Kirill Firsov

@k_firsov

Followers: 2K | Following: 297 | Media: 15 | Statuses: 133

Founder and CEO at @FearsOff | Protecting the World’s Top Crypto Exchanges & Financial Institutions | Cybersecurity Enthusiast

Dubai, United Arab Emirates
Joined April 2011
@k_firsov
Kirill Firsov
1 month
My research on CVE-2025-49113 is out. Happy reading! #CVE #roundcube #poc @FearsOff
@k_firsov
Kirill Firsov
15 days
7. And that's how you bypass Cloudflare WAF using Cloudflare’s own rules 😎. No IP leaks, no magic tricks. Just read the docs and follow my tips 😉.
@k_firsov
Kirill Firsov
15 days
6. Send the request. No challenge, no CAPTCHA, no block. Just a clean 200 OK. Your payload goes straight to the origin 🎯
@k_firsov
Kirill Firsov
15 days
5. That's your way in. Craft a POST request and prepend junk data to reach the limit. Put your SQLi payload after that. Cloudflare won't see it. The WAF gives up scanning after the limit is reached.
@k_firsov
Kirill Firsov
15 days
4. Just check Cloudflare's own docs 👀. Cloudflare only inspects the body of a request up to a certain size. Enterprise: 128 KB. Everyone else: much lower.
@k_firsov
Kirill Firsov
15 days
3. You start hunting for the real IP. Shodan, Censys, subdomains. Hours go by. Nothing works. Cloudflare is doing its job well. But what if I told you there's a way around it?
@k_firsov
Kirill Firsov
15 days
2. You're testing a login form. There's SQLi in the password field. You try something like: password' or 1='. 1. But instead of a response, Cloudflare hits you with: "Attention Required! | Cloudflare". Brutal.
@k_firsov
Kirill Firsov
15 days
How to bypass Cloudflare WAF? @FearsOff #bugbountytips #cloudflare #waf #bypass 1. Found an SQL injection but getting blocked by Cloudflare? Here's a pro tip 😏
@k_firsov
Kirill Firsov
1 month
@FearsOff Since many other teams have already released their PoC, here’s mine: Also, the previously blurred parts of the article are now visible.
@k_firsov
Kirill Firsov
1 month
Files from the video on github but without PoC
@k_firsov
Kirill Firsov
1 month
The exploit for CVE-2025-49113 is already available for sale on the dark web. I feel sorry for anyone who hasn’t upgraded to the newest version yet. Doomsday is coming, believe me. #roundcube #CVE @FearsOff
@k_firsov
Kirill Firsov
1 month
If you’re using cPanel, Plesk, ISPConfig, or DirectAdmin, you’re likely in the line of fire for CVE-2025-49113 – all of them bundle Roundcube by default. If your server/website exposes any of these ports: 2083, 2086, 2087, or 2096, you’re vulnerable. #CVE #roundcube @FearsOff
@k_firsov
Kirill Firsov
1 month
The correct CVE ID now is CVE-2025-49113.
@k_firsov
Kirill Firsov
1 month
check PoC demo now
@k_firsov
Kirill Firsov
1 month
Here is a PoC demonstration for you guys! #roundcube #cve #fearsoff
@k_firsov
Kirill Firsov
1 month
Here is a PoC demonstration for you guys! #roundcube #cve #fearsoff
@k_firsov
Kirill Firsov
1 month
Excited to share that I reported CVE-2025-48745, Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization. This bug has existed undetected for 10 years and affects over 53 Million hosts. Details and PoC will be published soon. We're giving time to all affected parties to.
@k_firsov
Kirill Firsov
2 months
RT @mar1hachem: 🚨 Coinbase Breach = Bug Bounty Reality Check 🚨. Yesterday, bribed support agents leaked about 1% of @coinbase users’ perso….
@k_firsov
Kirill Firsov
2 months
🥈 Scored the 2nd-highest bounty on @Hacker0x01 and broke into the Top 10 leaderboard three times in the past 30 days! Huge thanks to @cryptocom for trusting us with their security—now, back to hunting. 🐛🚀 #BugBounty #EthicalHacking #Cybersecurity
@k_firsov
Kirill Firsov
3 months
RT @FearsOff: 🚨 Another Major Milestone Unlocked! 🚨. We’re proud to announce that FearsOff has officially claimed the #1 spot on @Official_….