security research & disclosure // 0x00001800 permissions read execute
Reported findings
Reported · 2026
World Monitor — Real-Time Global Intelligence Platform
Tauri 2 · Rust · TypeScript · 58.6k★ open-source project
Public disclosure: github.com/koala73/worldmonitor/pull/1103
IPC command exposure
Identified an unsafe inter-process command surface between the application’s frontend and backend, allowing unintended command execution across the IPC boundary.
Renderer-to-sidecar trust-boundary analysis
Mapped privilege and trust weaknesses across the renderer and Node.js sidecar boundary, revealing paths where the renderer could influence privileged sidecar operations.
Fetch-patch credential injection architecture
Uncovered a credential-injection vector in the network fetch-patching layer where attacker-controlled inputs could be smuggled into credentialed requests.
Cache key injection — WM-2026-001
Raw user queries in search-gdelt-documents.ts were interpolated directly into Redis cache keys with no length bound and no hashing, enabling cache-key poisoning and key-space exhaustion. Fixed with a 500-char cap and SHA-256 keying.
Weak hash collision surface — WM-2026-002
The attacker-controlled ?context= parameter in get-country-intel-brief.ts was hashed with FNV-1a (52-bit, non-cryptographic), creating a practical collision surface for cache poisoning. Replaced with truncated SHA-256 (64-bit).
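The two cache-key fixes above (WM-2026-001 and WM-2026-002), sketched as an added example that is not code from the World Monitor repository or the linked pull request. The key prefixes, function names, the choice to reject rather than truncate over-long input, the cap on context length and the country-code segment are all assumptions made for illustration.

```typescript
import { createHash } from "node:crypto";

// The 500-char cap, SHA-256 keying and 64-bit truncation come from the fixes
// described above; key prefixes and function names are hypothetical.
const MAX_QUERY_CHARS = 500;

function sha256Hex(input: string): string {
  return createHash("sha256").update(input, "utf8").digest("hex");
}

// "Before" shape (WM-2026-001): the raw query is the key suffix, so its
// length and any ":" delimiters inside it are chosen by the caller.
function unsafeSearchKey(query: string): string {
  return `gdelt:search:${query}`;
}

// "After" shape: bound the input first, then key on the full SHA-256 digest.
// Rejecting over-long input instead of truncating it is an assumption.
function searchKey(query: string): string {
  if (query.length === 0 || query.length > MAX_QUERY_CHARS) {
    throw new RangeError(`query must be 1..${MAX_QUERY_CHARS} characters`);
  }
  return `gdelt:search:v2:${sha256Hex(query)}`;
}

// WM-2026-002 shape: free-form context keyed by SHA-256 truncated to 64 bits
// (16 hex characters). The country-code segment and the length cap on
// context are assumptions, not details from the report.
function contextKey(countryCode: string, context: string): string {
  if (!/^[A-Z]{2}$/.test(countryCode)) {
    throw new RangeError("countryCode must be two uppercase letters");
  }
  if (context.length > MAX_QUERY_CHARS) {
    throw new RangeError(`context must be at most ${MAX_QUERY_CHARS} characters`);
  }
  return `intel:brief:${countryCode}:${sha256Hex(context).slice(0, 16)}`;
}

// Constructed sample inputs: hardened key size is fixed whatever is sent.
console.log(unsafeSearchKey("x".repeat(5000)).length);
console.log(searchKey("election protests").length);
console.log(contextKey("US", "trade policy"));
```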