A Post Title That Took Over Your Account

A post title got reflected into a script tag, which gave me stored XSS. From there I pulled the victim’s session token from an API endpoint and reset their password without the old one. One click, full account takeover.

June 22, 2026 · 4 min · Youssef Elsayyad

Unauthenticated DB Access and Account Takeover via a Leaked Staging Domain

A hostname referenced inside a production JavaScript bundle pointed at a staging environment where every /api/admin/* route was reachable without authentication, including one that returned a password reset link for any user ID.

May 9, 2026 · 5 min · Youssef Elsayyad