The unofficial HackerOne disclosure timeline.
Node.js disclosed a bug submitted by shinchan_69: Incomplete Fix for CVE-2026-21637: OCSPRequest and resumeSession Events Crash Node.js TLS Server via Unhandled Synchronous Exceptions (12 Jun 2026)
AWS VDP disclosed a bug submitted by inkerton: Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs` (11 Jun 2026)
AWS VDP disclosed a bug submitted by terrynini38514: Firecracker Out-of-bounds Read/Write Local Privilege Escalation Vulnerability (11 Jun 2026)
curl disclosed a bug submitted by bugthiru: CRLF Injection via Custom HTTP Headers (11 Jun 2026)
curl disclosed a bug submitted by fg0x0: heap-use-after-free in state.referer when CURLOPT_REFERER replaced or cleared after perform (11 Jun 2026)
DuckDuckGo disclosed a bug submitted by 6r1ff1n: RCE + PAT Exfiltration via pull_request_target in privacy-configuration/auto-respond-pr.yml Direct Supply Chain to All DDG Browsers (11 Jun 2026)
DuckDuckGo disclosed a bug submitted by 6r1ff1n: RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml Affects All DuckDuckGo Browsers (11 Jun 2026)
Rocket.Chat disclosed a bug submitted by button142857: SSRF via Improper Redirect Validation in Rocket.Chat oEmbed Function (11 Jun 2026)
Rocket.Chat disclosed a bug submitted by button142857: SSRF via improper validation after DNS name resolution in the link-preview feature (11 Jun 2026)
curl disclosed a bug submitted by monk17: curl-ipv4-percent-normalization-SSRF (10 Jun 2026)
curl disclosed a bug submitted by azraelxuemo: Trailing-Dot Hostname in Redirect Silently Strips Client Certificate and Auth Credentials (10 Jun 2026)
curl disclosed a bug submitted by nyymi: curl/libcurl vulnerable to TLS truncation attacks (10 Jun 2026)
curl disclosed a bug submitted by byteray_ltd: SSH/SFTP connection reuse can bypass SSH key identity after ssh_config_matches removal (09 Jun 2026)
curl disclosed a bug submitted by kalfkinen: SOCKS5 no-auth accepted despite username/password-only authentication (09 Jun 2026)
Ruby on Rails disclosed a bug submitted by ooooooo_q: Action Text ReDoS (Ruby 3.1 or lower) (09 Jun 2026)
curl disclosed a bug submitted by torkd1: libcurl: HTTP/1.x bare LF byte in response header value enables cookie jar pollution and POST body/credential exfiltration via redirect RC=0, curl 8 (08 Jun 2026)
curl disclosed a bug submitted by maxhearnden: DNS domain search list followed for extant domain missing A or AAAA records (08 Jun 2026)
curl disclosed a bug submitted by awofjawofjfawf: OpenSSL TLS 1.2 session resumption accepts expired server certificates in libcurl (07 Jun 2026)
curl disclosed a bug submitted by fanhua: curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication (07 Jun 2026)
BY DENIS WERNER - @NOBBD