A (non-exhaustive) list of disclosed security vulnerabilities discovered by Radman Siddiki:

• CVE-2025-61787: Command Injection on Windows in Deno
• GHSA-wqm4-c3rp-jfr2: Regular Expression Denial-of-Service in ParserPower MediaWiki extension through link functions
• CVE-2025-11175: Regular Expression Denial-of-Service in DiscussionTools MediaWiki extension, allowing Denial-of-Service attacks against Wikipedia servers
• CVE-2025-56648: Lack of Origin Validation allows malicious websites to send XMLHTTPRequests to JavaScript bundler Parcel's development server and read the response to steal source code when developers visit them while running the server
• Cross-Site WebSocket Hijacking in JavaScript bundler Parcel's development server allows malicious websites to steal developers' source code when they visit them while running it
• HTTP Request Smuggling in the JavaScript runtime Bun
• Personally Identifiable Information leak due to SVG CSS sanitisation bypass in the Scratch block-based programming language's GUI
• Cross-Site Websocket Hijacking in the Farm JavaScript build tool's development server allowed malicious websites to steal developers' source code when they visit them while running it
• CVE-2025-48068: Cross-Site Websocket Hijacking in the Next.js JavaScript web framework's development server allowed malicious websites to steal developers' source code when they visit them while running it
• CVE-2025-25200: Regular Expression Denial-of-Service in the koa JavaScript web framework
• CVE-2025-32076: Regular Expression Denial-of-Service in the VisualData MediaWiki extension
• CVE-2024-47840: Stored Cross-Site Scripting in the Apex MediaWiki skin
• CVE-2024-40613: Regular Expression Denial-of-Service in Gadgets MediaWiki extension gave Wikipedia admins the ability to carry out Denial-of-Service attacks against its servers
• Regular Expression Denial-of-Service in the MassEditRegex MediaWiki extension
• Stored Cross-Site Scripting through interface messages in the OreDict MediaWiki extension
• CVE-2024-34500: Stored Cross-Site Scripting through interface message in the UnlinkedWikibase MediaWiki extension
• Cross-Site Request Forgery and Stored Cross-Site Scripting in the WikiForum MediaWiki extension
• CVE-2021-46147: Cross-Site Request Forgery in the MassEditRegex MediaWiki extension
• Insufficient Logging in the DataDump MediaWiki extension
• Improper Access Control in the DataDump MediaWiki extension
• CVE-2021-32774: Cross-Site Request Forgery in the DataDump MediaWiki extension
• Stored Cross-Site Scripting via sitename in the ScratchWikiSkin MediaWiki skin
• GHSA-9f3w-c334-jm2h: Cross-Site Request Forgery in the Report MediaWiki extension