I built a web front end for an Nmap-based port scanner: a FastAPI backend, a React
dashboard, background scan jobs, a plugin system. It worked. Then I sat down and
audited it like an attacker would — and found a stack of real weaknesses, plus a
lesson in why you verify an exploit before you call it one.
This is the honest version: the holes I found, the unauthenticated-RCE chain I






