REPORTS
PROGRAMS
PUBLISHERS
Now on Twitter
the unofficial
HackerOne
disclosure timeline.
X
b'Rocket.Chat'
disclosed a bug submitted by
b'olidayw'
b'Stored XSS in Rocket.Chat HTML File Export Unauthenticated Entry via LiveChat'
16 Jul 2026
b'GitHub'
disclosed a bug submitted by
b'vaib25vicky'
b'Able to bypass authorization logic and gain more access then intended'
15 Jul 2026
b'AWS VDP'
disclosed a bug submitted by
b'mistercloudsec'
b'Bedrock AgentCore Starter Toolkit Creates Gateway IAM Roles Without Confused Deputy Protections'
15 Jul 2026
b'Basecamp'
disclosed a bug submitted by
b'newbiefromcoma'
b'Stored XSS on Trix Editor version latest (2.1.16) - Sanitizer Bypass '
14 Jul 2026
b'AWS VDP'
disclosed a bug submitted by
b'mistercloudsec'
b'bedrock-mantle.api.aws accepts Bedrock API keys outside the IAM Deny, CloudTrail signal, and invocation logging AWS publishes for Bedrock keys'
14 Jul 2026
b'SingleStore'
disclosed a bug submitted by
b'bisht-ji'
b'SELECT ... INTO OUTFILE does not enforce the FILE WRITE privilege unprivileged arbitrary file write on the server'
13 Jul 2026
b'AWS VDP'
disclosed a bug submitted by
b'mistercloudsec'
b'Kiro IDE Stores Auth Tokens with World-Readable Permissions (0644)'
09 Jul 2026
b'AWS VDP'
disclosed a bug submitted by
b'kaporia'
b'OS Command Injection in `aws-cdk-lib` NodejsFunction via Unsanitized `OsCommand` Helper (Supply Chain RCE)'
06 Jul 2026
b'Basecamp'
disclosed a bug submitted by
b'zerodaysec_xyz'
b'Any installed app can force immediate logout and persistent DOS of authenticated Basecamp sessions via unprotected exported StartActivity'
04 Jul 2026
b'Shopify'
disclosed a bug submitted by
b'abahack'
b'admin.shopify.com: Shopify Flow continues sending internal emails to a configured recipient after the staff author is removed'
03 Jul 2026
b'AWS VDP'
disclosed a bug submitted by
b'nick_frichette_dd'
b'Non-Production API Endpoints for the Amazon S3 Tables Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration'
02 Jul 2026
b'8x8'
disclosed a bug submitted by
b'pmgjoe'
b'jitsi-meet: Prosody/Jigasi missing header whitelist in mod_filter_iq_rayo allows arbitrary SIP header injection and Caller ID spoofing'
02 Jul 2026
b'8x8'
disclosed a bug submitted by
b'r1skr1der'
b'jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze`'
02 Jul 2026
b'Yelp'
disclosed a bug submitted by
b'0xmanticore'
b'Yelp for Business: locked Email field silently editable via API'
02 Jul 2026
b'Nintendo'
disclosed a bug submitted by
b'hana2736'
b'Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission'
02 Jul 2026
b'Nintendo'
disclosed a bug submitted by
b'alzxk11'
b'[Splatoon 3] Kick other players with NplnLogin message'
02 Jul 2026
b'SingleStore'
disclosed a bug submitted by
b'bl4ck-'
b'Exceeding the maximum number of spaces allowed by exploiting a Race Condition in the Workspace creation process'
01 Jul 2026
b'SingleStore'
disclosed a bug submitted by
b'bl4ck-'
b'Insecure Direct Object Reference (IDOR) allows creating folders.'
01 Jul 2026
b'SingleStore'
disclosed a bug submitted by
b'bl4ck-'
b'Delete any folder for any user within the organization'
01 Jul 2026
1
2
3
...
770
BY DENIS WERNER - @NOBBD -
IMPRESSUM