The unofficial HackerOne disclosure timeline.
Node.js disclosed a bug submitted by pimterry: "HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors" (18 Jun 2026)
Node.js disclosed a bug submitted by suul: "Permission Model Bypass via `process.report.writeReport()` Path Misvalidation" (18 Jun 2026)
Shopify disclosed a bug submitted by saltymermaid: "Reflected XSS in AI Chat Bot Greetings at help.shopify.com via Markdown Image Rendering" (18 Jun 2026)
HackerOne disclosed a bug submitted by brumbelow: "Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql" (17 Jun 2026)
curl disclosed a bug submitted by argareksapatii: "verify-release rebuilds from the tarball under verification, enabling pre-check command execution and false OK for a malicious curl release tarball" (17 Jun 2026)
curl disclosed a bug submitted by newstuff321: "Vulnerability Report: Buffer Overflow in Path Sanitization" (16 Jun 2026)
Rocket.Chat disclosed a bug submitted by eldudareeno: "Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file" (16 Jun 2026)
Tor disclosed a bug submitted by aptupdate: "Malicious Conflux Endpoint Can Leave Stale Global OOO Queue Accounting After Teardown" (16 Jun 2026)
Rocket.Chat disclosed a bug submitted by aikido_security: "Unauthenticated reading of every file via livechat auth and predicting MongoDB ObjectId()" (15 Jun 2026)
IBM disclosed a bug submitted by entrovyx: "Reflected Cross-Site Scripting (XSS) found on IBM.com domain" (15 Jun 2026)
curl disclosed a bug submitted by unknowperson0212: "Incomplete Suppression of Transfer-Encoding: chunked Header in HTTP/2 After Redirect From HTTP/1.1" (15 Jun 2026)
curl disclosed a bug submitted by daviey: "Secure cookies leaked to HTTP origins through HTTPS forwarding proxy" (15 Jun 2026)
PortSwigger Web Security disclosed a bug submitted by hacker-kartel: "UI Consent Bypass via Comma Injection in `addAutoApproveTarget` User-Approval Dialog and Persistence Layer Disagree on Target Scope, Yielding Authen" (15 Jun 2026)
PortSwigger Web Security disclosed a bug submitted by kawakatz: "Burp Suite Professional: browser-powered crawl can write attacker-controlled files through file input handling" (14 Jun 2026)
curl disclosed a bug submitted by violet12331: "Duplicate chunked Transfer-Encoding lets a malicious origin smuggle a response across reused HTTP proxy connections" (13 Jun 2026)
Node.js disclosed a bug submitted by shinchan_69: "Incomplete Fix for CVE-2026-21637: OCSPRequest and resumeSession Events Crash Node.js TLS Server via Unhandled Synchronous Exceptions" (12 Jun 2026)
AWS VDP disclosed a bug submitted by inkerton: "Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs`" (11 Jun 2026)
AWS VDP disclosed a bug submitted by terrynini38514: "Firecracker Out-of-bounds Read/Write Local Privilege Escalation Vulnerability" (11 Jun 2026)
curl disclosed a bug submitted by bugthiru: "CRLF Injection via Custom HTTP Headers" (11 Jun 2026)
By Denis Werner (@nobbd)