the unofficial HackerOne disclosure timeline.

X
b'curl' disclosed a bug submitted by b'bugthiru' 
b'CRLF Injection via Custom HTTP Headers'
11 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'fg0x0' 
b'heap-use-after-free in state.referer when CURLOPT_REFERER replaced or cleared after perform'
11 Jun 2026 timeline
b'DuckDuckGo' disclosed a bug submitted by b'6r1ff1n' 
b'RCE + PAT Exfiltration via pull_request_target in privacy-configuration/auto-respond-pr.yml Direct Supply Chain to All DDG Browsers'
11 Jun 2026 timeline
b'DuckDuckGo' disclosed a bug submitted by b'6r1ff1n' 
b'RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml Affects All DuckDuckGo Browsers'
11 Jun 2026 timeline
b'Rocket.Chat' disclosed a bug submitted by b'button142857' 
b'SSRF via Improper Redirect Validation in Rocket.Chat oEmbed Function'
11 Jun 2026 timeline
b'Rocket.Chat' disclosed a bug submitted by b'button142857' 
b'SSRF via improper validation after DNS name resolution in the link-preview feature'
11 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'monk17' 
b'curl-ipv4-percent-normalization-SSRF'
10 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'azraelxuemo' 
b'Trailing-Dot Hostname in Redirect Silently Strips Client Certificate and Auth Credentials'
10 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'nyymi' 
b'curl/libcurl vulnerable to TLS truncation attacks'
10 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'byteray_ltd' 
b'SSH/SFTP connection reuse can bypass SSH key identity after ssh_config_matches removal'
09 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'kalfkinen' 
b'SOCKS5 no-auth accepted despite username/password-only authentication'
09 Jun 2026 timeline
b'Ruby on Rails' disclosed a bug submitted by b'ooooooo_q' 
b'Action Text ReDoS (Ruby 3.1 or lower)'
09 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'torkd1' 
b'libcurl: HTTP/1.x bare LF byte in response header value enables cookie jar pollution and POST body/credential exfiltration via redirect RC=0, curl 8'
08 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'maxhearnden' 
b'DNS domain search list followed for extant domain missing A or AAAA records'
08 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'awofjawofjfawf' 
b'OpenSSL TLS 1.2 session resumption accepts expired server certificates in libcurl'
07 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'fanhua' 
b'curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication'
07 Jun 2026 timeline
b'curl' disclosed a bug submitted by b'alphalaab' 
b'curl External-Controlled Filename in `--url @file` Leads to Arbitrary File Overwrite'
07 Jun 2026 timeline
b'Nextcloud' disclosed a bug submitted by b'pirikara' 
b'Valid share tokens allow to access tempory upload files of share owner'
07 Jun 2026 timeline
b'Nextcloud' disclosed a bug submitted by b'priyanka010' 
b'Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC'
07 Jun 2026 timeline
b'Nextcloud' disclosed a bug submitted by b'alper_ozturk' 
b'PIN bypass in PassCodeActivity via back button'
07 Jun 2026 timeline
1 2 3 4 ... 766
Follow @disclosedh1 on twitter to receive updates when a new bug is disclosed!
Twitter
BY DENIS WERNER - @NOBBD - IMPRESSUM