About me

I am Application Security Researcher, static code analysis enthusiast, former Application Security Engineer, former Software Engineer with a solid development background. I have been on many sides: as a software developer, internal security auditor, external reporter, bug bounty submitter and triager.

I have started as a desktop and backend C++/C# developer. While one part of me enjoyed creating programs, my other passion always was finding cracks and breaking things. After some time I’ve moved into the Information Security field where I feel I found a balance: I enjoy writing security tools and performing technical security assessments. In my free time I like researching security of third party products (both closed and open source).

Open source projects I am or was actively developing:

Security Code Scan - Security static code analysis for C# and VB.NET.
Electronegativity - Vulnerability patterns detector for JavaScript/TypeScript Electron applications.

You can find me on Twitter, GitHub, Linkedin and you can reach me at jarlob📧gmail.com

Disclosures:

Path traversal in youtube-dl and yt-dlp leading to RCE - CVE-2024-38519
Insufficient markdown sanitization in nuget.org - CVE-2024-37304
LDAP injection in Redash - CVE-2020-36144
Several memory access violations in stb_image and stb_vorbis - CVE-2023-45676 and others
Buffer Overflow in uchardet
Buffer Overflows in Notepad++ - CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166
Stack exhaustion in jsonxx - CVE-2022-23460
Double free in jsonxx - CVE-2022-23459
Deserialization vulnerability in Orckestra C1 CMS - CVE-2022-24789
Arbitrary file write during TAR extraction in Apache Hadoop - CVE-2022-26612
Path traversal in the OWASP Enterprise Security API (ESAPI)- CVE-2022-23457
Partial path traversal in Apache Felix Atomos
Partial path traversal in Apache Karaf - CVE-2022-22932
Partial path traversal in Apache Pinot
Partial path traversal in Apache James Server - CVE-2022-22931
Path traversal in SharpZipLib - CVE-2021-32840, CVE-2021-32841, CVE-2021-32842
Path traversal in SharpCompress - CVE-2021-39208
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution in npm/arborist- CVE-2021-39135
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization in npm/node-tar - CVE-2021-37713
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links in npm/node-tar - CVE-2021-37712
Unauthenticated file read in Emby - CVE-2021-32833
Unauthenticated arbitrary file read in Jellyfin - CVE-2021-21402
Remote Code Execution and Local Elevation of Privileges in GoSign App
Weak JSON Web Token (JWT) signing secret in YApi - CVE-2021-27884
Undocumented template expression evaluation in the gajira-comment GitHub action - CVE-2020-14189
Undocumented template expression evaluation in the gajira-create GitHub action - CVE-2020-14188
Remote code execution (RCE) and elevation of privileges (EoP) in SmartStoreNET - CVE-2020-27996, CVE-2020-27997
Arbitrary code execution in DatabaseSchemaReader - CVE-2020-26207
Arbitrary Code Execution in FastReports - CVE-2020-27998
SQL Injection in Mailtrain - CVE-2020-24617
Path traversal vulnerability in Adobe git-server - CVE-2020-9708
Local privilege elevation vulnerability in Composer Windows installer - CVE-2020-15145
Authenticode signature validation bypass in Autodesk Dynamo BIM (CVE-2020-7079) and SoundSwitch
Authorization bypass in Tele2.lt self service website
Arbitrary code execution in Resource.NET (not fixed)
Arbitrary code execution in dnSpy
Path Traversal in Aspose.ZIP for .NET
RCE in Joplin desktop client
SQL injection in Xataface. (The fix)
SQL injection in PHP-MySQLi-Database-Class