The unofficial HackerOne disclosure timeline.
curl
disclosed a bug submitted by
lvtable
Proxy CONNECT response poisoning via authentication retry in cf-h1-proxy.c (libcurl)
03 Jun 2026
PortSwigger Web Security
disclosed a bug submitted by
hacker-kartel
Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection
02 Jun 2026
LY Corporation
disclosed a bug submitted by
imnotr3al
page.line.me Open Redirect Leading to OAuth Authorization Code Exposure and Access Token Compromise
02 Jun 2026
Shopify
disclosed a bug submitted by
cipher-kid
Missing HMAC validation on /uninstall webhook in Shopify/sample-django-app reference template
01 Jun 2026
curl
disclosed a bug submitted by
karthiktp1810
Mentioned unites are at the same time .Then we have to increase the bounty.
01 Jun 2026
curl
disclosed a bug submitted by
fg0x0
TLS conn reuse and session cache ignore fsslctx callback and ssl_config_data flags ( incomplete fix variant of 7541ae569 )
01 Jun 2026
curl
disclosed a bug submitted by
tpfeng
lib/ldap.c follows attacker-controlled LDAP referrals and binds to a second server; WinLDAP builds leak current logon credentials (confirmed on Window
01 Jun 2026
curl
disclosed a bug submitted by
giant_anteater
Use-after-free in `curl_easy_duphandle()` with HTTP/2 stream-dependency tree
01 Jun 2026
curl
disclosed a bug submitted by
ajohnston3825
Low priority HSTS bypass in curl_easy_duphandle()
01 Jun 2026
phpBB
disclosed a bug submitted by
misop00p
Blind POST SSRF via Web Push Notification Endpoint
30 May 2026
AWS VDP
disclosed a bug submitted by
misop00p
V1Plugin.Decrypt panics on empty ciphertext (Remote DoS)
28 May 2026
AWS VDP
disclosed a bug submitted by
misop00p
V2Plugin.Decrypt panics on empty ciphertext (Remote DoS)
28 May 2026
Brave Software
disclosed a bug submitted by
aaront
iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs
28 May 2026
curl
disclosed a bug submitted by
giant_anteater
Heap-OOB read in urlapi `redirect_url()` via `CURLU_GUESS_SCHEME` + `CURLU_NO_GUESS_SCHEME` flow
25 May 2026
curl
disclosed a bug submitted by
jingzhou
curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication
25 May 2026
Rocket.Chat
disclosed a bug submitted by
deprrous
Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check
25 May 2026
Node.js
disclosed a bug submitted by
junius
NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset
23 May 2026
Node.js
disclosed a bug submitted by
v1ct0rv0nd00m
Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`)
23 May 2026
Nextcloud
disclosed a bug submitted by
msatz
Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId)
21 May 2026
curl
disclosed a bug submitted by
sdjasj
curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write
20 May 2026
BY DENIS WERNER - @NOBBD -