visitor@0xManticore:~$whoami

0xManticore

Saleh Elsayed (Senior Cybersecurity Consultant)

I am an offensive security specialist. I run penetration tests and red team engagements across web, API, mobile, network, Active Directory, and cloud environments, and I do vulnerability research and bug bounty hunting. My work is finding the way in before someone else does, then writing it up clearly enough to get fixed.

Hall of Fame

Cisco
Adobe
Amazon
Brave
OPPO
X (Twitter)
Xiaomi
Expedia
Booking.com
Yelp
Kiwi.com

and many more across public and private programs

  • 5+yrsin offensive security
  • 2000+vulnerabilities found
  • 10+industry certifications
  • 4published CVEs

Certifications

  • OSEP badge, OffSec Experienced Penetration TesterOffSec Experienced Penetration Tester
  • OSWE badge, OffSec Web ExpertOffSec Web Expert
  • OSCP badge, OffSec Certified ProfessionalOffSec Certified Professional
  • OSWP badge, OffSec Wireless ProfessionalOffSec Wireless Professional
  • CRT badge, CREST Registered Penetration TesterCREST Registered Penetration Tester
  • CPSA badge, CREST Practitioner Security AnalystCREST Practitioner Security Analyst
  • CWES badge, Hack The Box Certified Web Exploitation SpecialistHack The Box Certified Web Exploitation Specialist
  • KLCP badge, Kali Linux Certified ProfessionalKali Linux Certified Professional

Work History

Research and CVEs

  1. CVE-2026-7798CVSS 5.4 · Medium

    FluentCRM · CRM and email marketing platform

    An unauthenticated request could make the application issue server-side requests to attacker-chosen destinations, a path toward internal services. Affected up to version 2.9.87.

  2. CVE-2026-39449CVSS 7.1 · High

    Contact Form to Any API · WordPress plugin, IT Path Solutions

    An unauthenticated attacker could run script in a visitor’s browser through a crafted request, affecting all plugin versions up to 3.0.3.

  3. CVE-2026-57326CVSS 6.1 · Medium

    Business Directory · WordPress plugin, Strategy11

    An unauthenticated attacker could run script in the browser of a user viewing an affected page. Fixed in version 6.4.23.

Competitions and awards

Speaking

  • Black Hat MEA2024

    Speaker

    Prompt Injection: A Newly Emerging Threat in the World of Artificial Intelligence

    Riyadh, one of the largest cybersecurity conferences in the region.

    speaker profile

Get in touch

The fastest way to reach me is email. I am happy to talk about assessments, research, disclosure, or anything else on this page.