Mohammed Lachhab

Security Engineer LinkedIn

Mohammed Lachhab is a Security Engineer at Ostorlab, where he combines hands-on security research with content strategy. He conducts in-depth research on vulnerabilities, cybersecurity tools, and emerging threats to produce educational content that is both technically accurate and accessible. All articles are reviewed by the engineering team for technical rigor, helping Ostorlab communicate complex security topics clearly to professionals and security teams.
Articles by Mohammed Lachhab

Security

Twenty CRM Serverless Functions Expose Critical RCE and Permanent Unauthenticated Backdoor Risk (CVE-2026-26720) - PoC & Exploit

A technical breakdown of CVE-2026-26720, a CVSS 9.8 Critical authenticated Remote Code Execution vulnerability in Twenty CRM (≤ v1.15.0). Any workspace member can create and execute serverless functions that run unsandboxed with full access to process.env, leaking APP_SECRET, PG_DATABASE_URL, and all server-side credentials. When combined with webhook-triggered workflows exposed via PublicEndpointGuard, a single authenticated attacker can install a permanent unauthenticated RCE backdoor accessible from anywhere on the internet.

Mohammed Lachhab
Wed 15 April 2026

Security

CVE-2026-2599 : Unauthenticated PHP Object Injection → WP_HTML_Token POP Chain

A technical breakdown of CVE-2026-2599, a CVSS 9.8 Critical unauthenticated PHP Object Injection ...

Wed 25 March 2026

Security

GHSA-cr3w-cw5w-h3fj: 1-Click RCE in Saltcorn

Analysis of GHSA-cr3w-cw5w-h3fj, a CVSS 9.7 critical XSS-to-RCE vulnerability in Saltcorn (≤ 1.5....

Wed 11 March 2026

Security

CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin

A technical breakdown of CVE-2026-1357, a CVSS 9.8 critical unauthenticated remote code execution...

Fri 20 February 2026