Top 10 publishers:
bobrov: 117
sp1d3rs: 86
geeknik: 84
linkks: 75
jobert: 70
nyymi: 67
someonenobbd: 62
ooooooo_q: 54
guido: 50
haxta4ok00: 49
The unofficial HackerOne disclosure timeline.
pixiv disclosed a bug submitted by lainkusanagi: "Non-premium user can disable Ads in japanese version of dic.pixiv.net" (27 Apr 2026)
Weblate disclosed a bug submitted by alexb_616: "Argument Injection in /manage/ssh/ via host parameter leads to sensitive file disclosure on Weblate" (26 Apr 2026)
Shopify disclosed a bug submitted by 0xd0ff9: "mruby-engine: UAF in MRubyEngine#initialize enables local RCE" (24 Apr 2026)
Node.js disclosed a bug submitted by mbarbs: "Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS" (23 Apr 2026)
Rocket.Chat disclosed a bug submitted by arccode: "RBAC bypass on App log endpoints via `permissionRequired` typo any authenticated user reads admin-only Enterprise App logs" (23 Apr 2026)
Rocket.Chat disclosed a bug submitted by npc: "Complete authentication bypass to admin permissions" (22 Apr 2026)
Nextcloud disclosed a bug submitted by nullcathedral: "SVG filter primitives bypass remote image blocking, enabling email tracking without consent." (20 Apr 2026)
Nextcloud disclosed a bug submitted by nullcathedral: "position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays." (20 Apr 2026)
Nextcloud disclosed a bug submitted by nullcathedral: "Unquoted body background attribute enables CSS injection that bypasses remote image blocking" (20 Apr 2026)
Nextcloud disclosed a bug submitted by nullcathedral: "SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent" (20 Apr 2026)
curl disclosed a bug submitted by valvelvel: "libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms" (19 Apr 2026)
curl disclosed a bug submitted by fg0x0: "Digest Auth State Leak on Cross-Origin Redirect via Netrc - Username and Password Hash Sent to Wrong Host" (19 Apr 2026)
Nextcloud disclosed a bug submitted by aikido_security: "Stored XSS in attachment-display exploitable through SameSite" (19 Apr 2026)
curl disclosed a bug submitted by skksndk: "libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay" (18 Apr 2026)
Ruby on Rails disclosed a bug submitted by smlee: "Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs" (18 Apr 2026)
curl disclosed a bug submitted by asdwe: "libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle" (17 Apr 2026)
HackerOne disclosed a bug submitted by joejoe5: "Residual Malicious Payloads on HackerOne after Vulnerability Fixes" (16 Apr 2026)
HackerOne disclosed a bug submitted by hellokbit: "DOS via Mutation Aliasing in GraphQL Account Recovery Phone Number Verification API" (16 Apr 2026)
curl disclosed a bug submitted by hybirdss: "lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a)" (16 Apr 2026)
arkadiyt-projects disclosed a bug submitted by argareksapatii: "Authorization header leak in ssrf_filter via cross-host redirect leads to credential theft and unauthorized access" (15 Apr 2026)
BY DENIS WERNER - @NOBBD