the unofficial HackerOne disclosure timeline.
Revive Adserver
disclosed a bug submitted by
v3rtical
Banner status override by advertiserlevel users
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
3l4
Stored XSS via malicious usernames in audit log details + Username validation bypass in XMLRPC addUser
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
rajib_mahmud
PHP code injection via unexpected delivery limitation parameter
03 Jun 2026
curl
disclosed a bug submitted by
hungly09
PRE_PROXY change leaks stale Proxy Digest state across proxy-chain boundary
03 Jun 2026
curl
disclosed a bug submitted by
arkss
curl/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy
03 Jun 2026
curl
disclosed a bug submitted by
hualuo
SMTP connection reuse ignores --ssl-reqd / CURLOPT_USE_SSL and reuses a clear-text STARTTLS session on current master
03 Jun 2026
curl
disclosed a bug submitted by
lvtable
Proxy CONNECT response poisoning via authentication retry in cf-h1-proxy.c (libcurl)
03 Jun 2026
PortSwigger Web Security
disclosed a bug submitted by
hacker-kartel
Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection
02 Jun 2026
LY Corporation
disclosed a bug submitted by
imnotr3al
page.line.me Open Redirect Leading to OAuth Authorization Code Exposure and Access Token Compromise
02 Jun 2026
Shopify
disclosed a bug submitted by
cipher-kid
Missing HMAC validation on /uninstall webhook in Shopify/sample-django-app reference template
01 Jun 2026
curl
disclosed a bug submitted by
karthiktp1810
Mentioned unites are at the same time .Then we have to increase the bounty.
01 Jun 2026
curl
disclosed a bug submitted by
fg0x0
TLS conn reuse and session cache ignore fsslctx callback and ssl_config_data flags ( incomplete fix variant of 7541ae569 )
01 Jun 2026
curl
disclosed a bug submitted by
tpfeng
lib/ldap.c follows attacker-controlled LDAP referrals and binds to a second server; WinLDAP builds leak current logon credentials (confirmed on Window
01 Jun 2026
curl
disclosed a bug submitted by
giant_anteater
Use-after-free in `curl_easy_duphandle()` with HTTP/2 stream-dependency tree
01 Jun 2026
curl
disclosed a bug submitted by
ajohnston3825
Low priority HSTS bypass in curl_easy_duphandle()
01 Jun 2026
phpBB
disclosed a bug submitted by
misop00p
Blind POST SSRF via Web Push Notification Endpoint
30 May 2026
AWS VDP
disclosed a bug submitted by
misop00p
V1Plugin.Decrypt panics on empty ciphertext (Remote DoS)
28 May 2026
AWS VDP
disclosed a bug submitted by
misop00p
V2Plugin.Decrypt panics on empty ciphertext (Remote DoS)
28 May 2026
Brave Software
disclosed a bug submitted by
aaront
iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs
28 May 2026
curl
disclosed a bug submitted by
giant_anteater
Heap-OOB read in urlapi `redirect_url()` via `CURLU_GUESS_SCHEME` + `CURLU_NO_GUESS_SCHEME` flow
25 May 2026
BY DENIS WERNER - @NOBBD -