diff --git a/README.md b/README.md
index 21c4dac..50ab076 100644
--- a/README.md
+++ b/README.md
@@ -3,3 +3,4 @@ jh
 cdsav
  kjhbvljhv
 wfewqfd
+acfdW
diff --git a/sample-vuln/app.py b/sample-vuln/app.py
new file mode 100644
index 0000000..ca33240
--- /dev/null
+++ b/sample-vuln/app.py
@@ -0,0 +1,22 @@
+
+@app.route("/load")
+from flask import request
+
+def load():
+    raw = request.args.get("data", None)
+    if not raw:
+        return {"error": "no data"}, 400
+
+    import json, binascii
+    try:
+        # PRECOGS_FIX: do NOT use pickle.loads on untrusted data; expect JSON encoded in hex instead
+        data_bytes = bytes.fromhex(raw)
+    except (ValueError, TypeError):
+        return {"error": "invalid hex data"}, 400
+
+    try:
+        obj = json.loads(data_bytes.decode("utf-8"))
+    except Exception:
+        return {"error": "failed to parse JSON payload; sending pickles is not allowed"}, 400
+
+    return {"loaded": str(obj)}
\ No newline at end of file