REPORTS
PROGRAMS
PUBLISHERS
Now on Twitter
the unofficial
HackerOne
disclosure timeline.
X
b'curl'
disclosed a bug submitted by
b'skksndk'
b'libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay'
18 Apr 2026
b'Ruby on Rails'
disclosed a bug submitted by
b'smlee'
b'Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs'
18 Apr 2026
b'curl'
disclosed a bug submitted by
b'asdwe'
b'libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle'
17 Apr 2026
b'HackerOne'
disclosed a bug submitted by
b'joejoe5'
b'Residual Malicious Payloads on HackerOne after Vulnerability Fixes'
16 Apr 2026
b'HackerOne'
disclosed a bug submitted by
b'hellokbit'
b'DOS via Mutation Aliasing in GraphQL Account Recovery Phone Number Verification API'
16 Apr 2026
b'curl'
disclosed a bug submitted by
b'hybirdss'
b'lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a)'
16 Apr 2026
b'arkadiyt-projects'
disclosed a bug submitted by
b'argareksapatii'
b'Authorization header leak in ssrf_filter via cross-host redirect leads to credential theft and unauthorized access'
15 Apr 2026
b'AWS VDP'
disclosed a bug submitted by
b'killnet-edc'
b'SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet)'
15 Apr 2026
b'Basecamp'
disclosed a bug submitted by
b'xavlimsg'
b'DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover'
14 Apr 2026
b'Basecamp'
disclosed a bug submitted by
b'xavlimsg'
b'Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure'
14 Apr 2026
b'Nextcloud'
disclosed a bug submitted by
b'cyberjoker'
b"BOLA/IDOR in Out-of-Office API allows any authenticated user to read other users' absence data"
14 Apr 2026
b'Cloudflare Public Bug Bounty'
disclosed a bug submitted by
b'matured_kazama'
b'[Variation of #3321406] YetAnother 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in AccessTempAuth'
14 Apr 2026
b'Cloudflare Public Bug Bounty'
disclosed a bug submitted by
b'matured_kazama'
b'[Variation of #1554049] 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in Access Temp Auth'
14 Apr 2026
b'Brave Software'
disclosed a bug submitted by
b'mousepadkalilinux12'
b'Brave Shields Domain Reordering Leads to Origin Confusion'
13 Apr 2026
b'Nextcloud'
disclosed a bug submitted by
b'py0zz1'
b'Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute)'
13 Apr 2026
b'curl'
disclosed a bug submitted by
b'midoussa7'
b'Argument Injection via curl Short-Flag Grouping'
13 Apr 2026
b'curl'
disclosed a bug submitted by
b'pwnpwn'
b'Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers'
11 Apr 2026
b'AWS VDP'
disclosed a bug submitted by
b'misop00p'
b'Encryption context keys and values logged at INFO level'
10 Apr 2026
b'Rocket.Chat'
disclosed a bug submitted by
b'soohyun'
b'Open Redirect in Rocket.Chat'
10 Apr 2026
b'Mozilla'
disclosed a bug submitted by
b'adilnbabras'
b'[Vertical Privilege Escalation] User can Unapproved any Approved Translation at [/translations/unapprove/]'
10 Apr 2026
1
...
10
11
12
13
14
...
769
BY DENIS WERNER - @NOBBD -
IMPRESSUM