Top 10 publishers:
bobrov: 117
sp1d3rs: 86
geeknik: 84
linkks: 75
jobert: 70
nyymi: 67
someonenobbd: 62
ooooooo_q: 54
guido: 50
haxta4ok00: 49
Now on Twitter: the unofficial HackerOne disclosure timeline.

curl disclosed a bug submitted by osama-hamad
CVE-2026-5773: wrong reuse of SMB connection
29 Apr 2026

curl disclosed a bug submitted by m1llie
Use-after-free in `curl_easy_ssls_export()` during callback re-entrancy
29 Apr 2026

curl disclosed a bug submitted by h3zh3z
Heap-buffer-overflow in `Curl_ssl_push_certinfo_len()` sole bounds check is `DEBUGASSERT`
29 Apr 2026

curl disclosed a bug submitted by wi110w
Stack exhaustion in MIME multipart reading with deeply nested subparts
29 Apr 2026

PlayStation disclosed a bug submitted by gezine
PS4 BD-J privilege escalation using nested JAR
29 Apr 2026

IBM disclosed a bug submitted by jhon1231248e
IBM Aspera HTTP Gateway stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.
27 Apr 2026

Mozilla disclosed a bug submitted by icecream_23
Bypass of Restricted Keyword "Mozilla" in Display Name Field via Unicode Homoglyphs on addons.allizom.org
27 Apr 2026

pixiv disclosed a bug submitted by aaqibhussain
Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net
27 Apr 2026

pixiv disclosed a bug submitted by lainkusanagi
Non-premium user can disable Ads in Japanese version of dic.pixiv.net
27 Apr 2026

Weblate disclosed a bug submitted by alexb_616
Argument Injection in /manage/ssh/ via host parameter leads to sensitive file disclosure on Weblate
26 Apr 2026

Shopify disclosed a bug submitted by 0xd0ff9
mruby-engine: UAF in MRubyEngine#initialize enables local RCE
24 Apr 2026

Node.js disclosed a bug submitted by mbarbs
Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS
23 Apr 2026

Rocket.Chat disclosed a bug submitted by arccode
RBAC bypass on App log endpoints via `permissionRequired` typo any authenticated user reads admin-only Enterprise App logs
23 Apr 2026

Rocket.Chat disclosed a bug submitted by npc
Complete authentication bypass to admin permissions
22 Apr 2026

Nextcloud disclosed a bug submitted by nullcathedral
SVG filter primitives bypass remote image blocking, enabling email tracking without consent.
20 Apr 2026

Nextcloud disclosed a bug submitted by nullcathedral
position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.
20 Apr 2026

Nextcloud disclosed a bug submitted by nullcathedral
Unquoted body background attribute enables CSS injection that bypasses remote image blocking
20 Apr 2026

Nextcloud disclosed a bug submitted by nullcathedral
SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent
20 Apr 2026

curl disclosed a bug submitted by valvelvel
libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms
19 Apr 2026

BY DENIS WERNER - @NOBBD