Interests

  • Web & Mobile Security
  • Browser Security
  • CTF & Bug Bounty

Education

2025.08 – present

M.S. in Computer Science and Engineering

Ulsan National Institute of Science and Technology, @UNIST WebSec Lab

Advisor: Seongil Wi

2021.03 – 2025.08

B.S. in Industrial Security & Police Science & Crime Investigation Software

Dongguk University, Korea

Publications

[1] BUIzz: Finding Policy Enforcement Bugs via Interaction Simulation on the Browser User Interface

Mingi Jung, Donggyu Kim, Mijung Kim, Seongil Wi

In Proceedings of the USENIX Security Symposium (USENIX Security), 2026

[2] SandVenture: Escaping JavaScript Sandboxes with Objective-driven Input Generation

Mingi Jung, Hyeon Heo, Seongil Wi

In Proceedings of the IEEE European Symposium on Security and Privacy (IEEE EuroS&P), 2026 (Acceptance Rate: 17.83%)

Honors

IBSM Award (Outstanding Graduate Student Award) UNIST  ·  2026.02.04

Security Bugs

CVE

CVE-2026-34514 aio-libs (aiohttp) HTTP header injection via CRLF
CVE-2026-21932 Oracle (Oracle Java SE) Unauthorized data modification via network access
CVE-2026-0877 Mozilla (Firefox Browser) DOM security mitigation bypass
CVE-2025-69235 Naver (Whale Browser) Same-Origin Policy bypass
CVE-2025-69234 Naver (Whale Browser) Iframe sandbox escape
CVE-2025-62585 Naver (Whale Browser) CSP bypass
CVE-2025-62584 Naver (Whale Browser) Same-Origin Policy bypass
CVE-2025-62583 Naver (Whale Browser) Iframe sandbox escape
CVE-2025-53791 Microsoft (Edge Browser) Security feature bypass
CVE-2025-53600 Naver (Whale Browser) Same-Origin Policy bypass
CVE-2025-48980 Brave Software (Brave Browser) SameSite cookie bypass
CVE-2025-32792 Endo (Secure ECMAScript) Lexical scope exposure in SES sandbox
Discovered via Strategy 5 of our IEEE EuroS&P 2026 paper, SandVenture: Escaping JavaScript Sandboxes with Objective-driven Input Generation. Web pages and extensions using ses and the Compartment API to evaluate third-party code in an isolated environment inadvertently expose const, let, and class bindings declared in the top-level scope of a <script> tag to the lexical scope of untrusted third-party code.

Acknowledgement

MSRC 2026 Bounty Technical Leaderboard Microsoft (Edge) · Rank #8
Mozilla Bug Bounty Hall of Fame Mozilla Foundation · 2026 Q1
NBB-2026-0007 Naver Corporation
NBB-2025-0211 Naver Corporation
NBB-2025-0209 Naver Corporation
KV-2025-186 Kakao Corporation
KV-2025-185 Kakao Corporation

Contact

Office Ulsan National Institute of Science and Technology, Ulsan