Note
Hi there! I'm Valentin Lobstein (aka Chocapikk), Security Engineer & Exploit Developer @ LeakIX.
Passionate about vulnerability research, exploit development, and internet-wide vulnerability detection.
Committed to sharing knowledge and building open-source tools
π¨ CVE Contributions
| CVE Identifier | Description | Links |
|---|---|---|
| π CVE-2025-34433, CVE-2025-34441, CVE-2025-34442 | Unauthenticated RCE chain in AVideo via predictable salt bruteforce | Blog Β· VulnCheck |
| π CVE-2025-34452 | Path Traversal + SSRF in Streama leading to arbitrary file write | Blog Β· VulnCheck |
| π CVE-2025-34147 to CVE-2025-34152 | Multiple unauthenticated OS command injection vulnerabilities in the Shenzhen Aitemi M300 Wi-Fi Repeater (MT02). Affects: extap2g SSID, WISP-mode ssid, WPA2 key, PPPoE user, PPPoE passwd, time param in /protocol.csp?. Allows remote root code execution within Wi-Fi range. |
Part 1 Β· Part 2 |
| π CVE-2025-2611 | ICTBroadcast <= 7.4 β Unauthenticated RCE via cookie injection | GitHub |
| π CVE-2025-2609 & CVE-2025-2610 | Stored XSS in MagnusBilling 7.x (one unauthenticated) | Blog Β· VulnCheck |
| π CVE-2025-2292, CVE-2025-30004, CVE-2025-30005 & CVE-2025-30006 | Authenticated vulnerabilities in Xorcom CompletePBX β€ 5.2.35 | File Disclosure Β· Command Injection Β· Path Traversal Β· Reflected XSS |
| π CVE-2024-31819 | Unauthenticated RCE in WWBN AVideo via systemRootPath |
GitHub |
| π CVE-2024-30920 to CVE-2024-30929, CVE-2024-31818 | Research and exploitation in DerbyNet | GitHub |
| π CVE-2024-22899 to CVE-2024-22903, CVE-2024-25228 | Exploit chain in Vinchin Backup & Recovery | GitHub |
| π CVE-2024-3032 | Themify Builder < 7.5.8 β Open Redirect | WPScan |
| π CVE-2023-50917 | Remote Code Execution in MajorDoMo | GitHub |
π§° Skills & Languages
π Repositories
| Tool | Description | Link |
|---|---|---|
| WPProbe | Fast WordPress plugin enumeration | GitHub |
| LFIHunt | Scan & exploit Local File Inclusion (LFI) | GitHub |
| LeakPy | Query LeakIX.net API via Python | GitHub |
π Hall Of Fame
π¨ Exploit Development & PoC
All PoCs and Metasploit modules consolidated in:
Chocapikk/msf-exploit-collection
βοΈ LeakIX
-
Security Engineer
-
Notable finding: Massive PSaux ransomware attack affecting 22,000 CyberPanel instances (BleepingComputer)
-
Follow on Twitter: @leak_ix
πΆ Spotify
π§ Warning: May contain questionable bangers and guilty pleasures.
π All my work was done while vibing to tracker, synthwave, tribe / hardtek / frenchcore & video game music. It's here for a reason.
Caution
Please use the information and exploits provided in my repositories for educational purposes and responsible disclosure only. I am not responsible for any misuse or damage caused by using these tools, scripts, or exploits.