Behind CVE-2025–26206: What I Found, How I Found It, and Why It Matters.

There’s a myth that you need years of formal training to find real, impactful vulnerabilities. But that’s not how many of us got started. History shows that breakthroughs often come from people asking questions others don’t, regardless of age.

Dylan became Microsoft’s youngest security researcher at 13. Jackson Henry was helping defend orgs against cybercrime by 17. Why? Because thinking differently matters more than ticking experience checkboxes. You don’t always know what not to try — and that’s a superpower.

I was 13 when I first asked, “How do hackers actually work?”

That question stuck.

Most adults would’ve waved it off. My parents didn’t. Instead of locking down my screen time, they let me explore.

I started with YouTube tutorials, random forums, and long hours trying to figure out how the web actually works. The learning curve was brutal, but I had something most adults don’t: time, and the freedom to fail often.

Finding CVE-2025–26206 wasn’t some lightning strike moment. It was months of focused testing, late nights, and refusing to quit just because things got hard.

I was digging through the Sell Done Storefront app, testing how it handled sessions and authentication. One night at 2 AM, I spotted it: The index.html component was allowing state-changing requests without CSRF protection.

CSRF vulnerabilities occur when three conditions align:

1. 1.A relevant action exists: something the attacker wants to induce


2. 2.Cookie-based session handling: the application relies solely on session cookies to identify users


3. 3.No unpredictable request parameters: the attacker can craft requests without knowing secret values

The Selldone Storefront vulnerability existed due to the absence of anti-CSRF tokens. This meant an attacker could craft malicious requests that would be executed by an authenticated user without their knowledge, leading to privilege escalation.

Here’s how a CSRF attack typically works (using a hypothetical banking example for illustration):

A legitimate bank transfer request might look like:

POST /transfer HTTP/1.1
Host: bank.com
Cookie: sessionid=abc123
Content-Type: application/x-www-form-urlencoded

amount=100&to_account=12345

An attacker could create a malicious webpage with this form:

<form action="https://bank.com/transfer" method="POST" id="malicious">
  <input type="hidden" name="amount" value="5000">
  <input type="hidden" name="to_account" value="attacker123">
</form>
<script>document.getElementById('malicious').submit();</script>

When a logged-in user visits this malicious page, their browser automatically sends their session cookie with the request. The bank’s server, seeing a valid session cookie, processes the transfer without the user’s knowledge.

In CVE-2025–26206, the same principle applied to privilege escalation. An attacker could trick authenticated users into performing unintended actions that elevated the attacker’s privileges within the Selldone Storefront application.

Discovering a bug is only half the job. Reporting it responsibly is the rest.

As a student, I was nervous reaching out to a software vendor. The imposter syndrome was real. But I learned something important: in security, what you know matters more than who you are.

Responsible disclosure best practices followed:

• 1.Wrote clear documentation including the exact product version affected, proof-of-concept code, steps to reproduce, and impact assessment


• 2.Built proof-of-concept exploits that demonstrated the vulnerability without causing harm


• 3.Contacted the vendor privately using their published security contact information

Waited out the 90-day disclosure period — the industry standard timeline that gives vendors time to develop and deploy patches

The 90-day disclosure timeline has become an industry standard. This framework allows:

• 1.90 days for the vendor to develop and deploy a fix


• 2.Additional 30 days (optional) for the security update to reach end users


• 3.Early disclosure if the vendor releases a patch sooner

Some organizations, like Google’s Project Zero, pioneered this approach to balance giving vendors adequate time to fix issues while ensuring vulnerabilities don’t remain secret indefinitely.

When CVE-2025–26206 was published in the National Vulnerability Database with a CVSS score of 9.0 (Critical), it was surreal. My name was listed alongside veteran researchers. That moment taught me: perspective can matter more than experience.

→ Compound Learning Pays Off: Every tutorial, failure, and late-night debug session adds up. Like compound interest, your knowledge grows exponentially if you just keep going.

→ Confidence Needs Calibration: You need a kind of wild belief that you can find what others missed, but it has to be balanced with structure, testing, and the humility to be wrong.

→ Think Differently, Not Just Harder: Following standard playbooks gets standard results. The real value is in connecting dots others haven’t, especially when you’re not weighed down by “best practices.”

→ Communication is a Skill Too: Technical knowledge is powerful. But being able to explain it clearly — from the technical details to the business impact — turns that knowledge into meaningful change.

→ Persistence Trumps Perfection: CVE-2025–26206 wasn’t found because I was smarter than everyone else. It was found because I kept looking where others had already moved on.

• You won’t ever feel “ready.” Start anyway.


• Document your learning publicly. The feedback loop matters.


• Don’t just hunt bugs, understand them. Know why they exist.


• Talk to people. Tools are great. Mentors are better.

Finding a CVE at 17 wasn’t the finish line. It was a signal. That with curiosity, patience, and persistence, age stops mattering.

Success in this field isn’t about knowing everything. It’s about asking better questions, sticking with hard problems, and being open to what others ignore.

And if you’re young, that’s your edge. You haven’t yet learned what you “shouldn’t” do, so do it.

If you’re curious about cybersecurity, follow it.

Even if you’re young. Especially if you’re young.

You don’t need permission.

You don’t need all the answers.

You just need to care enough to keep digging.

The next critical vulnerability is out there, waiting for someone with fresh eyes to find it. That someone could be you.

Found something cool? Got a question? Just vibing with the post? DMs are open. Don’t be a stranger.

→ linktr.ee/sibhi
Let’s build, break, and learn together.