Whoami

zsh — thedumpster
excal1bur@thedumpster:~$ whoami

Daniel Miranda Barcelona


pentester · offensive security researcher · RF/SDR
If it flies, it has an attack surface.

Daniel Miranda Barcelona (Excal1bur) finds and reports vulnerabilities in software that actually flies: mission-control frameworks, ground stations and embedded stacks. Confirmed fixes across NASA, ESA and operational MCS projects, with the technical writeups here in The Dumpster.

// proof_of_work
NASA · P1 P2 P3

NASA VDP: Letters of Recognition

SBN-Client, AIT-Core and ION-DTN. Full P1/P2/P3 trifecta across the program, all with confirmed fixes.

ESA · CVE-2026-54086

SLE API Java (sleapi-j)

Unauthenticated malformed ISP1 PDU triggers unhandled exceptions and resource leakage in ESA/ESOC ground-station software. Fixed and credited.

Basilisk · credited

Basilisk (CU Boulder)

Vulnerabilities in the AVSLab astrodynamics framework, credited as BSK-2026-001/002/003. Disclosure completed.

YAMCS · 3 CVEs

YAMCS mission control

User enumeration, missing rate limiting and LDAP injection in the framework behind real space ops.

CryptoLib · in progress

CryptoLib (NASA)

Vulnerabilities in NASA’s space data-link security library. Coordinated disclosure in progress.

INCIBE-CERT · public sector

Public-sector disclosure (Spain)

Non-intrusive analysis of a public-sector platform, reported and registered through INCIBE-CERT.

Exploit-DB · 4 entries

Public PoCs

Four entries on Exploit-DB, including the NTLM hash-leak PoC for CVE-2025-24071.

bug bounty · paid

CreatorIQ (private)

Paid vulnerability disclosure handled directly with CreatorIQ, a Skyscanner third-party vendor.

// build
OrbiDump · live

OrbiDump: real-time satellite tracking

Thousands of active satellites visualized live from Celestrak TLE data, with SGP4 orbit propagation over a 3D Earth, downlink metadata and an integrated WebSDR tuning panel. FastAPI · React · Three.js · PostgreSQL.

// writing

Technical writeups here in The Dumpster, plus CVE analysis on araintel.com (ES): React2Shell · Sudo chroot-to-root · Ghost in the share.

// arsenal

Payloads merged into the official Hak5 repo: Vault Exfiltrator · Vault Scanner. VulnWatch, an automated OSS repo-monitoring pipeline (currently private). More tools and PoCs on github.com/ex-cal1bur.

// certs
OSCP · in progress
eWPT
eJPT
Google Cybersecurity
ICCA
// contact

Available for freelance work in offensive security: space software, embedded systems, RF/SDR and web/app pentesting.

Zaragoza, Spain · CET · remote-friendly