Tağmaç | Cyber Security Researcher & Exploit Developer

About

Learn more about him

Tagmac Han

Expert Cyber Security Consultant & Back-End Developer

Tağmaç started learning to program at a young age, turned the hobby into a business, and began earning money from freelance work while still in secondary school.

As he went deeper into programming languages, Tağmaç found vulnerabilities in the projects he had written himself, began researching how to close them, and in doing so stepped into cyber security.

He found his first vulnerability at the age of 13, in a web application he had developed himself. Wanting to improve in this field, Tağmaç started doing security research. He has found and reported vulnerabilities in many web and mobile applications, browser plug-ins, and desktop software. Sometimes, when he gets bored, he finds security vulnerabilities in open source applications, writes exploitation code for them, and publishes it on the Exploit-DB platform.

Tağmaç likes a challenge: he learns programming languages he does not yet know, develops new projects in them, and is constantly learning something new. He continues to run tests and research on more than 10 servers of his own at home.

He still works as a vulnerability researcher in his spare time.

  • Birthday: 15 January
  • Website: tagmachan.com
  • City: Ankara, TURKEY

Developed Projects

Vulnerabilities Found in Enterprise Products

Programming Languages Known

Developed Exploit Codes

Total CVEs

Skills

Security Research in Web Applications 95%
Back-End Development 90%
Security Research in Mobile Application 70%
Security Research in Cloud 50%
Front-End Development 40%
.NET / .NET Core 90%
Python 80%
PHP 70%
Java 50%
Node JS 30%

Resume

Check His Resume

Summary


He has spent 9+ years working on development, server installation, network configuration and cyber security. Depending on the engagement, he has worked on both the blue team and the red team.

  • Web Application [ Black-Gray-White Box ] Pentest
  • Mobile Application [ Black-Gray-White Box ] Pentest
  • Network Application [ Black-Gray-White Box ] Pentest
  • Microservice Application [ Black-Gray-White Box ] Pentest
  • Cloud [ Black-Gray-White Box ] Pentest
  • Television and Television Application Black Box Pentest
  • EDR Bypass
  • Windows/Linux/CentOS Server Configuration & Management
  • Network Firewall Configuration & Management
  • Web Firewall Configuration & Management & Testing
  • Malware Analysis
  • SIEM Configuration & Management
  • Back-End Development

Education

Master's Degree in Cyber Security

2023 - 2025

Ahmet Yesevi University

Management Information Systems

2018 - 2023

Anadolu University

Computer Programming

2013 - 2015

Cumhuriyet University

Professional Experience

Senior Cyber Security Consultant

2022 - Present

Presidency of the Republic of Türkiye

  • Red Teaming Service
  • Development

Cyber Security Consultant & Backend Developer

2023 - 2024

beIN Media Group

  • Red Teaming Service
  • Development

Senior Cyber Security Expert

2022 - Present

BilgeAdam Technology

  • Red Teaming Service
  • Consulting

Cyber Security Expert & Backend Developer

2018 - 2022

beIN Media Group

  • Red Teaming Service
  • Back-End Development
  • Full-Stack Development

Cyber Security Researcher & Backend Developer

2015 - 2018

Freelancer

  • Red Teaming Service
  • Back-End Development
  • Full-Stack Development

Cyber Security Researcher & IT Consultant

2013 - 2015

Cumhuriyet University

  • Red Teaming Service
  • Server Installation, Management, Configuration
  • VMware ESXi Management
  • Network Configuration & Management

Exploits & Projects

Source Code Repository

Name / Category / Date / Description

  • AccessContextFuzzer - Burp Suite Extension [ Project ] - Wed May 27 2026
    A Burp Suite extension for automated access control bypass, path traversal, and Web Cache Deception testing. Features 40+ header spoofing techniques, smart anomaly detection, and a four-phase WCD exploitation pipeline — lab-proven on official PortSwigger Web Security Academy challenges.

  • CVE-2025-69460 - Simple Image Gallery 1.0 - Remote Code Execution (Unauthenticated) - Exploit Code [ Exploit ] - Wed Jan 21 2026
    CVE-2025-69460: Unauthenticated Remote Code Execution (RCE) vulnerability in Simple Image Gallery 1.0. Zero-day discovery and exploit by Tağmaç 'Tagoletta'.

