticated blind SQL injection path. Attackers could infer and extract database data through timing-based or boolean blind SQL techniques.

Disclosure timeline

  1. Report published to ChurchCRM and initial triage.
  2. GitHub advisory published and CVE assigned.

ChurchCRM

High CVE-2026-39319 CWE-89 Second-order SQL injection via FundRaiserEditor.php

Summary

ChurchCRM 7.1.2 and earlier allowed stored input from FundRaiserEditor.php to become executable SQL later in the fundraiser workflow. This second-order SQL injection could lead to database compromise once the malicious stored value was processed.

Disclosure timeline

  1. Report published to ChurchCRM and initial triage.
  2. GitHub advisory published and CVE assigned.

Bug bounties

1 finding

Firedancer

Medium CWE-617 Race condition in the netshred module

Summary

Before Frankendancer Mainnet v0.910.40000 a race condition in the netshred module could lead to a remotely triggerable Denial of Service.

Disclosure timeline

  1. Reported to Immunefi via the Firedancer v1 audit competition.
  2. First acknowledgment.
  3. Confirmation of the issue, initial patch development and acknowledgment that the finding is also valid for the Frankendancer bug bounty program.
  4. Fixed in Frankendancer Mainnet v0.910.40000.
  5. Bounty payout not happened yet...

Created CTF Challenges

2 challenges

Scanwich Station

Hard Web Pwn GPNCTF 2026 Writeup 14 min read

Summary

Hybrid web and pwn challenge about mass assignment, QR-code decoding, signed integer overflow, and GLIBC dynamic symbol poisoning. Published for GPNCTF 2026.

Smile at me

Hard Web GPNCTF 2025 Writeup 11 min read

Summary

Web challenge about URL parser differentials, strict CSP, and an XS-Leak using Scroll-to-Text Fragment behavior with lazy-loaded images. Published for GPNCTF 2025.

Certificates

1 certificate

Hack The Box Certified Penetration Testing Specialist

Certificate Writeup 8 min read

Summary

Completed the HTB CPTS path and passed the practical exam on the first attempt, including a full penetration-test report for the exam environment. The work focused on disciplined enumeration, Active Directory attack paths, web findings, and reproducible reporting.

Talks

1 talk

KITCTF Web Intro

Slides Overview

Summary

Introductory web security talk for KITCTF.

Relevant achievements

11 events

KITCTF

CTF Team KITCTF

Summary

Selected KITCTF team results across international CTFs and finals qualifiers.

Timeline

  1. KITCTF #3 at GlacierCTF 2025 #3 at GlacierCTF.
  2. FluxKITtens #6 at Google CTF 2025 #6 at Google CTF as the FluxKITtens merger team (FluxFingers and KITCTF), qualifying for the Hackceler8 finals in Mexico.
  3. KITCTF #3 at SwampCTF 2025 #3 at SwampCTF.
  4. KITCTF at SnakeCTF 2024 finals Qualified for and participated in the SnakeCTF finals in Italy.
  5. KITCTF #3 at GlacierCTF 2024 #3 at GlacierCTF, qualifying for DHM 2025 as KITCTF team.
  6. KITCTF #1 at SwampCTF 2024 #1 at SwampCTF.

DHM

CTF Competition DHM

Summary

Deutsche Hacking Meisterschaft (CSCG finals).

Timeline

  1. DHM 2025 participation Participated in the DHM finals after qualifying through CSCG.
  2. DHM 2024 #1 Placed #1 at the Deutsche Hacking Meisterschaft.

CSCG

CTF Competition CSCG

Summary

Cyber Security Challenges Germany: Qualified for DHM in 2024 and 2025.

Timeline

  1. CSCG 2025 top 10 global & DHM qualification Qualified for DHM again and finished top 10 globally.
  2. CSCG 2024 DHM qualification Qualified for DHM through CSCG.

Immunefi

Bug bounty Audit Competition Immunefi Bug Bounty Immunefi Audit Competition

Summary

Immunefi bug bounty & audit platform for smart contracts and DeFi projects.

Timeline

  1. Firedancer v1 audit competition Participated in the Firedancer v1 audit competition.