• Beatriz Fresno Naumova
• Junior Pentester at Advens
• Final-year Computer Engineering student at the University of Salamanca

• Identification and exploitation of vulnerabilities in:

  • Web applications
  • Software
  • Infrastructure across public institutions and private organizations

• Vulnerability Research:

  • CVE discovery and publication
  • Proof of Concept (PoC) development

• Active participation in CTF (Capture The Flag) competitions as continuous offensive security training

• I am in a continuous learning process, expanding my technical skills through hands-on practice and progressively advanced cybersecurity certifications.

• Host of Hack The Box Salamanca, a Spanish-speaking ethical hacking community:
  • Practical and theoretical sessions
  • Technical talks
  • Collaborative challenge solving
• I enjoy working as a security researcher, discovering vulnerabilities in:
  • Web applications
  • Software
  • Infrastructure of both public and private institutions and reporting them responsibly
• Creator of custom vulnerable machines for training platforms:
  • The Hacker Labs: Facultad, CryptoLabyrinth
  • DockerLabs: Elevator, Pequeñas Mentirosas
• Member of the INCIBE Cybercooperators Program
• Interested in the impact of quantum computing on cybersecurity
• I share writeups, projects, scripts, and tools on my blog as part of continuous learning

• Technical writeups from various cybersecurity platforms published on my GitHub
• Scripts designed to automate and optimize CTF challenge solving
• Personal projects and experimentation in offensive security and quantum computing

• CVE-2025-52392 - Brute-force login vulnerability (Soosyze CMS)
• CVE-2025-60427 - Broken access control (LibreTime)
• CVE-2025-12630 - Arbitrary option disclosure (WordPress plugin)
• CVE-2025-11699 - Insufficient session cookie invalidation (nopCommerce)
• CVE-2025-64746 - Improper permission handling (Directus)
• CVE-2025-71164 - Reflected XSS in editor component (Typesetter CMS ≤ 5.1)
• CVE-2025-71165 - Reflected XSS in admin interface (Tools / Status) (Typesetter CMS ≤ 5.1)
• CVE-2025-71166 - Reflected XSS in admin status messages (Typesetter CMS ≤ 5.1)
• CVE-2025-15549 – Stored XSS via SVG upload in File Management (FluentCMS ≤ 0.0.5)
• CVE-2025-15550 – Cross-Site Request Forgery in GraphQL endpoint (birkir prime ≤ 0.4.0.beta.0)
• CVE-2025-71177 – Stored XSS via package creation and search functionality (LavaLite CMS ≤ 10.1.0)

• CVE-2025-9140 - SQL Injection PoC (Lingdang CRM 8.6.4.7)
  https://www.exploit-db.com/exploits/52420

• CVE-2025-52392 - Brute-force authentication PoC (Soosyze CMS 2.0)
  https://www.exploit-db.com/exploits/52416

• CVE-2025-10327 - Remote Command Execution (RPi-Jukebox-RFID 2.8.0)
  https://www.exploit-db.com/exploits/52468

• CVE-2025-10666 - Stack-based Buffer Overflow (DoS) PoC (D-Link DIR-825 Rev.B ≤ 2.10)
  https://www.exploit-db.com/exploits/52469

• CVE-2025-10370 - Stored Cross-Site Scripting (XSS) PoC (RPi-Jukebox-RFID 2.8.0)
  https://www.exploit-db.com/exploits/52470

• CVE-2024-23334 - Directory Traversal PoC (aiohttp ≤ 3.9.1)
  https://www.exploit-db.com/exploits/52474

• CVE-2025-24514 / CVE-2025-1974 / CVE-2025-1097 / CVE-2025-1098 - FD Injection to RCE (Ingress-NGINX Admission Controller v1.11.1)
  https://www.exploit-db.com/exploits/52475

• CVE-2025-32023 - Remote Code Execution via HyperLogLog overflow (Redis ≥ 8.0.0, < 8.0.3)
  https://www.exploit-db.com/exploits/52477

• CVE-2025-24054 - NTLM Hash Disclosure Spoofing (Windows 10 / 11)
  https://www.exploit-db.com/exploits/52478

• CVE-2023-4911 - Local Privilege Escalation (glibc “Looney Tunables” ≤ 2.38)
  https://www.exploit-db.com/exploits/52479

• CVE-2025-24054 - Spoofing Vulnerability (Windows 10.0.17763.7009)
  https://www.exploit-db.com/exploits/52480

📄 Detailed technical analysis, advisories and additional PoCs are available on my blog.