Acorn MFG is a US-based manufacturing and e-commerce platform selling industrial supplies, hardware, and specialty tools at acornmfg.com. The site handles customer accounts, wholesale ordering, payment processing, admin backoffice panels, CMS product management, and file upload workflows — fertile ground for admin access escalation, shell/RCE, XSS-to-file-upload chains, and database extraction if any boundary slips.

In scope materially: every HTTP(S) origin answering for acornmfg.com and delegated subdomains, admin and staff portals, CMS and product management interfaces, customer database and order records, checkout and payment processing flows, file upload endpoints, API integrations, staging or preview environments.
Civil exclusions only: mass harassment, ransomware, laundering.

One flat tier. Multiple criticals from the same researcher are paid independently.

Everything Acorn MFG operates at acornmfg.com and its subdomains.

• Admin and staff backoffice panels — authentication bypass, privilege escalation
• File upload endpoints — unrestricted upload, path traversal, web shell deployment
• XSS vectors — stored, reflected, DOM-based chaining to session theft
• Shell/RCE — command injection, template injection, SSRF-to-RCE
• Customer database — SQL injection, data extraction of PII and order records
• Checkout and payment flows — price manipulation, order tampering
• CMS and product management — content injection, media library abuse
• API endpoints — REST and GraphQL surfaces, authentication flaws, IDOR
• Staging / dev environments — dev-, staging-, test- subdomains

Every endpoint, parameter, and admin interface is eligible when a critical impact is reproducible.

• Every hostname routing through Acorn MFG edge
• Third-party integrations when the vulnerability originates from Acorn MFG
• Admin subdomains — admin, dashboard, backoffice

1. Prove exploitation success. Replayable curl flows, Burp/HAR exports, web shell access logs.
2. Articulate kill chain. Number each hop: initial vector → escalation → admin access → data exfiltration.
3. Document blast radius. Quantify users or records affected.
4. Encrypt & ship privately. Sanctioned intake before broadcasting.
5. Duplicate fairness. First fully qualifying chain wins.

Start from the security contact on acornmfg.com.

# Title
[Critical][Exploit-Proven] <tight title>
## Attack chain narrative
1. Preconditions
2. Entry primitive — exact HTTP verb/path/query/body
3. Pivot(s) chaining trust escalation
4. Final hop → admin access / data exfiltration / shell
## Successful exploitation evidence
• Replayable script + truncated responses
• HAR / Burp with unauthorized state change
## Reproduction package
Commands + fixtures + pinned SHAs

Unsanitized search parameter passed directly to SQL query — extract customer data via UNION-based injection.

// BUGGY: unsanitized search input in SQL query
<?php
$search = $_GET['q'];
$results = $db->query("SELECT * FROM products WHERE name LIKE '%$search%'");

// No prepared statement — UNION injection extracts customer table
// GET /search?q=' UNION SELECT id,email,password,cc FROM customers --