I built a web front end for an Nmap-based port scanner: a FastAPI backend, a React

dashboard, background scan jobs, a plugin system. It worked. Then I sat down and

audited it like an attacker would — and found a stack of real weaknesses, plus a

lesson in why you verify an exploit before you call it one.

This is the honest version: the holes I found, the unauthenticated-RCE chain I