Bug Fixes
- Fixed Stored XSS vulnerability in production builds: Uploaded SVG files now work correctly in production mode (`npm start`). Previously, files uploaded after build time returned HTTP 404 errors until the server was restarted. Files are now served dynamically through a new `/api/uploads/` API route with proper path traversal protection and MIME type validation.
Special thanks to @h0ng10 for identifying and reporting the issue.
Improvements
- Enhanced project documentation: Migrated from CLAUDE.md to Cursor rules and AGENTS.md for better integration with development environments.
- Updated README: Added new Repography statistics.
What's New
- Brute Force vulnerability walkthrough: Added walkthrough for the brute force flag challenge.
Documentation
- Fixed BOLA vulnerability documentation: Added missing `walkthroughSlug` field to the BOLA vulnerability.