Top 10 publishers (number of disclosed reports):

  bobrov        117
  sp1d3rs        86
  geeknik        84
  linkks         75
  jobert         70
  nyymi          67
  someonenobbd   62
  ooooooo_q      54
  guido          50
  haxta4ok00     49
Now on Twitter: the unofficial HackerOne disclosure timeline.
20 Apr 2026  Nextcloud disclosed a bug submitted by nullcathedral: "SVG filter primitives bypass remote image blocking, enabling email tracking without consent."

20 Apr 2026  Nextcloud disclosed a bug submitted by nullcathedral: "position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays."

20 Apr 2026  Nextcloud disclosed a bug submitted by nullcathedral: "Unquoted body background attribute enables CSS injection that bypasses remote image blocking"

20 Apr 2026  Nextcloud disclosed a bug submitted by nullcathedral: "SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent"

19 Apr 2026  curl disclosed a bug submitted by valvelvel: "libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms"

19 Apr 2026  curl disclosed a bug submitted by fg0x0: "Digest Auth State Leak on Cross-Origin Redirect via Netrc - Username and Password Hash Sent to Wrong Host"

19 Apr 2026  Nextcloud disclosed a bug submitted by aikido_security: "Stored XSS in attachment-display exploitable through SameSite"

18 Apr 2026  curl disclosed a bug submitted by skksndk: "libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay"

18 Apr 2026  Ruby on Rails disclosed a bug submitted by smlee: "Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs"

17 Apr 2026  curl disclosed a bug submitted by asdwe: "libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle"

16 Apr 2026  HackerOne disclosed a bug submitted by joejoe5: "Residual Malicious Payloads on HackerOne after Vulnerability Fixes"

16 Apr 2026  HackerOne disclosed a bug submitted by hellokbit: "DoS via Mutation Aliasing in GraphQL Account Recovery Phone Number Verification API"

16 Apr 2026  curl disclosed a bug submitted by hybirdss: "lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a)"

15 Apr 2026  arkadiyt-projects disclosed a bug submitted by argareksapatii: "Authorization header leak in ssrf_filter via cross-host redirect leads to credential theft and unauthorized access"

15 Apr 2026  AWS VDP disclosed a bug submitted by killnet-edc: "SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet)"

14 Apr 2026  Basecamp disclosed a bug submitted by xavlimsg: "DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover"

14 Apr 2026  Basecamp disclosed a bug submitted by xavlimsg: "Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure"

14 Apr 2026  Nextcloud disclosed a bug submitted by cyberjoker: "BOLA/IDOR in Out-of-Office API allows any authenticated user to read other users' absence data"

14 Apr 2026  Cloudflare Public Bug Bounty disclosed a bug submitted by matured_kazama: "[Variation of #3321406] Yet Another 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in AccessTempAuth"
By Denis Werner (@nobbd)