  • CVE-2025-69459 - Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) - Exploit Code [ Exploit ] - Wed Jan 21 2026
    CVE-2025-69459: Broken Access Control vulnerability allowing Admin Account Creation in Movie Rating System 1.0. Zero-day discovery and exploit by Tağmaç 'Tagoletta'.

  • CVE-2025-69458 - Movie Rating System 1.0 - SQL Injection to RCE (Unauthenticated) - Exploit Code [ Exploit ] - Wed Jan 21 2026
    CVE-2025-69458: Unauthenticated SQL Injection to Remote Code Execution (RCE) vulnerability in Movie Rating System 1.0. Zero-day discovery and exploit by Tağmaç 'Tagoletta'.

  • CVE-2025-69457 - Responsive Tourism Website 3.1 - Remote Code Execution (Unauthenticated) - Exploit Code [ Exploit ] - Wed Jan 21 2026
    CVE-2025-69457: Unauthenticated Remote Code Execution (RCE) vulnerability in Responsive Tourism Website 3.1. Zero-day discovery and exploit by Tağmaç 'Tagoletta'.

  • CVE-2023-38890 - Online Shopping Portal 3.1 Remote Code Execution - Exploit Code [ Exploit ] - Wed Jan 21 2026
    CVE-2023-38890: Unauthenticated SQL Injection to Remote Code Execution (RCE) vulnerability in Online Shopping Portal 3.1. Zero-day discovery and exploit by Tağmaç 'Tagoletta'.

  • Daily CVE Reporter [ Project ] - Tue Dec 30 2025
    Daily CVE Reporter is an automated security tool designed to keep researchers updated on the latest vulnerabilities. It fetches new CVEs from the National Vulnerability Database every 24 hours, automatically detects whether a Proof of Concept (PoC) exploit exists, and presents the data in a clean, interactive HTML report.

  • Daily AbuseIP Collector [ Project ] - Sun Dec 15 2024
    The Daily AbuseIP Collector is a .NET 9.0 console application designed to run as a background service within a Docker container. Its primary purpose is to automatically fetch, filter, and store a list of abusive IP addresses from a public blocklist into a MongoDB database.

  • Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated) - Exploit Code [ Exploit ] - Wed Aug 18 2021
    Zero-day exploit code for Traffic Offense Management System RCE.

Blog

His Works

SSRF to Cloud Credentials: Stealing AWS IAM Tokens via Metadata API

Thu May 28 2026

How a single Server-Side Request Forgery vulnerability can escalate to full AWS/GCP/Azure account compromise by targeting cloud instance metadata services — and why the 452% SSRF surge in 2024 matters.

HTTP Request Smuggling: Exploiting Front-End/Back-End Parsing Desync

Thu May 28 2026

How attackers exploit disagreements between front-end and back-end servers on where HTTP requests begin and end — and chain CL.TE desync attacks into account takeover, firewall bypass, and cache poisoning.

Blind SSTI to RCE: Exploiting Template Engines Without Output

Thu May 28 2026

How attackers detect and exploit Server-Side Template Injection when the application returns no output — using timing delays, DNS callbacks, and engine fingerprinting to achieve full remote code execution.

Prototype Pollution to RCE: Node.js Gadget Chains Explained

Wed May 27 2026

How injecting properties into JavaScript's Object.prototype poisons the entire Node.js process — and how gadget chains turn that pollution into remote code execution, demonstrated via CVE-2024-38999 in RequireJS.

Single-Packet Race Condition: Sub-Millisecond Web Exploitation

Wed May 27 2026

How the single-packet attack technique eliminates network jitter to exploit sub-millisecond race conditions in web applications — and how CVE-2024-58248 in nopCommerce was exploited using Burp Suite.

Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server

Wed May 27 2026

How Orange Tsai's Confusion Attacks exploit URL decoding inconsistencies across Apache modules to chain ACL bypass, SSRF, and unauthenticated RCE — #1 web hacking technique of 2024.