- I’m an independent security researcher from Italy, currently working in the cybersecurity sector mainly as a bug bounty hunter and penetration tester. I enjoy playing in hacking competitions and getting better. You can check writeups and other material on cybersecurity and bug bounty topics on this blog.
- Some things I brag about
- CVE-2025-5062 Blind XSS leading to an admin account with full privileges on every website built with WordPress and WooCommerce (fixed in version 9.4.3)
- CVE-2024-48917 XXE in the new version, using a UTF-7-encoded payload and appending a comment containing the value encoding="UTF-8" at the end of the file to satisfy the flawed regex in the code
- CVE-2024-47873 XXE via regex bypass by using UCS-4 and encoding guessing in PHPSpreadSheet
- CVE-2024-21627 Bypass of the Validate::isCleanHTML method, leading to XSS in every input sanitized with that method in the PrestaShop CMS
- CVE-2022-4105 Markdown injection leading to Stored XSS in the KiwiTCMS library, with possible account takeover and exploitation of various endpoints
- CVE-2023-27489 another Stored XSS in KiwiTCMS
- CVE-2023-32686 Stored XSS with weak WAF bypass and CSP bypass in KiwiTCMS.
- Telecom Italia's Responsible Disclosure Hall of Fame
- Identified hundreds of critical vulnerabilities across various companies through bug bounty platforms, earning top positions on leaderboards of well-known organizations
- A lot of things I can't share in public :(
- If you want to contact me for a job, for my resume, or just to ask me something, drop a line here :)
- Blog Posts