the unofficial HackerOne disclosure timeline.
curl disclosed a bug submitted by stze
Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080)
28 Jun 2026

curl disclosed a bug submitted by b1gtang
mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0
26 Jun 2026

curl disclosed a bug submitted by tneelc
CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection
26 Jun 2026

Revive Adserver disclosed a bug submitted by doomtech
PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting
25 Jun 2026

Revive Adserver disclosed a bug submitted by garuthacktvist
XMLRPC login leak exposes valid session ID enabling unauthorized API access
25 Jun 2026

Revive Adserver disclosed a bug submitted by kanon4
Reflected XSS via unsanitised refresh parameter in zone invocation tag
25 Jun 2026

Revive Adserver disclosed a bug submitted by riodrwn
PHP code injection in delivery-limitation `logical` validation bypass
25 Jun 2026

Revive Adserver disclosed a bug submitted by an_gr_y
Stored XSS in maintenance tools via unescaped entity names
25 Jun 2026

Revive Adserver disclosed a bug submitted by an_gr_y
CSRF in zoneinclude.php allows unauthorized banner and campaign linking
25 Jun 2026

Revive Adserver disclosed a bug submitted by hakuopi
Missing ownership validation allows crossmanager trackercampaign linking
25 Jun 2026

Revive Adserver disclosed a bug submitted by kanon4
Reflected XSS in statsvideo.php via improperly encoded URL parameters
25 Jun 2026

Node.js disclosed a bug submitted by yushengchen
HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`
25 Jun 2026

Node.js disclosed a bug submitted by cyberjoker
Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)
25 Jun 2026

Node.js disclosed a bug submitted by tmeletlidis
Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat
25 Jun 2026

Node.js disclosed a bug submitted by tmeletlidis
Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching
25 Jun 2026

Node.js disclosed a bug submitted by 3d7omb
TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections
25 Jun 2026

Node.js disclosed a bug submitted by muhammaddaffa
Permission Model bypass via FileHandle.utimes() in the promises API
25 Jun 2026

Node.js disclosed a bug submitted by nssys
Proxy credentials leaked in ERR_PROXY_TUNNEL error message
25 Jun 2026

Node.js disclosed a bug submitted by kingsd
Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames
25 Jun 2026
BY DENIS WERNER - @NOBBD -